SAML security token
Each value in a SAML token has a specific source. The focus of this document is to identify the source of each element in the SAML token provided by the HelseID SAML service in Norsk helsenett.
The information published in the SAML token comes from the following sources:
- "saml_claim": provided in the request to the SAML endpoint by the requestor who transforms the JWT to SAML
- "claim": provided in the JWT security token issued by the HelseID service; the token is presented by the service consumer and is forwarded unchanged as a header to the SAML endpoint
- "claim_assertion": carried in the JWT security token, provided by the service consumer to HelseID for the end user, and known as "helsepersonellets attest"
Three versions are referred to:
1.0 - Version "1.0" of the SAML specification, used in Norwegian document exchange, defined by Direktoratet for e-helse (deprecated)
2.0 - Version "2.0" of the SAML specification, reflecting the changes to the SAML security token needed to incorporate "helsepersonellets attest" (resource attest statement)
2.1 - Version "2.1" of the SAML specification, a minor adjustment of version "2.0"
A given piece of information in the SAML security token may have more than one source.
source | claim/attribute (OAuth token) | claim/attribute (SAML Token) | Version | CodeSystem | Description |
---|---|---|---|---|---|
SUBJECT | Practitioner | ||||
claim_assertion | helseid://claims/identity/pid | urn:oasis:names:tc:xspa:1.0:subject:subject-id | 1.0 | HL7 v2.5 ST | Requestor's full name |
claim_assertion | helseid://claims/identity/pid | urn:oasis:names:tc:xacml:1.0:subject:subject-id | 2.0 | HL7 v2.5 ST | Requestor's full name |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:hpr_nr | urn:oasis:names:tc:xspa:2.0:subject:npi | 1.0 | HL7 v2.5 ST | Requestor's national profession identifier |
claim_assertion | helseid://claims/hpr/hpr_number | urn:oasis:names:tc:xspa:1.0:subject:npi | 2.0 | HL7 v2.5 ST | Requestor's national profession identifier |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:authorization | urn:ihe:iti:xua:2017:subject:provider-identifier | 1.0 2.0 | HL7 v3 II | Requestor's national profession identifier (HL7v3) |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:authorization | urn:oasis:names:tc:xspa:1.0:subject:role | 1.0 | HL7 v3 CE | Type of practitioner's role |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:authorization | urn:oasis:names:tc:xacml:2.0:subject:role | 2.0 | HL7 v3 CE | Type of practitioner's role |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:legal_entity | urn:oasis:names:tc:xspa:1.0:subject:organization-id | 1.0 2.0 | HL7 v3 II | Requestor's organization identifier |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:legal_entity.name | urn:oasis:names:tc:xspa:1.0:subject:organization | 1.0 2.0 | HL7 v2.5 ST | Requestor's organization name |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:point_of_care | urn:oasis:names:tc:xspa:1.0:subject:child-organization | 2.0 | HL7 v2.5 II | Requestor's child-organization id |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:point_of_care | urn:nhn:trust-framework:1.0:ext:subject:child-organization-name | 2.0 | HL7 v2.5 ST | Requestor's child-organization name |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:department | urn:oasis:names:tc:xspa:1.0:subject:facility | 2.0 | HL7 v2.5 II | Requestor's department id |
claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:department | urn:nhn:trust-framework:1.0:ext:subject:facility-name | 2.0 | HL7 v2.5 II | Requestor's department name |
claim | - | urn:no:ehelse:saml:1.0:subject:Scope | 1.0 | HL7 v2.5 ST | Defined scope |
new saml_claim | xua-scope | urn:nhn:saml:2.0:ext:scope | 2.1 | HL7 v2.5 ST | Defined scope |
claim | amr | urn:no:ehelse:saml:1.0:subject:Authentication_method | 1.0 | HL7 v2.5 ST | Authentication method |
claim | client_id | urn:no:ehelse:saml:1.0:subject:client_id | 1.0 | HL7 v2.5 ST | Requestor's unique identifier of client system |
claim | helseid://claims/identity/security_level | urn:no:ehelse:saml:1.0:subject:SecurityLevel | 1.0 | HL7 v2.5 ST | Authenticated security level |
saml_claim | homeCommunityId | urn:no:ehelse:saml:1.0:subject:homeCommunityId | 1.0 | HL7 v2.5 ST | HomeCommunity ID (IHE) |
saml_claim | homeCommunityId | urn:ihe:iti:xca:2010:homeCommunityId | 2.0 | HL7 v2.5 ST | HomeCommunity ID (IHE) |
RESOURCE | Patient | ||||
saml_claim | - | urn:oasis:names:tc:xacml:2.0:resource:resource-id | 1.0 | HL7 v2.5 CX | Identifier of requested resource |
saml_claim | resource:resource-id | urn:oasis:names:tc:xacml:1.0:resource:resource-id | 2.0 | HL7 v2.5 CX | Identifier of requested resource |
claim_assertion | nhn:tillitsrammeverk:parameters - patient:point_of_care | urn:nhn:trust-framework:1.0:ext:resource:child-organization | 2.0 | HL7 v3 II | Health provider organization details where resource can be found (HL7v3) |
claim_assertion | nhn:tillitsrammeverk:parameters - patient:point_of_care | urn:nhn:trust-framework:1.0:ext:resource:child-organization-name | 2.0 | HL7 v2.5 ST | Health provider organization name where resource can be found |
claim_assertion | nhn:tillitsrammeverk:parameters - patient:department | urn:nhn:trust-framework:1.0:ext:resource:facility | 2.0 | HL7 v3 II | Department's identifier in a health provider organization where the resource can be found |
claim_assertion | nhn:tillitsrammeverk:parameters - patient:department | urn:nhn:trust-framework:1.0:ext:resource:facility-name | 2.0 | HL7 v2.5 ST | Department's name in a health provider organization where the resource can be found |
saml_claim | xua-acp | urn:ihe:iti:xua:2012:acp | 2.0 | HL7 v2.5 ST | Privacy consent type |
saml_claim | bppc-docid | urn:ihe:iti:bppc:2007:docid | 2.0 | HL7 v2.5 ST | Privacy consent reference |
Care-relationship | |||||
claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use:healthcare_service | urn:nhn:trust-framework:1.0:ext:care-relationship:healthcare-service | 2.0 | | Requestor's specification of treatment |
claim_assertion | purpose_of_use | urn:oasis:names:tc:xspa:1.0:subject:purposeOfUse | 1.0 | HL7 v3 CE | Purpose of use |
claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use | urn:oasis:names:tc:xacml:2.0:action:purpose | 2.0 | HL7 v3 CE | Purpose of use |
claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use_details | urn:nhn:trust-framework:1.0:ext:care-relationship:purpose-of-use-details | 2.0 | HL7 v3 CE | Requestor's specification for background of treatment |
claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:decision_ref | urn:nhn:trust-framework:1.0:ext:care-relationship:decision-ref | 2.0 | HL7 v2.5 ST | Requestor's identifier for background decision |
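The practical consequence of the table is that each SAML attribute has exactly one declared source, so a token-issuing component should read a value only from that source and never let a requestor-supplied "saml_claim" populate an attribute that the table sources from the verified JWT ("claim") or from the attest ("claim_assertion"). The following is an added example, not code from HelseID or Norsk helsenett: it encodes a subset of the rows above for versions 1.0 and 2.0, resolves attributes per version, reports requestor-supplied keys that no row sources from "saml_claim", and serialises the result as a SAML 2.0 AttributeStatement. The flat-dictionary shape of each source (keyed by the table's OAuth-side identifier) and every sample value are constructed assumptions for illustration.

```python
"""Added example, not code from HelseID or Norsk helsenett.

Resolves SAML attribute values from the three sources the mapping table
distinguishes (saml_claim, claim, claim_assertion), taking every attribute
only from its declared source. The flat-dict shape of each source and all
sample values below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Subset of the mapping table rows:
# (SAML attribute name, source, key in that source, versions it applies to).
# Rows whose OAuth-side column is "-" (no source key) are omitted.
MAPPING = [
    ("urn:oasis:names:tc:xspa:1.0:subject:subject-id", "claim_assertion",
     "helseid://claims/identity/pid", {"1.0"}),
    ("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "claim_assertion",
     "helseid://claims/identity/pid", {"2.0"}),
    ("urn:oasis:names:tc:xspa:1.0:subject:npi", "claim_assertion",
     "helseid://claims/hpr/hpr_number", {"2.0"}),
    ("urn:oasis:names:tc:xacml:2.0:subject:role", "claim_assertion",
     "nhn:tillitsrammeverk:parameters - practitioner:authorization", {"2.0"}),
    ("urn:oasis:names:tc:xspa:1.0:subject:organization-id", "claim_assertion",
     "nhn:tillitsrammeverk:parameters - practitioner:legal_entity", {"1.0", "2.0"}),
    ("urn:no:ehelse:saml:1.0:subject:Authentication_method", "claim", "amr", {"1.0"}),
    ("urn:no:ehelse:saml:1.0:subject:client_id", "claim", "client_id", {"1.0"}),
    ("urn:no:ehelse:saml:1.0:subject:SecurityLevel", "claim",
     "helseid://claims/identity/security_level", {"1.0"}),
    ("urn:no:ehelse:saml:1.0:subject:homeCommunityId", "saml_claim", "homeCommunityId", {"1.0"}),
    ("urn:ihe:iti:xca:2010:homeCommunityId", "saml_claim", "homeCommunityId", {"2.0"}),
    ("urn:oasis:names:tc:xacml:1.0:resource:resource-id", "saml_claim",
     "resource:resource-id", {"2.0"}),
    ("urn:oasis:names:tc:xacml:2.0:action:purpose", "claim_assertion",
     "nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use", {"2.0"}),
]

# Constructed sample input, one flat dict per source: "claim" stands for the
# verified HelseID JWT payload, "saml_claim" for the requestor's request
# parameters, "claim_assertion" for helsepersonellets attest. All values
# are made up for this example.
SAMPLE_SOURCES = {
    "claim": {
        "amr": "pwd",
        "client_id": "example-client-id",
        "helseid://claims/identity/security_level": "4",
    },
    "claim_assertion": {
        "helseid://claims/identity/pid": "01010112345",
        "helseid://claims/hpr/hpr_number": "123456789",
        "nhn:tillitsrammeverk:parameters - practitioner:authorization": "example-role-code",
        "nhn:tillitsrammeverk:parameters - practitioner:legal_entity": "999999999",
        "nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use": "TREAT",
    },
    "saml_claim": {
        "homeCommunityId": "urn:oid:1.2.3.4.5.6",
        "resource:resource-id": "01010154321",
        "amr": "hardware",  # sourced from "claim" in the table, so this must be ignored
    },
}


def resolve_attributes(version, sources):
    """Build {attribute name: value} for a token version, reading each value
    only from the source the mapping declares for it. Returns the attributes
    and the names of attributes whose declared source had no value."""
    attrs, missing = {}, []
    for name, source, key, versions in MAPPING:
        if version not in versions:
            continue
        value = sources.get(source, {}).get(key)
        if value is None:
            missing.append(name)
        else:
            attrs[name] = value
    return attrs, missing


def unexpected_saml_claims(version, saml_claims):
    """Keys the requestor supplied in saml_claim that no row of this version
    sources from saml_claim. They never reach the token; log them instead."""
    allowed = {key for _, src, key, vers in MAPPING
               if src == "saml_claim" and version in vers}
    return sorted(set(saml_claims) - allowed)


def attribute_statement_xml(attrs):
    """Serialise the resolved attributes as a SAML 2.0 AttributeStatement."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in sorted(attrs.items()):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = str(value)
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    for version in ("1.0", "2.0"):
        attrs, missing = resolve_attributes(version, SAMPLE_SOURCES)
        print(version, "missing:", missing, "ignored saml_claim keys:",
              unexpected_saml_claims(version, SAMPLE_SOURCES["saml_claim"]))
        print(attribute_statement_xml(attrs))
```

Because the lookup is driven by the declared source, a requestor who places "amr" in the request parameters cannot influence the Authentication_method attribute: the 1.0 mapping reads it from the JWT only, and the stray key shows up in the ignored list, which is the right thing to log when reviewing SAML endpoint traffic.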