Integration Profile: Cross Enterprise User Assertion

Id: 50

Keyword: XUA

Name: Cross Enterprise User Assertion

Description: provides user identity in transactions that cross enterprise boundaries, specifically the XDS profile that creates an Affinity Domain. When transactions cross enterprise boundaries the mechanisms found in the EUA and PWP profile are insufficient and often nonfunctional. Enterprises may choose to have their own user directory and their own unique method of authenticating. To provide accountability in these cross enterprise transactions there is a need to identify the requesting user in a way that the receiver can make access decisions and proper audit entries.

Status: Final Text

Document Section:

IHE ITI TF Vol1 #13 Cross Enterprise User Assert

Id	Keyword	Name	Description
87	X-SERV-USR	X-Service User	X-Service User
88	X-SERV-PROV	X-Service Provider	X-Service Provider

Id	Actor	Transaction	Optionality
692	X-SERV-USR - X-Service User	ITI-40 - Provide X-User Assertion	Required
693	X-SERV-PROV - X-Service Provider	ITI-40 - Provide X-User Assertion	Required

Id	Actor	Integration Profile Option	Assertions
853	X-SERV-USR - X-Service User	NONE - None	21
854	X-SERV-PROV - X-Service Provider	NONE - None	20
1547	X-SERV-PROV - X-Service Provider	SUBJECT_ROLE - Subject-Role	4
1548	X-SERV-USR - X-Service User	SUBJECT_ROLE - Subject-Role	4
1549	X-SERV-PROV - X-Service Provider	PURPOSE_OF_USE - PurposeOfUse	4
1550	X-SERV-USR - X-Service User	PURPOSE_OF_USE - PurposeOfUse	6
1551	X-SERV-PROV - X-Service Provider	AUTHZ_CONSENT - Authz-Consent	5
1552	X-SERV-USR - X-Service User	AUTHZ_CONSENT - Authz-Consent	5

Assertion Id	Description
CH-XUA-002	[SAML Assertion] There MUST be one <Attribute> element with the name attribute "urn:oasis:names:tc:xspa:1.0:subject:subject-id". The <AttributeValue> child element MUST convey the subjects real world name as plain text as defined by IHE XUA in all extensions (see Section 1.6.4.3.4.2 Message Semantics)
CH-XUA-003	[SAML Assertion] There MUST be one <Attribute> element with the name attribute "urn:oasis:names:tc:xspa:1.0:subject:organization-id". The <AttributeValue> child element MUST convey the ID of the subjects organization or group registered in the HPD or empty, if not known (see Section 1.6.4.3.4.2 Message Semantics)
CH-XUA-004	[SAML Assertion] There MUST be one <Attribute> element with the name attribute: "urn:oasis:names:tc:xspa:1.0:subject:organization". The <AttributeValue> child element MUST convey a plain text the subjects organization name as registered in the HPD or empty, if not known (see Section 1.6.4.3.4.2 Message Semantics)
CH-XUA-005	[SAML Assertion] There MUST be one <Attribute> element with the name attribute "urn:oasis:names:tc:xacml:2.0:subject:role". The <AttributeValue> child element MUST convey a coded value of the subjects role (see Section 1.6.4.3.4.2 Message Semantics)
CH-XUA-006	[SAML Assertion] There MUST be one <Attribute> element with the name attribute:"urn:oasis:names:tc:xacml:2.0:resource:resource-id". The <AttributeValue> MUST convey the EPR-SPID identifier of the patients record and the patient assigning authority formatted in CXsyntax as specified in the XUA profile (see Section 1.6.4.3.4.2 Message Semantics)
CH-XUA-007	[SAML Assertion] There MUST be one <Attribute> element with the name attribute: "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse". The <AttributeValue> child element MUST convey a coded value of the current transactions purpose of use (see Section 1.6.4.3.4.2 Message Semantics)
CH-XUA-008	The Get X-User Assertion response message extends the <wst:RequestSecurityTokenResponse> message defined in WS-Trust 1.3 (see Section 1.6.4.2.4.2 Message Semantics)
CH-XUA-012	See ITI TF-2b, chapter 3.40 Provide X-User Assertion [ITI-40]. The SAML User Assertion MUST be taken from the Get X-User Assertion transaction (see Section 1.6.4.2.1 Scope)
CH-XUA-013	The User Authentication Provider authenticates the user and returns a SAML 2 Authentication Assertion (see Section 1.6.4.1.1 Scope)
CH-XUA-018	X-Assertion Provider verifies authorization information, creates a SAML Authorization Assertion and sends it to the X-Service User (see Section 1.6.4.2.2 Use Case Roles)
CH-XUA-020	X-Service User actor MUST implement the SAML User Authentication Request of the «Authenticate User» transaction (see Section 1.6.4.1.1 Scope)
CH-XUA-021	X-Service User actor MUST implement the SAML User Assertion Request (see Section 1.6.4.2.2 Use Case Roles)
CH-XUA-024	The X-Assertion Provider actor MUST authenticate the technical user by validating the signature of the Assertion with the certificate registered with the technical user (see Section 1.6.4.2.4.4.3 Technical User Extension)
CH-XUA-026	X-Service User actor MUST be able to send SAML attribute queries to the Identity Provider to query specific attributes according to the Identity Provider (see Section 1.6.4.2.2 Use Case Roles)
CH-XUA-029	X-Service Provider actor MUST be grouped with the actor «Authorization Decision Provider» as defined in the CH:ADR integration profile (see Table 4: Required groupings of actors defined in this national extension)
CH-XUA-030	X-Service Provider actors MUST implement the Provide X-User Assertion [ITI-40] specified by the IHE XUA integration profile (see Section 1.6.2 Actors / Transactions)
CH-XUA-032	[SAML Assertion - HCP - ASS - TCU] The organization attribute ("urn:oasis:names:tc:xspa:1.0:subject:organization") of the <AttributeStatement> MUST convey the name of the organizations or groups the subject is a member of (see Section 1.6.4.3.4.2.1 Heathcare Professional Extension)
CH-XUA-033	[SAML Assertion - HCP - ASS - TCU] The organization ID attribute ("urn:oasis:names:tc:xspa:1.0:subject:organization-id") MUST convey the identifiers of the organizations or groups the subject is assigned to. The identifiers MUST be OID in the format of URN as registered in the healthcare provider directory (see Section 1.6.4.3.4.2.1 Heathcare Professional Extension)
CH-XUA-034	The <SubjectConfirmation> element MUST contain a <NameID> child element. The <NameID> element must convey the GLN of the subject with name qualifier name qualifier attribute set to urn:gs1:gln (Assistant Extension) or the unique ID the technical user is registered within the community and NameQualifier "urn:e-health-suisse:technical-user-id" (see Section 1.6.4.3.4.2.3 Technical User Extension)
CH-XUA-035	[SAML Assertion - ASS] The <Conditions> element MUST contain a <AudienceRestriction> element coveying a single <Audience> child element with the value set to "urn:e-health-suisse:token-audience:all-communities" (see Section 1.6.4.3.4.2.3 Technical User Extension)

Id	Keyword	Name	Description
2	ITI	IT-Infrastructure	The IT Infrastructure Domain supplies infrastructure for sharing healthcare information. An infrastructure interoperability component represents a common IT function that is used as a building block for a variety of use cases... a necessary ingredient, but rarely visible to the end user!! These components may be embedded in an application, but are often deployed as a shared resource within a RHIO or Health Information Exchange.

Assertion Id	Description

Conformance checker
EVS Client

Peer-to-peer testing
Gazelle Proxy

Integration Profile: Cross Enterprise User Assertion

Integration Profile Information

Domains

Tool index

Conformance checker

Simulators

Peer-to-peer testing


	EPR Projectathon 2022 - Montreux (Projectathon Europe 2022)Closed	EPR Projectathon 2022 - Montreux IHE EPR Projectathon 2022 - Montreux (Projectathon Europe 2022) The registration deadline is 7/1/22 6:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/12/22 12:00:00 PM to 9/16/22 12:00:00 PM
	EPR Projectathon 2023 - Bern (Projectathon Europe 2023)Closed	EPR Projectathon 2023 - Bern IHE EPR Projectathon 2023 - Bern (Projectathon Europe 2023) The registration deadline is 7/18/23 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/11/23 8:00:00 AM to 9/15/23 12:00:00 PM
	EPR Projectathon 2024 - Bern (Projectathon Europe 2024)Ongoing registrationDefault Session	EPR Projectathon 2024 - Bern IHE EPR Projectathon 2024 - Bern (Projectathon Europe 2024) The registration deadline is 7/31/24 1:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/16/24 1:00:00 PM to 9/20/24 1:00:00 PM
	EPR Projectathon 2020 - Bern (Projectathon Europe 2020)Closed	EPR Projectathon 2020 - Bern IHE EPR Projectathon 2020 - Bern (Projectathon Europe 2020) The registration deadline is 7/17/20 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/21/20 12:00:00 AM to 9/25/20 12:00:00 PM
	eMedication Projectathon 2021 - Online (Projectathon Europe 2021)Closed	eMedication Projectathon 2021 - Online IHE eMedication Projectathon 2021 - Online (Projectathon Europe 2021) The registration deadline is 2/11/21 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 3/10/21 12:00:00 PM to 3/12/21 12:00:00 PM
	EPR Projectathon 2021 - Bern (Projectathon Europe 2021)Closed	EPR Projectathon 2021 - Bern IHE EPR Projectathon 2021 - Bern (Projectathon Europe 2021) The registration deadline is 8/31/21 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/20/21 12:00:00 PM to 9/24/21 12:00:00 PM
	EPR Projectathon 2019 - Bern (Projectathon Europe 2019)Closed	EPR Projectathon 2019 - Bern IHE EPR Projectathon 2019 - Bern (Projectathon Europe 2019) The registration deadline is 8/23/19 11:59:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/23/19 9:00:00 AM to 9/27/19 12:00:00 PM
	EPR Projectathon 2019 - Rennes (Projectathon Europe 2019)Closed	EPR Projectathon 2019 - Rennes IHE EPR Projectathon 2019 - Rennes (Projectathon Europe 2019) The registration deadline is 2/28/19 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 4/8/19 12:00:00 PM to 4/12/19 12:00:00 PM
	EPR Projectathon 2019 - Wave 2 Online testing (Projectathon Europe 2019)Closed	EPR Projectathon 2019 - Wave 2 Online testing IHE EPR Projectathon 2019 - Wave 2 Online testing (Projectathon Europe 2019) The registration deadline is 1/26/19 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 2/4/19 12:00:00 PM to 2/22/19 12:00:00 PM
	EPR Projectathon 2019 - Open Online Testing (Projectathon Europe 2019)Closed	EPR Projectathon 2019 - Open Online Testing IHE EPR Projectathon 2019 - Open Online Testing (Projectathon Europe 2019) The registration deadline is 4/5/19 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 1/7/19 12:00:00 PM to 4/5/19 12:00:00 PM
	EPR Projectathon 2018 - Bern (Projectathon Europe 2018)Closed	EPR Projectathon 2018 - Bern IHE EPR Projectathon 2018 - Bern (Projectathon Europe 2018) The registration deadline is 7/31/18 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/17/18 9:00:00 AM to 9/21/18 12:00:00 PM
	EPR Projectathon 2018 - Den Haag (Projectathon Europe 2018)Closed	EPR Projectathon 2018 - Den Haag IHE EPR Projectathon 2018 - Den Haag (Projectathon Europe 2018) The registration deadline is 2/9/18 11:59:00 PM . You will not be able to add or alter systems after that date. This event will held from 4/16/18 8:00:00 AM to 1/19/18 11:59:00 AM
	EPR Projectathon 2017 (Projectathon Europe 2017)Closed	EPR Projectathon 2017 IHE EPR Projectathon 2017 (Projectathon Europe 2017) The registration deadline is 6/30/17 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/25/17 8:00:00 AM to 9/28/17 6:00:00 PM
	Demo testing (Demo Europe 2017)	Demo testing IHE Demo testing (Demo Europe 2017) The registration deadline is 1/19/24 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 3/25/24 12:00:00 PM to 1/29/24 11:40:00 AM
	Test Session Template DO NOT EDIT (Template Europe 2019)Closed	Test Session Template DO NOT EDIT IHE Test Session Template DO NOT EDIT (Template Europe 2019) The registration deadline is 9/11/19 12:00:00 PM . You will not be able to add or alter systems after that date. This event will held from 9/3/19 12:00:00 PM to 9/4/19 12:00:00 PM