| CH-XUA | CH-XUA-002 | | Testable |
7
|
1
| | [SAML Assertion] There MUST be one <Attribute> element with the name attribute "urn:oasis:names:tc:xspa:1.0:subject:subject-id". The <AttributeValue> child element MUST convey the subjects real world name as plain text as defined by IHE XUA in all extensions (see Section 1.6.4.3.4.2 Message Semantics) | 23 | Section 1.6.4.3.4.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-003 | to be reviewed | Testable |
7
|
1
| | [SAML Assertion] There MUST be one <Attribute> element with the name attribute "urn:oasis:names:tc:xspa:1.0:subject:organization-id". The <AttributeValue> child element MUST convey the ID of the subjects organization or group registered in the HPD or empty, if not known (see Section 1.6.4.3.4.2 Message Semantics) | 24 | Section 1.6.4.3.4.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-004 | to be reviewed | Testable |
7
|
1
| | [SAML Assertion] There MUST be one <Attribute> element with the name attribute: "urn:oasis:names:tc:xspa:1.0:subject:organization". The <AttributeValue> child element MUST convey a plain text the subjects organization name as registered in the HPD or empty, if not known (see Section 1.6.4.3.4.2 Message Semantics) | 24 | Section 1.6.4.3.4.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-005 | | Testable |
7
|
1
| | [SAML Assertion] There MUST be one <Attribute> element with the name attribute "urn:oasis:names:tc:xacml:2.0:subject:role". The <AttributeValue> child element MUST convey a coded value of the subjects role (see Section 1.6.4.3.4.2 Message Semantics) | 23 | Section 1.6.4.3.4.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-006 | | Testable |
7
|
1
| | [SAML Assertion] There MUST be one <Attribute> element with the name attribute:"urn:oasis:names:tc:xacml:2.0:resource:resource-id". The <AttributeValue> MUST convey the EPR-SPID identifier of the patients record and the patient assigning authority formatted in CXsyntax as specified in the XUA profile (see Section 1.6.4.3.4.2 Message Semantics) | 23 | Section 1.6.4.3.4.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-007 | | Testable |
7
|
1
| | [SAML Assertion] There MUST be one <Attribute> element with the name attribute: "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse". The <AttributeValue> child element MUST convey a coded value of the current transactions purpose of use (see Section 1.6.4.3.4.2 Message Semantics) | 23 | Section 1.6.4.3.4.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-008 | | Testable |
7
|
1
| | The Get X-User Assertion response message extends the <wst:RequestSecurityTokenResponse> message defined in WS-Trust 1.3 (see Section 1.6.4.2.4.2 Message Semantics) | 17 | Section 1.6.4.2.4.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-012 | | Testable |
1
|
2
| | See ITI TF-2b, chapter 3.40 Provide X-User Assertion [ITI-40]. The SAML User Assertion MUST be taken from the Get X-User Assertion transaction (see Section 1.6.4.2.1 Scope) | 15 | Section 1.6.4.2.1 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-013 | | Testable |
0
|
3
| Agreed to do not cover this assertion | The User Authentication Provider authenticates the user and returns a SAML 2 Authentication Assertion (see Section 1.6.4.1.1 Scope) | 14 | Section 1.6.4.1.1 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-018 | | Testable |
8
|
3
| | X-Assertion Provider verifies authorization information, creates a SAML Authorization Assertion and sends it to the X-Service User (see Section 1.6.4.2.2 Use Case Roles) | 15 | Section 1.6.4.2.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-020 | | Testable |
1
|
3
| | X-Service User actor MUST implement the SAML User Authentication Request of the «Authenticate User» transaction (see Section 1.6.4.1.1 Scope) | 14 | Section 1.6.4.1.1 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-021 | | Testable |
7
|
3
| | X-Service User actor MUST implement the SAML User Assertion Request (see Section 1.6.4.2.2 Use Case Roles) | 15 | Section 1.6.4.2.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-024 | | Testable |
1
|
1
| | The X-Assertion Provider actor MUST authenticate the technical user by validating the signature of the Assertion with the certificate registered with the technical user (see Section 1.6.4.2.4.4.3 Technical User Extension) | 21 | Section 1.6.4.2.4.4.3 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-026 | | Testable |
0
|
1
| Agreed to do not cover this assertion | X-Service User actor MUST be able to send SAML attribute queries to the Identity Provider to query specific attributes according to the Identity Provider (see Section 1.6.4.2.2 Use Case Roles) | 15 | Section 1.6.4.2.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-029 | | Testable |
7
|
4
| | X-Service Provider actor MUST be grouped with the actor «Authorization Decision Provider» as defined in the CH:ADR integration profile (see Table 4: Required groupings of actors defined in this national extension) | 13 | Section 1.6.3 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-030 | | Testable |
0
|
1
| | X-Service Provider actors MUST implement the Provide X-User Assertion [ITI-40] specified by the IHE XUA integration profile (see Section 1.6.2 Actors / Transactions) | 11 | Section 1.6.2 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-031 | | Testable |
0
|
0
| | [SAML Assertion - HCP - ASS - TCU] The <NameID> child element of the <Subject> MUST contain the GLN of the subject with name qualifier attribute set to urn:gs1:gln. | 24 | Section 1.6.4.3.4.2.1 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-032 | | Testable |
3
|
1
| | [SAML Assertion - HCP - ASS - TCU] The organization attribute ("urn:oasis:names:tc:xspa:1.0:subject:organization") of the <AttributeStatement> MUST convey the name of the organizations or groups the subject is a member of (see Section 1.6.4.3.4.2.1 Heathcare Professional Extension) | 24 | Section 1.6.4.3.4.2.1 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-033 | | Testable |
3
|
1
| | [SAML Assertion - HCP - ASS - TCU] The organization ID attribute ("urn:oasis:names:tc:xspa:1.0:subject:organization-id") MUST convey the identifiers of the organizations or groups the subject is assigned to. The identifiers MUST be OID in the format of URN as registered in the healthcare provider directory (see Section 1.6.4.3.4.2.1 Heathcare Professional Extension) | 24 | Section 1.6.4.3.4.2.1 | 1/22/24 2:03:10 PM by vhofman |
|
| CH-XUA | CH-XUA-034 | | Testable |
0
|
1
| | The <SubjectConfirmation> element MUST contain a <NameID> child element. The <NameID> element must convey the GLN of the subject with name qualifier name qualifier attribute set to urn:gs1:gln (Assistant Extension) or the unique ID the technical user is registered within the community and NameQualifier "urn:e-health-suisse:technical-user-id" (see Section 1.6.4.3.4.2.3 Technical User Extension) | 25 | Section 1.6.4.3.4.2.2 | 1/22/24 2:03:10 PM by vhofman |
|