# SAML security token

Each value in a SAML token has a defined source. This document identifies the source of each element in the SAML token issued by the HelseID SAML service in Norsk helsenett.

Information published in the SAML token comes from the following sources:

- "saml_claim": provided in the request to the SAML endpoint by the requestor that transforms the JWT into SAML
- "claim": a claim in the JWT security token issued by HelseID; the service consumer provides this token, and it is forwarded unchanged as a header to the SAML endpoint
- "claim_assertion": a claim in the JWT security token that the service consumer provides to HelseID for the end user, known as "helsepersonellets attest"

Three versions of the SAML specification are referenced:

- 1.0: version "1.0" of the SAML specification, used in Norwegian document exchange and defined by Direktoratet for e-helse (deprecated)
- 2.0: version "2.0" of the SAML specification, reflecting the changes to the SAML security token needed to incorporate "helsepersonellets attest" (the resource attestation statement)
- 2.1: version "2.1" of the SAML specification, a minor adjustment of version "2.0"

A value in the SAML security token may have more than one source.
## SUBJECT (Practitioner)

| Source | Claim (OAuth/JWT token) | Attribute (SAML token) | Version | HL7 data type | Description |
|---|---|---|---|---|---|
| claim_assertion | helseid://claims/identity/pid | urn:oasis:names:tc:xspa:1.0:subject:subject-id | 1.0 | HL7 v2.5 ST | Requestor's full name |
| claim_assertion | helseid://claims/identity/pid | urn:oasis:names:tc:xacml:1.0:subject:subject-id | 2.0 | HL7 v2.5 ST | Requestor's full name |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:hpr_nr.id | urn:oasis:names:tc:xspa:2.0:subject:npi | 1.0 | HL7 v2.5 ST | Requestor's national profession identifier |
| claim_assertion | helseid://claims/hpr/hpr_number | urn:oasis:names:tc:xspa:1.0:subject:npi | 2.0 | HL7 v2.5 ST | Requestor's national profession identifier |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:hpr_nr:id | urn:ihe:iti:xua:2017:subject:provider-identifier - extension | 1.0, 2.0 | HL7 v3 II | Requestor's national profession identifier (HL7v3) |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:hpr_nr:system | urn:ihe:iti:xua:2017:subject:provider-identifier - root | 1.0, 2.0 | HL7 v3 II | Requestor's national profession identifier (HL7v3) |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:hpr_nr:authority | urn:ihe:iti:xua:2017:subject:provider-identifier - assigningAuthorityName | 1.0, 2.0 | HL7 v3 II | Requestor's national profession identifier (HL7v3) |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:authorization:code | urn:oasis:names:tc:xacml:2.0:subject:role - code | 2.0 | HL7 v3 CE | Type of practitioner's role |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:authorization:text | urn:oasis:names:tc:xacml:2.0:subject:role - displayName | 2.0 | HL7 v3 CE | Type of practitioner's role |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:authorization:system | urn:oasis:names:tc:xacml:2.0:subject:role - codeSystem | 2.0 | HL7 v3 CE | Type of practitioner's role |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:authorization:assigner | urn:oasis:names:tc:xacml:2.0:subject:role - codeSystemName | 2.0 | HL7 v3 CE | Type of practitioner's role |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:legal_entity | urn:oasis:names:tc:xspa:1.0:subject:organization-id | 1.0, 2.0 | HL7 v3 ST | Requestor's organization identifier |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:legal_entity.name | urn:oasis:names:tc:xspa:1.0:subject:organization | 1.0, 2.0 | HL7 v2.5 ST | Requestor's organization name |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:point_of_care:id | urn:oasis:names:tc:xspa:1.0:subject:child-organization | 2.0 | HL7 v2.5 ST | Requestor's child-organization id |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:point_of_care.name | urn:nhn:trust-framework:1.0:ext:subject:child-organization-name | 2.0 | HL7 v2.5 ST | Requestor's child-organization name |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:department:id | urn:oasis:names:tc:xspa:1.0:subject:facility | 2.0 | HL7 v2.5 ST | Requestor's department id |
| claim_assertion | nhn:tillitsrammeverk:parameters - practitioner:department.name | urn:nhn:trust-framework:1.0:ext:subject:facility-name | 2.0 | HL7 v2.5 ST | Requestor's department name |
| claim | - | urn:no:ehelse:saml:1.0:subject:Scope | 1.0 | HL7 v2.5 ST | Defined scope |
| saml_claim (new) | xua-scope | urn:nhn:saml:2.0:ext:scope | 2.1 | HL7 v2.5 ST | Defined scope |
| claim | amr | urn:no:ehelse:saml:1.0:subject:Authentication_method | 1.0 | HL7 v2.5 ST | Authentication method |
| claim | client_id | urn:no:ehelse:saml:1.0:subject:client_id | 1.0 | HL7 v2.5 ST | Requestor's unique identifier of the client system |
| claim | helseid://claims/identity/security_level | urn:no:ehelse:saml:1.0:subject:SecurityLevel | 1.0 | HL7 v2.5 ST | Authenticated security level |
| saml_claim | homeCommunityId | urn:no:ehelse:saml:1.0:subject:homeCommunityId | 1.0 | HL7 v2.5 ST | HomeCommunity ID (IHE) |
| saml_claim | homeCommunityId | urn:ihe:iti:xca:2010:homeCommunityId | 2.0 | HL7 v2.5 ST | HomeCommunity ID (IHE) |

The SUBJECT attributes are emitted as follows. A name written between underscores is a placeholder that is replaced with the value of the source claim or parameter of that name:

```xml
<saml:Attribute Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
  <saml:AttributeValue>_helseid://claims/identity/pid_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:npi">
  <saml:AttributeValue>_helseid://claims/hpr/hpr_number_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:ihe:iti:xua:2017:subject:provider-identifier">
  <saml:AttributeValue>
    <id xmlns="urn:hl7-org:v3" xsi:type="II"
        extension="_nhn:tillitsrammeverk:parameters - practitioner:hpr_nr:id_"
        root="_nhn:tillitsrammeverk:parameters - practitioner:hpr_nr:system_"
        assigningAuthorityName="_nhn:tillitsrammeverk:parameters - practitioner:hpr_nr:authority_"
        displayable="true"/>
  </saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
  <saml:AttributeValue>
    <Role xmlns="urn:hl7-org:v3" xsi:type="CE"
          code="_nhn:tillitsrammeverk:parameters - practitioner:authorization:code_"
          codeSystem="_nhn:tillitsrammeverk:parameters - practitioner:authorization:system_"
          codeSystemName="_nhn:tillitsrammeverk:parameters - practitioner:authorization:assigner_"
          displayName="_nhn:tillitsrammeverk:parameters - practitioner:authorization:text_"/>
  </saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
  <saml:AttributeValue>_tillitsrammeverk:parameters - practitioner:legal_entity:id_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
  <saml:AttributeValue>_nhn:tillitsrammeverk:parameters - practitioner:legal_entity.name_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:child-organization">
  <saml:AttributeValue>_nhn:tillitsrammeverk:parameters - practitioner:point_of_care:id_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:nhn:trust-framework:1.0:ext:subject:child-organization-name">
  <saml:AttributeValue>_nhn:tillitsrammeverk:parameters - practitioner:point_of_care.name_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:facility">
  <saml:AttributeValue>_nhn:tillitsrammeverk:parameters - practitioner:department:id_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:nhn:trust-framework:1.0:ext:subject:facility-name">
  <saml:AttributeValue>_nhn:tillitsrammeverk:parameters - practitioner:department.name_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:nhn:saml:2.0:ext:scope">
  <saml:AttributeValue>_TBD_</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="urn:ihe:iti:xca:2010:homeCommunityId">
  <saml:AttributeValue>_homeCommunityId_</saml:AttributeValue>
</saml:Attribute>
```

## RESOURCE (Patient)
| Source | Claim (OAuth/JWT token) | Attribute (SAML token) | Version | HL7 data type | Description |
|---|---|---|---|---|---|
| saml_claim | - | urn:oasis:names:tc:xacml:2.0:resource:resource-id | 1.0 | HL7 v2.5 CX | Identifier of the requested resource |
| saml_claim | resource:resource-id | urn:oasis:names:tc:xacml:1.0:resource:resource-id | 2.0 | HL7 v2.5 CX | Identifier of the requested resource |
| claim_assertion | nhn:tillitsrammeverk:parameters - patient:point_of_care | urn:nhn:trust-framework:1.0:ext:resource:child-organization | 2.0 | HL7 v3 II | Details of the health provider organization where the resource can be found (HL7v3) |
| claim_assertion | nhn:tillitsrammeverk:parameters - patient:point_of_care.name | urn:nhn:trust-framework:1.0:ext:resource:child-organization-name | 2.0 | HL7 v2.5 ST | Name of the health provider organization where the resource can be found |
| claim_assertion | nhn:tillitsrammeverk:parameters - patient:department | urn:nhn:trust-framework:1.0:ext:resource:facility | 2.0 | HL7 v3 II | Identifier of the department within the health provider organization where the resource can be found |
| claim_assertion | nhn:tillitsrammeverk:parameters - patient:department.name | urn:nhn:trust-framework:1.0:ext:resource:facility-name | 2.0 | HL7 v2.5 ST | Name of the department within the health provider organization where the resource can be found |
| saml_claim | xua-acp | urn:ihe:iti:xua:2012:acp | 2.0 | HL7 v2.5 ST | Privacy consent type |
| saml_claim | bppc-docid | urn:ihe:iti:bppc:2007:docid | 2.0 | HL7 v2.5 ST | Privacy consent reference |

The resource identifier is emitted as an HL7 v2.5 CX value. The `oid:resource-id` placeholder identifies the type of identifier:

- 2.16.578.1.12.4.1.4.1: Norwegian F-number
- 2.16.578.1.12.4.1.4.2: Norwegian D-number
- 2.16.578.1.12.4.1.4.3: Norwegian emergency number

```xml
<saml:Attribute Name="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
  <saml:AttributeValue>_resource:resource-id_^^^&_oid:resource-id_&ISO</saml:AttributeValue>
</saml:Attribute>
```

In the serialized XML the `&` separators of the CX value appear escaped as `&amp;`.
## Care-relationship

| Source | Claim (OAuth/JWT token) | Attribute (SAML token) | Version | HL7 data type | Description |
|---|---|---|---|---|---|
| claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use:healthcare_service | urn:nhn:trust-framework:1.0:ext:care-relationship:healthcare-service | 2.0 | HL7 v3 CE | Requestor's specification of treatment |
| claim_assertion | purpose_of_use | urn:oasis:names:tc:xspa:1.0:subject:purposeOfUse | 1.0 | HL7 v3 CE | Purpose of use |
| claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use | urn:oasis:names:tc:xacml:2.0:action:purpose | 2.0 | HL7 v3 CE | Purpose of use |
| claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:purpose_of_use_details | urn:nhn:trust-framework:1.0:ext:care-relationship:purpose-of-use-details | 2.0 | HL7 v3 CE | Requestor's specification for the background of treatment |
| claim_assertion | nhn:tillitsrammeverk:parameters - care_relationship:decision_ref | urn:nhn:trust-framework:1.0:ext:care-relationship:decision-ref | 2.0 | HL7 v2.5 ST | Requestor's identifier for the background decision |
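As an added worked example (not code from the HelseID SAML service), the following Python builds the version 2.0 attribute statement from the `saml_claim` and `claim_assertion` sources according to the mapping tables above, covering the plain ST attributes, the HL7 v3 II and CE structures and the CX-encoded resource-id, and includes the check a relying party would run on the received resource-id. The claim dictionaries are constructed input, the function names are this example's own, and `oid:resource-id` is assumed to arrive as a request parameter alongside `resource:resource-id`.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HL7, XSI = "urn:hl7-org:v3", "http://www.w3.org/2001/XMLSchema-instance"
PRACT = "nhn:tillitsrammeverk:parameters - practitioner"
# OIDs accepted in the resource-id CX value (the oid:resource-id table above)
RESOURCE_OIDS = {"2.16.578.1.12.4.1.4.1": "F-number", "2.16.578.1.12.4.1.4.2": "D-number",
                 "2.16.578.1.12.4.1.4.3": "emergency number"}
# Plain-string (HL7 v2.5 ST) version 2.0 rows: (source, source key, SAML attribute Name)
SIMPLE_V2 = [
    ("claim_assertion", "helseid://claims/identity/pid", "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    ("claim_assertion", "helseid://claims/hpr/hpr_number", "urn:oasis:names:tc:xspa:1.0:subject:npi"),
    ("claim_assertion", f"{PRACT}:legal_entity.name", "urn:oasis:names:tc:xspa:1.0:subject:organization"),
    ("saml_claim", "homeCommunityId", "urn:ihe:iti:xca:2010:homeCommunityId"),
]

def _value(stmt, name):  # append <saml:Attribute Name=...> and return its empty <saml:AttributeValue>
    return ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name), f"{{{SAML}}}AttributeValue")
def cx_resource_id(ident, oid):  # HL7 v2.5 CX form used for the requested resource
    return f"{ident}^^^&{oid}&ISO"
def parse_cx_resource_id(cx):
    """Relying-party check: split a CX value and reject unknown OIDs or non-ISO schemes."""
    ident, _, _, authority = cx.split("^", 3)
    _, oid, scheme = authority.split("&")
    if scheme != "ISO" or oid not in RESOURCE_OIDS:
        raise ValueError(f"malformed or unknown resource-id: {cx!r}")
    return ident, RESOURCE_OIDS[oid]

def build_statement(saml_claim, claim_assertion):
    """Build the version 2.0 <saml:AttributeStatement> from the two claim sources."""
    src = {"saml_claim": saml_claim, "claim_assertion": claim_assertion}
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for source, key, name in SIMPLE_V2:
        _value(stmt, name).text = src[source][key]
    # HL7 v3 II: provider-identifier assembled from the three hpr_nr parts
    ET.SubElement(_value(stmt, "urn:ihe:iti:xua:2017:subject:provider-identifier"), f"{{{HL7}}}id", {
        f"{{{XSI}}}type": "II", "displayable": "true", "extension": claim_assertion[f"{PRACT}:hpr_nr:id"],
        "root": claim_assertion[f"{PRACT}:hpr_nr:system"], "assigningAuthorityName": claim_assertion[f"{PRACT}:hpr_nr:authority"]})
    # HL7 v3 CE: role assembled from the four authorization parts
    ET.SubElement(_value(stmt, "urn:oasis:names:tc:xacml:2.0:subject:role"), f"{{{HL7}}}Role", {
        f"{{{XSI}}}type": "CE", "code": claim_assertion[f"{PRACT}:authorization:code"],
        "codeSystem": claim_assertion[f"{PRACT}:authorization:system"], "displayName": claim_assertion[f"{PRACT}:authorization:text"],
        "codeSystemName": claim_assertion[f"{PRACT}:authorization:assigner"]})
    # HL7 v2.5 CX: resource-id ("oid:resource-id" is assumed here to arrive as a request parameter)
    _value(stmt, "urn:oasis:names:tc:xacml:1.0:resource:resource-id").text = cx_resource_id(
        saml_claim["resource:resource-id"], saml_claim["oid:resource-id"])
    return stmt

def attribute_value(stmt, name):  # <saml:AttributeValue> of the attribute with this Name, or None
    return stmt.find(f"{{{SAML}}}Attribute[@Name='{name}']/{{{SAML}}}AttributeValue")
```

Serializing with `ET.tostring(stmt)` escapes the `&` separators of the CX value as `&amp;`, which is the form the template above shows unescaped.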