Cross-Enterprise User Assertion - Discussion

From IHE Wiki

Introduction

IHE has defined the Enterprise User Authentication (EUA) and Personnel White Pages (PWP) profiles for use within an enterprise. IHE is now defining transactions that cross enterprise boundaries, specifically the XDS profile and others that create an Affinity Domain. When transactions cross enterprise boundaries, the mechanisms found in the EUA and PWP profiles are insufficient and often nonfunctional. To provide accountability in these cross-enterprise transactions there is a need to identify the requesting user in a way that lets the receiver make access decisions and proper audit entries.

The Cross-Enterprise User Authentication (XUA) profile will provide the user identity in transactions that cross enterprise boundaries. Enterprises may choose to have their own user directory and their own unique method of authenticating; XUA must therefore carry the identity in a form the receiving enterprise can use for access decisions and audit entries without sharing that directory or method.

Plan

  1. The use cases need to be updated to be more clinical and less technical
    1. To better communicate what we are providing
    2. To better uncover the requirements for the transactions
  2. Maturity concerns
    1. There is still very limited support for SAML 2.0. The vendors are all working on it. The SAML community is unified that 2.0 is the right basis for future work. The problem appears to be vendors trying to get some revenue from existing development.
    2. WS-I and WS-SX appear to be maturing on target.
  3. Decide scope
    1. Are we only going to focus on web-services transactions? (no support for HL7 v2 MLLP, DICOM, WADO or RID)
    2. We should focus year one on XDS-Query with an assumed Affinity Domain policy.
    3. Strong request (Charles) to include XDS-Retrieve as well.
      1. This would likely need a WS version of Retrieve: the old HTTP-GET retrieve cannot carry user (XUA) identities, whereas the new one would support them.
      2. HITSP Emergency Responder use case: the repository wants to know the identity of the user it is handing information over to.
    4. There is evidence that XDS-Query is more likely to be done by an automated process, whereas XDS-Retrieve is more likely to be attributable to a specific user.
  4. Produce a roadmap that shows how to get this done over multiple years.
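As an added example (not part of this discussion page or of any IHE profile text), a receiver-side check written on the assumption the plan above points to: the user identity from the introduction arrives as a SAML 2.0 assertion in the WS-Security header of an XDS web-services request. It enforces the assertion's validity window and Affinity Domain audience and returns the issuer and user the receiver needs for an access decision and an audit entry; signature verification is assumed to have happened before this step and is not shown. The envelope, assertion ID, issuer, user and audience values are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an XDS web-services request whose WS-Security header carries
# a SAML 2.0 assertion (signature omitted; it is assumed verified before this check).
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <soap:Header><wsse:Security>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-01-10T12:00:00Z">
   <saml:Issuer>https://idp.hospital-a.example</saml:Issuer>
   <saml:Subject><saml:NameID>dr.jones@hospital-a.example</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="2007-01-10T12:00:00Z" NotOnOrAfter="2007-01-10T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:affinity:example</saml:Audience></saml:AudienceRestriction>
   </saml:Conditions>
  </saml:Assertion>
 </wsse:Security></soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def parse_ts(s):
    # SAML xs:dateTime in UTC ('Z' suffix) to an aware datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(envelope_xml, affinity_domain, now):
    """Validate the assertion's Conditions for this Affinity Domain; return the issuer,
    user and assertion ID needed for the access decision and the audit entry, or raise."""
    root = ET.fromstring(envelope_xml)
    a = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if a is None or a.get("Version") != "2.0":
        raise ValueError("no SAML 2.0 assertion in WS-Security header")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    # NotBefore/NotOnOrAfter are optional in SAML; enforce whichever is present.
    if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if affinity_domain not in audiences:
        raise ValueError("assertion was not issued for this Affinity Domain")
    return {"issuer": a.findtext("saml:Issuer", namespaces=NS),
            "user": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "assertion_id": a.get("ID")}
```

The returned dictionary is what the receiving repository or registry would record in its audit entry alongside the transaction details, and what it would feed into its Affinity Domain access policy.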
