External Validation Service Front-end

Information

File Name: requestsecuritytoken.xml
OID :: 1.3.6.1.4.1.12559.11.25.1.1358845
Schematron :: CH:XUA_Get_X-User_Assertion_Request (Version N/A)
Schematron Validation Result :: FAILED
Validation Date :: 1/23/23 3:38:47 PM (CET GMT+0100)
Model Based Validator :: N/A (Tool Version N/A)
Model Based Validation Result :: N/A
Permanent link :: https://ehealthsuisse.ihe-europe.net/EVSClient/detailedResult.seam?type=XML&oid=1.3.6.1.4.1.12559.11.25.1.1358845
Data Visibility :: Public

Validation Results

Schematron validation

$type Validation Report

Well-formednessPASSED

The document you have validated is supposed to be a well-formed document. The validator has checked if it is well-formed, results of this validation are gathered in this section.

The document is well-formed

Schema Validation detailed ResultFAILED

Your document has been validated with the appropriate schema, here is the detail of the validation outcome.

The document is not valid regarding the schema because of the following reasons:

Summary of reports: 2

Description: Line:Col[1:7571]:cvc-elt.4.2: Cannot resolve 'CE' to a type definition for element 'PurposeOfUse'.

Description: Line:Col[1:8293]:cvc-elt.4.2: Cannot resolve 'CE' to a type definition for element 'Role'.

Schematron validator resultsFAILED

Summary of checks: 1

1

9

Errors

Test: wst:Claims/@Dialect='http://www.bag.admin.ch/epr/2017/annex/5/amendment/2'E - 1
Location: /Envelope/Body/wst:RequestSecurityToken
Description: Error : The claim dialect must be http://www.bag.admin.ch/epr/2017/annex/5/amendment/2.

Warnings

Test: not(//S12:Header/wsse:Security/saml2:Assertion)W - 1
Location: /Envelope/Body/wst:RequestSecurityToken/wst:Claims
Description: Warning : The presence of the SAML Identity Assertion in the header has been verified but not its content.

Reports

Test: S12:EnvelopeR - 1
Location: /Envelope
Description: Success : The Get X-User Assertion Request/Response SHOULD be bind to SOAP 1.2 (IHE ITI-TF-vol2x Appendix V).

Test: S12:Body/wst:RequestSecurityTokenR - 2
Location: /Envelope
Description: Success : The Get X-User Assertion Request MUST use the RequestSecurityToken WS-Trust 1.3 (SR 816.111_Ergaenzung 1 Anhang 5 - §Referenced Standard).

Test: wst:ClaimsR - 3
Location: /Envelope/Body/wst:RequestSecurityToken
Description: Success : The Get X-User Assertion Request MUST contain a list of claims.

Test: wst:Claims/saml2:Attribute[@Name='urn:oasis:names:tc:xacml:2.0:subject:role']/saml2:AttributeValueR - 4
Location: /Envelope/Body/wst:RequestSecurityToken
Description: Success : The Get X-User Assertion Request MUST contain the SAML Attribute defining the role of the accessing person in the claims.

Test: wst:Claims/saml2:Attribute[@Name='urn:oasis:names:tc:xacml:2.0:resource:resource-id']/saml2:AttributeValueR - 5
Location: /Envelope/Body/wst:RequestSecurityToken
Description: Success : The Get X-User Assertion Request MUST contain the SAML Attribute defining the requested resource id in the claims.

Test: wst:Claims/saml2:Attribute[@Name='urn:oasis:names:tc:xspa:1.0:subject:purposeofuse']/saml2:AttributeValueR - 6
Location: /Envelope/Body/wst:RequestSecurityToken
Description: Success : The Get X-User Assertion Request MUST contain the SAML Attribute defining the purpose of use in the claims.

Test: //S12:Header/wsse:Security/saml2:AssertionR - 7
Location: /Envelope/Body/wst:RequestSecurityToken/wst:Claims
Description: Success : The Get X-User Assertion Request for a patient MUST contain the original SAML Identity Assertion in the Web Service Security header.

Test: saml2:Attribute[@Name='urn:oasis:names:tc:xspa:1.0:subject:purposeofuse']/saml2:AttributeValue/hl7:PurposeOfUse[@code='NORM' and @codeSystem='2.16.756.5.30.1.127.3.10.5']R - 8
Location: /Envelope/Body/wst:RequestSecurityToken/wst:Claims
Description: Success : The Get X-User Assertion Request for a patient MUST contain the purpose of use claim attribute with the code NORM from the code system 2.16.756.5.30.1.127.3.10.5 of the CH:EPR value set.

Test: not(//saml2:Attribute[@Name='urn:e-health-suisse:principal-id']/saml2:AttributeValue) or substring(normalize-space(saml2:Attribute[@Name='urn:e-health-suisse:principal-id']/saml2:AttributeValue/text()), 0, 9) = '76133761'R - 9
Location: /Envelope/Body/wst:RequestSecurityToken/wst:Claims
Description: Success : There MAY be one Attribute element with name "urn:e-health-suisse:principal-id". If present, the AttributeValue child element MUST convey the EPR-SPID of the patient.

File Content

Raw XML Content

View lines numbers

Indent file

<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope"><Header><Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action><MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:5efea44d-31fd-4024-80dc-b75d0f7136e9</MessageID><Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_040581aa-ddac-4a76-8ffc-9bb4bc026939" IssueInstant="2023-01-23T14:33:06.145Z" Version="2.0"><saml:Issuer>https://timtest.geneveid.ch/auth/realms/dep-geneve-test</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-8b9a6d1c-2bbc-49e2-918f-7aa1867ed1d6</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_c44e28441192dc4e69af39187b97fb1c" NotOnOrAfter="2023-01-23T14:34:04.145Z" Recipient="http://localhost:8082/idp/callback/geneveid"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2023-01-23T14:33:04.145Z" NotOnOrAfter="2023-01-23T14:38:04.145Z"><saml:AudienceRestriction><saml:Audience>http://localhost:8082/idp/login/geneveid</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2023-01-23T14:33:06.145Z" SessionIndex="d671cdf8-6923-4830-8521-4de68d442347::55523528-632c-4c25-bbf0-60ea5829ddee" SessionNotOnOrAfter="2023-01-24T00:33:06.145Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="identno" Name="identno" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">001.241.325-8</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="dateofbirth" Name="dateofbirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">07.05.1989</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="gender" Name="gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">M</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="firstName" Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Rafael</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="lastName" Name="familyname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jimenez</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-clients</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-realm</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">query-clients</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default-roles-dep-geneve-test</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">query-groups</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">query-users</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-users</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-users</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></Security></Header><Body><wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:Claims Dialect="http://bag.admin.ch/epr/2017/annex/5/addendum/2"><saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"><saml2:AttributeValue><PurposeOfUse xmlns="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="NORM" codeSystem="2.16.756.5.30.1.127.3.10.5" codeSystemName="EprPurposeOfUse" displayName="Normal Access" xsi:type="CE"/></saml2:AttributeValue></saml2:Attribute><saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">761337611908634252^^^&2.16.756.5.30.1.127.3.10.3&ISO</saml2:AttributeValue></saml2:Attribute><saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:oasis:names:tc:xacml:2.0:subject:role"><saml2:AttributeValue><Role xmlns="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="PAT" codeSystem="2.16.756.5.30.1.127.3.10.6" displayName="Patient" xsi:type="CE"/></saml2:AttributeValue></saml2:Attribute></wst:Claims><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://localhost:17001/services/iti18</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType></wst:RequestSecurityToken></Body></Envelope>