 |
Return to detail page at www.hitsp.org | HITSP/C19 |
| Prev TOC Next |
| HOME | ABOUT | MEMBERSHIP | NEWS & ANNOUNCEMENTS | MEETINGS | FAQ | CONTACT US | | Powered by American National Standards Institute |
|
Return to detail page at www.hitsp.org | HITSP/C19 |
| Prev TOC Next |
HITSP defines Interoperability Specifications that specify a set of transactions, the content, and the representation of the content for the exchange of information within a defined context between a service consumer and a service provider. This loose coupling is one of the concepts behind a Services Oriented Architecture (SOA). In this type of architecture there is a need for the service provider to be able to obtain a trustable identity of the user that has initiated or triggered the transaction. This method of defining a set of claims about an identity is an assertion. In many of the HITSP transactions there is no direct user and the action is undertaken by an automated process. For this reason, this construct identifies the roles and behaviors of an entity. The service provider may be part of a different security domain, and thus not directly under the same security controls that have defined the method used to authenticate a human user. This user authentication and all of the identity management (provisioning, role engineering, attribute management, etc) are orthogonal to the assertion, although critical to its makeup.
This Component focuses on the concept of an assertion service participating in a transaction as the Service Provider interface(s). This service supports a variety of authentication mechanisms, and is the means by which other interface(s)s within HITSP Interoperability Specifications obtain an identity assertion.
The following are the requirements derived from the AHIC Use Cases for the authentication and assertion of users:
1. Entities are asserted to assure that the entity is the person or application that claims the identity.
In addition, the Entity Identity Assertion Component is meant to apply to the following scenarios as defined in the HITSP Interoperability Specifications:
2. User using a Document Registry or Document Repository where the Service Provider wants a user identity for additional detail in their audit log.
3. User using a Document Registry or Document Repository where the Service Provider wants to be assured that the user has been authenticated to a specific assurance level.
4. User using a Document Registry or Document Repository where the Service Provider wants to impose additional access controls.
5. User using a Document Registry or Document Repository is the consumer. The consumer is using an authorized PHR service which is handling the Document Consumer responsibilities. The Service Provider wants to restrict the information returned to those that have been released for consumer consumption (for example a lab result that regulations require the provider to discuss in person before releasing the information).
Table 2-1 Component Constraints
|
Component Constraint |
|
Construct is constrained to HITSP interactions that require that a user identity is conveyed |
Table 2-2 Component Dependencies
|
Construct |
Depends On |
Dependency Type |
Purpose |
|
HITSP/C19 Entity Identity Assertion |
HITSP/TP13 Manage Sharing of Documents (provisional on its update to use XDS.b) |
General |
This construct utilizes IHE XUA and specifies the use of SAML 2.0 assertions, both which require the adoption of IHE XDS.b. |
For the purposes of this Component, pre- and post- conditions, as well as triggers and outputs, are also identified. A Unified Modeling Language (UML) sequence diagram is provided to show the high-level outline of how the Component works.
Table 2-3 Data Mapping
|
Data Element |
Description |
Limit/Range of values |
Data Source |
Destination |
Requirements/ |
|
No applicable data mappings |
This section provides additional guidelines and examples that support the underlying base or composite standards for this Component. It describes how these specifications differ from the underlying standards, and provides guidelines and examples for implementation.
See the following sections for additional information about this Component.
This section describes the necessary pre-conditions that must be in place prior to the onset of the workings of the Component. The pre-conditions are used to convey any conditions that must be true at the outset of a Component. They describe the context that must be established before the Component is executed. They are not however the triggers that initiate the Component. Where one or more pre-conditions are not met, the behavior of the Component should be considered uncertain.
Table 2-4 Pre-conditions
|
Pre-condition |
|
Entities must have been identified and provisioned (credentials issued, privileges assigned) |
|
Audit services are initialized as outlined in the HITSP/T15 Collect and Communicate Security Audit Trail Transaction |
|
Secure channels are initialized in accordance with HITSP/T17 Secured Communication Channel Transaction |
|
All interface(s)s are synchronized to a consistent time base by the HITSP/T16 Consistent Time Transaction |
This section describes the process triggers, including interface(s)s and/or processes, which are necessary to start the Component. They can invoke an automatic or manual process or result that in turn starts off the Component. A process trigger is not the same as a pre-condition that describes a context that needs to be in place at the start of the event.
Table 2-5 Process Triggers
|
Process Trigger |
|
Entity successfully connects to a local authentication mechanism and provides identity credentials and authentication information |
This section provides an overview of the post-conditions or results that must occur at the end of the Component in order for the Component to be deemed successfully completed. This includes any required outputs from the Component, or specific interface(s) states.
Table 2-6 Post-conditions
|
Post-condition |
|
Entity has authenticated |
|
An error condition occurs. This can include errors in the verification step malformed assertion; assertion from a distrusted identity provider; assertion from individual without enough information to perform verification; or identity provider is unknown |
|
Entity identity assertion is verified |
The following post-conditions are noted:
1. There may be an additional post-condition of the assertion being reformulated for application-specific usage. This is outside the scope of this Component as it is an implementation-specific detail.
2. There may be an additional post-condition of conveying authentication and/or assertion information. This is outside the scope of this Component as it is an implementation-specific detail.
Table 2-7 Required Outputs
|
Required Output |
Format/Usage |
|
The results of the assertion are made available to the assertion provider |
SAML assertion |
|
A security audit event is generated |
a specific audit event will be generated specific to the vocabulary required to generate that event |
|
Authentication information that was verified is available |
Standards for minimum core set of required data are specific to a domain or organization |
In subsequent iterations of this Component, the HITSP Security, Privacy and Infrastructure Domain Technical Committee will define in more detail what specific data are available from this Component. This will include the definition of a minimum data set which needs to be recognized as the minimum data set for assertions.
This section describes the interfaces that should be integrated in order to meet the interoperability requirements for this Component. An interface represents an entity internal to a software application, which is engaged in one or more specific interactions to support a specific aspect of a real world information interchange (e.g., set of message exchanges). The table below lists the interfaces involved, the relevant definition of their roles, and an indication of their requirements for the Component.
Table 2-8 Interfaces
|
Interface |
Description |
Used in Component/ |
Required = R |
|
Service User |
The entity represents any individual entity (such as a clinician or a EHR/PHR system) that needs to make a service request of a Service Provider. The Entity may also be known as a principal and/or entity, which represents an end user, an application, a machine, or any other type of entity that may act as a requester in a transaction. A principal is typically represented in a transaction with a digital identity and the principal may have multiple valid digital identities to use with different transaction |
IHE-ITI-TF-2 XUA |
R |
|
Identity Provider |
The identity provider receives the credentials and identifier from the Entity (principal). It may perform authentication at that point or may require additional authentication from another source (the Service Provider) |
IHE-ITI-TF-2 XUA |
R |
|
Service Provider |
The service provider represents the system providing a service to all entities that need an assertion or authentication. The service (or assertion) provider is the trusted third party issuer of the trustable identity assertion |
IHE-ITI-TF-2 XUA |
R |
The following sections document the content of the Component and the basic process flows that are supported by the Component. It describes the underlying events that fulfill the Component, the sequence and timing of the events, and the specific interfaces involved. Process flow diagrams are provided to illustrate the process relationships.
Figure 2-1 Entity Identity Assertion Sequence Diagram
This process flow focuses on the provision of a SAML Identity Assertion, which represents a set of claims about an authenticated principal (entity, application, system) that is issued either by an Assertion Provider (represented in the above diagram as the Identity Provider interface) or by a Service Provider (defined in this diagram as the Service Provider Interface).
Within the Entity Identity Assertion process flow, the Service User (defined as an entity or principal) is asserted by an Identity Provider, which provides an assertion as outlined in the Provide Assertion interaction. The Provide Assertion interaction outlines how this Component provides a trustable user assertion from the Identity Provider to the Service User.
The Service User (representative of an entity or principal) then communicates with a Service Provider (defined in this diagram as the Service Provider Interface), conveying their identifier and authenticating assertions (represented in a SAML assertion). This is represented in the Convey Assertion interaction.
A Service User may invoke this Component by making a request to another entity within a HITSP Interoperability Specification, such as a laboratory or public health agency, which represents the trigger for the presentation of credentials for SAML assertion. Receipt of this assertion is the trigger for a possible additional scenario; the processing and verification of the assertion (captured in the Process Assertion and Verify Assertion interactions).
This Component, when completed, will constitute an auditable event. This Component does not specify how to reference the Identity Assertion in an audit message. This Component is designed to be agnostic to the mechanisms that provide the specific auditing event.
For authentications made through user assertion using Web Services, the following data flow applies (from the IHE Cross-Enterprise User Authentication (XUA) Supplement to the IHE-ITI-TF-2):
Figure 2-2 WS-Security Assertion Sequence Diagram
This is added as reference material for those implementations that are specific to Web Services. The same interactions related to assertion in Section 2.2.2.2 (Post-conditions) will apply.
Table 2-9 Regulatory Guidance
|
Standard |
Description |
|
No applicable regulatory guidance |
Table 2-10 Selected Standards
|
Standard |
Description |
|
Integrating the Healthcare Enterprise (IHE) IT Infrastructure Technical Framework (ITI-TF) Volume 2 Supplement 2007 2008 Cross-Enterprise User Assertion (XUA) |
The Cross-Enterprise User Assertion Profile (XUA) provides a means to communicate claims about the user identity of an authenticated principal (user, application, system) in transactions that cross enterprise boundaries. To provide accountability in these cross enterprise transactions there is a need to identify the requesting user in a way that the receiver can make access decisions and proper audit entries. The XUA Profile supports enterprises that have chosen to have their own user directory with their own unique method of authenticating the entities, and others that may have chosen to use a third party to perform the authentication. The latest version of the IHE framework is available at www.ihe.net |
Table 2-11 Informative Reference Standards
|
Standard Name |
Reason for Use |
|
Integrating the Healthcare Enterprise (IHE) IT Infrastructure Technical Framework (ITI-TF) Revision 4.0 |
The IHE IT Infrastructure Technical Framework defines specific implementations of established standards to achieve integration goals that promote appropriate sharing of health information to support optimal patient care. IHE Integration Profiles offer a common language that healthcare professionals and vendors may use in communicating requirements for the integration of products. The current version of the ITI-TF, rev. 4.0 for Final Text, specifies the IHE transactions defined and implemented as of August 22, 2007. The latest version of the IHE Technical Framework is available at www.ihe.net |
|
Organization for the Advancement of Structured Information Standards (OASIS) Security Assertion Markup Language (SAML) Core v2.0 OASIS Standard; ITU-T X.1141 |
SAML, developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application. For more information visit www.oasis-open.org |
|
Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security SOAP Message Security Version 1.0 |
Describes enhancements to SOAP messaging to provide message integrity and confidentiality. The specified mechanisms can be used to accommodate a wide variety of security models and encryption technologies. This specification also provides a general-purpose mechanism for associating security tokens with message content. No specific type of security token is required, the specification is designed to be extensible (i.e., support multiple security token formats. Additionally, this specification describes how to encode binary security tokens, a framework for XML-based tokens, and how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the tokens that are included with a message. For more information visit www.oasis-open.org |
|
Organization for the Advancement of Structured Information Standards (OASIS) Simple Object Access Protocol (SOAP) Version 1.1 |
SOAP is a protocol specification for invoking methods on servers, services, components and objects. SOAP codifies the existing practice of using XML and HTTP as a method invocation mechanism. The SOAP specification mandates a small number of HTTP headers that facilitate firewall/proxy filtering plus an XML vocabulary that is used for representing method parameters, return values, and exceptions." {DevelopMentor} SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined data types, and a convention for representing remote procedure calls and responses. For more information visit www.oasis-open.org |
|
Return to detail page at www.hitsp.org | HITSP/C19 |
| Prev TOC Next |