Cross-Enterprise User Assertion (XUA) Profile

From IHE Wiki
Jump to navigation Jump to search

Introduction

This is a draft of the Cross-Enterprise User Assertion Profile (XUA) supplement to the ITI Technical Framework. This draft is a work in progress, not the official supplement or profile.

Profile Abstract

The Cross-Enterprise User Assertion Profile (XUA) defines a set of trustable claims about an authenticated principal (user, application, system...) to use in transactions that may cross enterprise boundaries. To provide accountability in these cross enterprise transactions there is a need to identify the requesting authenticated principal in a way that the receiver can make access decisions and proper audit entries. The XUA Profile will be applicable to enterprises that have chosen to have their own user directory with their own unique method of authenticating the users, and others that may have chosen to use a third party.

Issue Log

See Cross-Enterprise User Assertion - Discussion

Glossary

Add the following items to the Glossary
XUA
Cross-Enterprise User Assertion (Formerly Cross-Enterprise User Authentication)
User Assertion
a set of claims about an authenticated principal (user, application, system...) that is issued by a trusted identity provider
Principal
An end user, an application, a machine, or any other type of entity that may act as a requester in a transaction. A principal is typically represented in a transaction with a digital identity and the principal may have multiple valid digital identities to use with different transactions -- (modified from Source WS-Federation)

Volume I

Add the following bullet to the list of profiles in section 1.7
  • The Cross-Enterprise User Assertion Profile (XUA) - provides a means to establish the user identity of an authenticated principal (user, application, system...) in transactions that cross enterprise boundaries. To provide accountability in these cross enterprise transactions there is a need to identify the requesting user in a way that the receiver can make access decisions and proper audit entries. The XUA Profile will support enterprises that have chosen to have their own user directory with their own unique method of authenticating the users, and others that may have chosen to use a third party to perform the authentication.

Dependencies

Add the following row(s) to the list of dependencies in section 2.1
Integration Profile Dependency Dependency Type Purpose
Cross-Enterprise User Assertion None None 
Add the following section to the section 2.2

2.2.n Cross-Enterprise User Assertion (XUA)

Cross-Enterprise User Assertion (XUA) defines a set of trustable claims about an authenticated principal (user, application, system...) using a transactions that may cross enterprise boundaries. To provide accountability in these cross enterprise transactions there is a need to identify the requesting user in a way that the receiver can make access decisions and proper audit entries. The XUA Profile will support enterprises that have chosen to have their own user directory with their own unique method of authenticating the users, and others that may have chosen to use a third party. 


Add the following section to Vol 1

Cross-Enterprise User Assertion (XUA) Integration Profile

The Cross-Enterprise User Assertion Profile (XUA) defines a set of trustable claims about an authenticated principal (user, application, system...) using a transactions that may cross enterprise boundaries. To provide accountability in these cross enterprise transactions there is a need to identify the requesting user in a way that the receiver can make access decisions and proper audit entries. The XUA Profile will support enterprises that have chosen to have their own user directory with their own unique method of authenticating the users, and others that may have chosen to use a third party.

There are transactions defined by IHE that cross enterprise boundaries. The existing IHE profiles for an authenticated user identity (EUA) will not function in cross-enterprise transactions. In a cross-enterprise environment it is more likely that the transactions will be going between two enterprises that maintain their own independent user directories (PWP). This type of requirement is the focus of the Identity Federation standards. Identity Federation has received much attention by the security and the platforms industry. Identity Federation is agnostic to the type of user directory, it allows for a centralized user directory, but also supports the more powerful federation of user directories. Identity Federation also supports many methods of user authentication (password, biometrics, smartcard) and can include details about the method(s) used.

The XUA Profile leverages Web-Services Security, SAML 2.0 Token Profile and the various profiles from W3C, OASIS, and WS-I to support identity federation. In this way we will be able to take advantage of the vast experience of the communities outside of healthcare standards. This profile will be leveraging the experience of a few programs around the globe that have started work with SAML in healthcare. Most of these projects are applying SAML to XDS as we expect to be doing in the first year.

Discussion about the creation of this profile can be found at Cross-Enterprise User Assertion - Discussion

Use Cases

This profile will likely take two years to fully fill out. In the first year we will be focusing only on XDS.b Document Consumer Actor: XDS.b Registry Stored Query and XDS.b Retrieve Document Set transactions. The motivator for this is that these are the most exposed transactions that IHE has defined; their use is expected to be from a wide variety of consuming applications and enterprises; and they utilize modern Web-Services standards.

A worst case for the XUA profile is where the use-cases involve at least two different trust domains that are operating under different technology, procedures, role-models, etc. They are cooperating in the XDS Affinity domain under an overarching trust relationship policy that indicates that these differences can be rationalized. The XDS transactions are transferring access control from one entity to another. For example, they will be using XDS to exchange data between a single doctor practice, the VA, and Mass. General. It is not likely that they will all agree to the same access control model. It is not necessary to have the same access control across these entities, but it is reasonable that at the policy level they will agree to a set of processing rules. This illustrates an important fact that the XUA is useful for security audit logging, but is to a lesser extent useful for access controls.

  1. Country that provisions users into a single assigning authority domain (e.g., Germany) and handles all user authentication requests
    • Support for centralized user directories
  2. Region that knits together many competing hospitals and clinics where each hospital/clinic manages their own users.
    • Support for distributed user directories
  3. Patient that wishes to use their ISP as their authentication authority uses a PHR like application to access their own information in XDS.
    • Support for non-healthcare specific user directories
  4. Hospital issues identity badges with picture and name printed, RFID for building access, and smart-card for strong authentication
    • Support for claims about the method used to authenticate the user (e.g. strong authentication methods such as smart-cards)
  5. Small clinic in a rural setting supports a dozen users.
    • Support for small scale systems (e.g., user at a kiosk, system using simple passwords)
  6. General practice doctor retrieving results of a test performed by an outpatient clinic, where the outpatient clinic wants to have an audit trail specific to the user requesting.
    • Support for the service provider to get a user identity for audit log purposes
  7. System, based on a scheduled procedure, pre-fetches the available documents so that it can determine a relevant few documents to offer to the doctor when the patient arrives.
    • Support for identifying the user as the system for tasks that are not initiated by a human user
  8. Access of a document by an individual that can’t be identified because the Assertion Provider is not accessible
    • Support for infrastructural failure **** Not clear if this is in scope, or is a performance criteria for implementer ****
  9. User using Registry or Repository where the service provider wants to be assured that the user has been authenticated to a specific assurance level. This is not a case of not trusting the system, but recognition that the requesting supports different levels of authentication. For example the system supports a proximity card as a form of authentication, as well as Smart-Card with PIN. This is not a replacement for ATNA access controls which give distributed access controls.
    • User Identity with level of assurance of that identity is needed.
  10. Specialized XDS for Emergency Dataset. In this case the transfer of information to the XDS Consumer is not critical to fully control, and thus the administration is willing to accept requests from any system as long as they can provide a user-assertion from a trusted source. This trusted-source may be a specialized IDP for First Responders. (See RSA Pilot)
    • In this case only a user identity with proper linkage to a trusted IDP is needed. No specific attributes are needed.
  11. User using a Cross-Community-Gateway needs to provide a user assertion that can be utilized by the Cross-Community-Gateway.
    • Where the Cross-Community-Gateway needs to act-on-behalf of the requester, this will require that the Assertions can be re-purposed (delegation) for the next Bridge or Reg
  12. User acting in an identified clinical role accesses the Registry where the Registry wants to know the user identity and the role they are acting in to record the identity and role in the audit log.
    • Support inclusion of functional roles as named vocabulary
    • The Role of the user as the data subject (patient)
  13. Service provider wants to enforce some form of access controls based on the user identity and/or functional role.
    • Support for the service provider to augment access controls based on some non-specified rules that are applied to the user and/or functional role
  14. Doctor in an emergency situation request to retrieve documents that would under normal conditions would not be accessible because the privacy consent (BPPC) has restricted access
    • Support for Emergency override (aka Break-Glass) *** Not clear what affect this has on XUA ***

XUA Requirements

The vast majority of the use-case (items 1-12) rely on the establishment of an authenticated assertion which a SAML 2.0 Assertion can provide. This is a mature standard produced by OASIS. For our first year we have two transactions that utilize Web-Services, and thus we will specify that when a Cross-Enterprise User Assertion is needed that these Web-Services transactions will additionally use the Web-Services Security header with a SAML 2.0 Token containing the identity Assertion. As with any IHE profile, the applications are not forbidden to use other methods of providing the user (principal) identity.

Architectural Requirements

  • mature standards based
  • solution readily available
  • fit with existing authentication experience
  • no architectural difference between citizens, employees, processes, companies (principal)
  • scalable (small, large, third party)
  • distributed (multiple authority, discovery, flexible)
    • support central authority, but not required (no 'big brother')
  • attributes exposed are controlled (user identity not overly exposed)
    • minimal attributes needed are known (service clear what they need)

Advanced Architectural Requirements

  • automatic discover is less important (is useful, but not critical)
  • delegation is useful but not critical in first year
  • pseudonym is useful but not critical in first year
  • support for DICOM, HL7, Browsers, etc
  • assertion system can be used to digitally sign documents or transactions

This profile will show how to reference a SAML 2.0 Identity Assertion in an ATNA Audit Message.

The method of authenticating the user (principal) and the method that the XDS-Consumer uses to get the SAML 2.0 Identity Assertion is outside the scope of this profile. There is no identified interoperability problem in this transaction as the space is well specified and products certified by Liberty Alliance. One method of authenticating the user is defined in the Enterprise User Authentication Profile. When EUA is used to authenticate the user, this profile will show how to obtain the SAML 2.0 Assertion. A specialization of this interaction is when the user is using a web browser and the XDS-Consumer actor is implemented by web-middleware. In this case the SAML Browser SSO Profile may be utilized by the middleware to obtain the SAML 2.0 Assertion. All other authentication types are left undefined, but allowed. '(Roberto indicatates this is out of scope)'

There are user (principal) attributes that appear to be needed in the use-cases: Doctor, Patient, Guardian, Emergency-Access. The SAML 2.0 Identity Assertion can contain attributes about the user (principal). At this time it is not clear what standards to use to identify these attributes and their values, so this is left to specific implementations that have defined a local vocabulary or vocabulary translation.

The method used by the XDS-Consumer to determine the contents of the SAML 2.0 Assertion is outside the scope of this profile. This profile will show in an informative way how to utilize SAML Metadata, and WS-Policy.

It is expected that extending this solution to HL7 and DICOM will be supported in the future.

Actors/Transaction

Cross-Enterprise User Assertion Actor Diagram
Actor Transaction Optionality Section
Cross-Enterprise User Assertion Actors and Transactions
X-Service User Provide X-User Assertion R ITI-A
X-Service Provider Provide X-User Assertion R ITI-A

Options

Actor Option Section
Cross-Enterprise User Assertion Options
X-Service User None
X-Service Provider None

Grouping

Process Flow

Cross-Enterprise User Assertion Process Flow

In the above flow we are showing more actors than are specified in this profile. The User Authentication Provider, User Directory Provider and X-Assertion Provider are not profiled here, but rather are shown to give a context to the XUA transactions.

In this figure the dark lines represent the X-User Assertion transaction. The thin lines represent other standards based transactions that may be used. WS session A and B show an example where one X-User Assertion is used to cover two Web-Services transactions. Where WS Session C is using a different X-User Assertion. This may be due to a different user, timeout of the previous X-User Assertion, or some other reason.

Actor Definitions

Add the following Actor Summary Definitions in Appendix A
X-Assertion Provider
This is a SAML Identity Provider (IDP) or WS-Trust Security Token Service (STS), and is not further specified by IHE.
X-Service User
This is the system making a web-services request. In the first year this is the XDS-Document Consumer Actor.
X-Service Provider
This is the system providing the web-service. In the first year this is the XDS-Document Registry and XDS-Document Repository Actors.

Transaction Definitions

Add the following Transaction Summary Definitions in Appendix B
Provide X-User Assertion
This transaction provides a trustable user assertion from the service user to the service provider

Volume II

Add the following Transaction to Volume II

Provide X-User Assertion

This section corresponds to Transaction ITI-XXX of the IHE IT Infrastructure Technical Framework.

Scope

Transaction ITI-XXX is used by the X-Service User to pass a trustable identity assertion to the X-Service Provider. The X-Service User and X-Service Provider use the 'X-Assertion Provider' as the trusted third party issuer of the trustable identity assertion.

Use Case Roles

XUA UseCaseRoles 01.jpg
Actor
X-Service User
Role
User of a transaction that requires a Cross-Enterprise User Assertion
Actor
X-Service Provider
Role
Service provider on a transaction that requires a Cross-Enterprise User Assertion
Actor
X-Assertion Provider
Role
Source of Cross-Enterprise User Assertions

Referenced Standards

Normative -- required to use this profile

Informative -- assist with understanding or implementing this profile

Interaction Diagram

X-User Assertion Messages

X-User Assertion

The X-User Assertion is profiled to assure interoperability between a X-Service User and an X-Service Provider that need an Assertion about the entity requesting the service. There are many ways to provide an Assertion that are all acceptable and may be used by parties that have agreed to their use.

The X-User Assertion transaction shall be used when there is no other agreed upon policy. It is expected that in the future WS-SecurityPolicy published by the X-Service Provider will be sufficient to ensure interoperability.

The X-User Assertion is specified for the XDS.b Registry Stored Query and XDS.b Retrieve Document Set transactions. Use beyond these two transactions is possible but not specified.

Trigger

Configuration of the X-Service Provider and X-Service User indicates when the X-User Assertion transaction is necessary.

Message Semantics
  • The Web-Services Transaction shall be protected against confidentiality, integrity, and authenticity using TLS following the ATNA profile.
  • The Web-Services Transaction shall include the Web-Services Security Header.
  • The Web-Services Security Header shall include a SAML 2.0 Token.
  • The SAML 2.0 Token shall contain:
    • The entity identifier that initiated the Web-Services transaction. This entity identifier should represent the human user, or delegated human user. This entity identifier may represent the system process or other appropriate entity identity.
    • The SAML Token shall contain AuthnS Statement
    • The SAML Token shall have the subject populated
    • The SAML Token may contain other statements (e.g. Attributes)
    • The SAML Token shall be signed by the IDP
    • The SAML Token shall be used in ATNA Audit Messages
Expected Actions
  • The X-Service Provider is expected to process the Web-Services Security header in accordance to the WSS, WS-Trust, and SAML 2.0 processing rules.
  • The X-Service Provider may use standards transactions to communicate with the X-Assertion Provider (e.g. WS-Trust, SAML Protocol)
  • The X-Service Provider shall utilize the identity in any appropriate ATNA audit log messages that result from the transaction (success/failure).
    • need to provide ATNA encoding rules
  • The X-Service Provider may utilize the identity in access control decisions. Appropriate error messages, not defined here, shall be returned.

Out Of Scope

  • XUA does not specify any Attributes
  • XUA does not specify how the service user gets the assertion
  • XUA does not specify how the service provider validates the assertion
  • XUA does not specify how the service provider gets further attributes
Retrieved from "http://wiki.ihe.net/index.php?title=Cross-Enterprise_User_Assertion_(XUA)_Profile&oldid=4954"