...

Code Block
         <!-- CONNECT assertion block (the urn/urn1 prefixes are declared on the enclosing SOAP message, outside this fragment).
              ALL-CAPS values are placeholders. Per the mapping and testing notes on this page, only part of this block is
              carried into the outgoing NHIN SAML assertion; the fields reported as unused are marked below. -->
         <urn:assertion>
            <!-- Maps to the urn:nhin:names:saml:homeCommunityId attribute. Only homeCommunityId is used here;
                 description and name are reported as not used (per testing). -->
            <urn1:homeCommunity>
               <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description>
               <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId>
               <urn1:name>LOCAL-HC-NAME</urn1:name>
            </urn1:homeCommunity>
            <urn1:userInfo>
               <!-- Maps to the xspa subject:subject-id attribute as "GIVEN INITIALS FAMILY";
                    nameType, fullName and prefix are reported as not used (per testing). -->
               <urn1:personName>
                  <urn1:familyName>USER-FAMILY-NAME</urn1:familyName>
                  <urn1:givenName>USER-FIRST-NAME</urn1:givenName>
                  <urn1:nameType>
                     <urn1:code>NAME-TYPE</urn1:code>
                  </urn1:nameType>
                  <urn1:secondNameOrInitials>INITIALS</urn1:secondNameOrInitials>
                  <urn1:fullName>USER-FIRST-NAME + USER-FAMILY-NAME</urn1:fullName>
                  <urn1:prefix>USER-PREFIX</urn1:prefix>
               </urn1:personName>
               <!-- Reported as not used in the outgoing assertion (per testing). -->
               <urn1:userName>DN=USERNAME</urn1:userName>
               <!-- Maps to xspa subject:organization (name) and subject:organization-id (homeCommunityId);
                    description is reported as not used (per testing). -->
               <urn1:org>
                  <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description>
                  <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId>
                  <urn1:name>LOCAL-HC-NAME</urn1:name>
               </urn1:org>
               <!-- Emitted as an hl7:Role CE with codeSystem 2.16.840.1.113883.6.96 (SNOMED CT) carrying code and displayName;
                    codeSystemVersion and originalText are reported as not used (per testing). -->
               <urn1:roleCoded>
                  <urn1:code>ROLE-CODE</urn1:code>
                  <urn1:codeSystemVersion>CODE-SYSTEM-VERSION</urn1:codeSystemVersion>
                  <urn1:displayName>CODE-DISPLAY-NAME</urn1:displayName>
                  <urn1:originalText>ROLE-ORIGINAL-TEXT</urn1:originalText>
               </urn1:roleCoded>
            </urn1:userInfo>
            <!-- Reported as not used in the outgoing assertion (per testing): this flag has no effect on what is sent,
                 so do not rely on it to withhold authorization. -->
            <urn1:authorized>AUTHORIZED</urn1:authorized>
            <!-- Emitted as an hl7:PurposeOfUse CE with codeSystem 2.16.840.1.113883.3.18.7.1 (nhin-purpose);
                 originalText is reported as not used (per testing). -->
            <urn1:purposeOfDisclosureCoded>
               <urn1:code>PURPOSE-CODE</urn1:code>
               <urn1:displayName>PURPOSE-DISPLAY-NAME</urn1:displayName>
               <urn1:originalText>PURPOSE-ORIGINAL-TEXT</urn1:originalText>
            </urn1:purposeOfDisclosureCoded>
            <!-- Sample dates are from 2009. The sample saml2:Conditions on this page show a different, roughly five-minute window,
                 so these values appear not to be passed through as-is - NOTE(review): confirm against the gateway version in use. -->
            <urn1:samlConditions>
              <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
              <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
            </urn1:samlConditions>
            <!-- Per testing: authInstant is re-serialized with a millisecond component, and authContextClassRef must be a
                 valid value such as urn:oasis:names:tc:SAML:2.0:ac:classes:X509. Dates must be well-formed or an exception is thrown. -->
            <urn1:samlAuthnStatement>
               <urn1:authInstant>DATE</urn1:authInstant>
               <urn1:sessionIndex>SESSION-INDEX</urn1:sessionIndex>
               <urn1:authContextClassRef>AUTH-CONTEXT-CLASS-REF</urn1:authContextClassRef>
               <urn1:subjectLocalityAddress>SUBJECT-LOCALITY-ADDRESS</urn1:subjectLocalityAddress>
               <urn1:subjectLocalityDNSName>SUBJECT-LOCALITY-DNS-NAME</urn1:subjectLocalityDNSName>
            </urn1:samlAuthnStatement>
            <!-- Per the testing notes on this page, only the evidence assertion's id, issuer, accessConsentPolicy and
                 instanceAccessConsentPolicy are passed through; decision, resource and action are not (the sample output shows a
                 Gateway resource and an "Execute" action instead). An evidence assertion with at least one of the two consent
                 policy elements is required for an AuthzDecisionStatement to be emitted at all. -->
            <urn1:samlAuthzDecisionStatement>
               <urn1:decision>Permit</urn1:decision>
               <urn1:resource>https://1.1.1.1:8181/SamlReceiveService/SamlProcessWS</urn1:resource>
               <urn1:action>TestSaml</urn1:action>
               <urn1:evidence>
                  <!-- In the sample output the id is emitted with a leading "_" (an xs:ID must be an NCName and cannot start with a
                       digit), and both consent policy values are emitted with a "urn:oid:" prefix - so the Claim-* placeholders
                       here are not valid OID-form values. -->
                  <urn1:assertion>
                     <urn1:id>40df7c0a-ff3e-4b26-baeb-f2910f6d05a9</urn1:id>
                     <urn1:issueInstant>2009-04-16T13:10:39.093Z</urn1:issueInstant>
                     <urn1:version>2.0</urn1:version>
                     <urn1:issuerFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</urn1:issuerFormat>
                     <urn1:issuer>CN=SAML User,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</urn1:issuer>
                     <urn1:conditions>
                        <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
                        <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
                     </urn1:conditions>
                     <urn1:accessConsentPolicy>Claim-Ref-1234</urn1:accessConsentPolicy>
                     <urn1:instanceAccessConsentPolicy>Claim-Instance-1</urn1:instanceAccessConsentPolicy>
                  </urn1:assertion>
               </urn1:evidence>
            </urn1:samlAuthzDecisionStatement>
         </urn:assertion>

Assertion block to SAML assertions

...

mapping

Assertion block | SAML assertion | Notes
<urn1:homeCommunity>
   <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description>
   <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId>
   <urn1:name>LOCAL-HC-NAME</urn1:name>
</urn1:homeCommunity>
<saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xsi:type="xsd:string">LOCAL-HCID</saml2:AttributeValue>
Per testing with PD, <description> and <name> in this location do not get used
<urn1:userInfo>
   <urn1:personName>
      <urn1:familyName>USER-FAMILY-NAME</urn1:familyName>
      <urn1:givenName>USER-FIRST-NAME</urn1:givenName>
      <urn1:nameType>
         <urn1:code>NAME-TYPE</urn1:code>
      </urn1:nameType>
      <urn1:secondNameOrInitials>INITIALS</urn1:secondNameOrInitials>
      <urn1:fullName>USER-FIRST-NAME + USER-FAMILY-NAME</urn1:fullName>
      <urn1:prefix>USER-PREFIX</urn1:prefix>
   </urn1:personName>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xsi:type="xsd:string">USER-FIRST-NAME INITIALS USER-FAMILY-NAME</saml2:AttributeValue>
Per testing with PD, <nameType>, <fullName>, and <prefix> in this location do not get used
<urn1:userName>DN=USERNAME</urn1:userName> | N/A | Per testing with PD, this does not get used
<urn1:org>
   <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description>
   <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId>
   <urn1:name>LOCAL-HC-NAME</urn1:name>
</urn1:org>

<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xsi:type="xsd:string">LOCAL-HC-NAME</saml2:AttributeValue>

and

<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xsi:type="xsd:string">LOCAL-HCID</saml2:AttributeValue>
</saml2:Attribute>

Per testing with PD, <description> in this location does not get used
<urn1:roleCoded>
   <urn1:code>ROLE-CODE</urn1:code>
   <urn1:codeSystemVersion>CODE-SYSTEM-VERSION</urn1:codeSystemVersion>
   <urn1:displayName>ROLE-DISPLAY-NAME</urn1:displayName>
   <urn1:originalText>ROLE-ORIGINAL-TEXT</urn1:originalText>
</urn1:roleCoded>

<saml2:AttributeValue>
<hl7:Role xmlns:hl7="urn:hl7-org:v3" code="ROLE-CODE" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="ROLE-DISPLAY-NAME" xsi:type="hl7:CE"/>
</saml2:AttributeValue>

Per testing with PD, <codeSystemVersion> and <originalText> in this location do not get used
<urn1:authorized>AUTHORIZED</urn1:authorized> | N/A | Per testing with PD, this does not get used, so it has no effect on the outgoing assertion
<urn1:purposeOfDisclosureCoded>
   <urn1:code>PURPOSE-CODE</urn1:code>
   <urn1:displayName>PURPOSE-DISPLAY-NAME</urn1:displayName>
   <urn1:originalText>PURPOSE-ORIGINAL-TEXT</urn1:originalText>
</urn1:purposeOfDisclosureCoded>
<hl7:PurposeOfUse xmlns:hl7="urn:hl7-org:v3" code="PURPOSE-CODE" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="PURPOSE-DISPLAY-NAME" xsi:type="hl7:CE"/> | Per testing with PD, <originalText> in this location does not get used
<urn1:samlConditions>
      <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
      <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
 </urn1:samlConditions>
 <saml2:Conditions NotBefore="2018-04-20T16:26:34.545Z" NotOnOrAfter="2018-04-20T16:31:34.546Z"/>

Note: the sample output above does not carry the 2009 dates from the assertion block; it shows a roughly five-minute window dated at generation time, so the samlConditions values appear not to be passed through as-is. Confirm this against the gateway version in use before relying on caller-supplied validity dates.
<urn1:samlAuthnStatement>
   <urn1:authInstant>DATE</urn1:authInstant>
   <urn1:sessionIndex>SESSION-INDEX</urn1:sessionIndex>
   <urn1:authContextClassRef>AUTH-CONTEXT-CLASS-REF</urn1:authContextClassRef>
   <urn1:subjectLocalityAddress>SUBJECT-LOCALITY-ADDRESS</urn1:subjectLocalityAddress>
   <urn1:subjectLocalityDNSName>SUBJECT-LOCALITY-DNS-NAME</urn1:subjectLocalityDNSName>
</urn1:samlAuthnStatement>
<saml2:AuthnStatement AuthnInstant="DATE" SessionIndex="SESSION-INDEX">
<saml2:SubjectLocality Address="SUBJECT-LOCALITY-ADDRESS" DNSName="SUBJECT-LOCALITY-DNS-NAME"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>AUTH-CONTEXT-CLASS-REF</saml2:AuthnContextClassRef>
</saml2:AuthnContext>

Per testing with PD:

  • <authInstant> is re-serialized into the outgoing assertion with a millisecond component (example: 2009-09-16T13:15:39Z becomes 2009-09-16T13:15:39.000Z), so do not compare the outgoing value byte-for-byte against the input
  • <authContextClassRef> must be a valid value such as urn:oasis:names:tc:SAML:2.0:ac:classes:X509
<urn1:samlAuthzDecisionStatement>
   <urn1:decision>Permit</urn1:decision>
   <urn1:resource>https://1.1.1.1:8181/SamlReceiveService/SamlProcessWS</urn1:resource>
   <urn1:action>TestSaml</urn1:action>
   <urn1:evidence>
      <urn1:assertion>
         <urn1:id>40df7c0a-ff3e-4b26-baeb-f2910f6d05a9</urn1:id>
         <urn1:issueInstant>2009-04-16T13:10:39.093Z</urn1:issueInstant>
         <urn1:version>2.0</urn1:version>
         <urn1:issuerFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</urn1:issuerFormat>
         <urn1:issuer>CN=SAML User,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</urn1:issuer>
         <urn1:conditions>
            <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
            <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
         </urn1:conditions>
         <urn1:accessConsentPolicy>Claim-Ref-1234</urn1:accessConsentPolicy>
         <urn1:instanceAccessConsentPolicy>Claim-Instance-1</urn1:instanceAccessConsentPolicy>
      </urn1:assertion>
   </urn1:evidence>
</urn1:samlAuthzDecisionStatement>


Code Block
<!-- Sample AuthzDecisionStatement as emitted in the outgoing NHIN SAML assertion (the saml2/xsi/xsd prefixes are declared on the
     enclosing assertion, outside this fragment). Per the notes below, only the evidence assertion's ID, Issuer, AccessConsentPolicy
     and InstanceAccessConsentPolicy come from the caller's assertion block; Decision, Resource and Action are not taken from it. -->
<saml2:AuthzDecisionStatement Decision="Permit" Resource="https://localhost:8181/Gateway/PatientDiscovery/1_0/NhinService/NhinPatientDiscovery">
	<!-- Differs from the assertion block's "TestSaml" action and 1.1.1.1 resource: these values are not caller-controlled. -->
	<saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
	<saml2:Evidence>
		<!-- ID is the caller's UUID with a leading "_" added (an xs:ID must be an NCName and cannot start with a digit). -->
		<saml2:Assertion ID="_40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0" xsi:type="saml2:AssertionType">
			<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</saml2:Issuer>
			<!-- Holder-of-key confirmation: the subject (CN=localhost) is bound to the RSA public key carried in KeyInfo.
			     NOTE(review): this looks like sample key material from a local test setup - confirm it is never reused outside tests. -->
			<saml2:Subject>
				<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=localhost</saml2:NameID>
				<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
					<saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
						<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
							<ds:KeyValue>
								<ds:RSAKeyValue>
									<ds:Modulus>klxn1s9sGSmeIBAsedBAou6o5h0cjtJswTeSk2ucOClZk+LiDNOAb18xSBUx2ogmuYpV4U7rD3LOYEydZJO26ID5THDP7l1++5p61Dn0pm+ewB13ZGkujfTN8oURYX++
bjMU9cjqmDa6cNGnH4yqbzs+4DY8P8VyE9p4esjclZ8=</ds:Modulus>
									<ds:Exponent>AQAB</ds:Exponent>
								</ds:RSAKeyValue>
							</ds:KeyValue>
						</ds:KeyInfo>
					</saml2:SubjectConfirmationData>
				</saml2:SubjectConfirmation>
			</saml2:Subject>
			<!-- NotOnOrAfter differs from the 2009-12-31 value in the caller's evidence conditions, consistent with the
			     conditions not being passed through from the assertion block. -->
			<saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2018-03-30T22:12:49.713Z"/>
			<!-- The caller's consent policy values are emitted with a "urn:oid:" prefix; Claim-Ref-1234 and Claim-Instance-1 are
			     placeholders, not OIDs, so a consumer that validates the OID form would reject these sample values. -->
			<saml2:AttributeStatement>
				<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
					<saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Ref-1234</saml2:AttributeValue>
				</saml2:Attribute>
				<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
					<saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Instance-1</saml2:AttributeValue>
				</saml2:Attribute>
			</saml2:AttributeStatement>
		</saml2:Assertion>
	</saml2:Evidence>
</saml2:AuthzDecisionStatement>


Based on testing with the CONNECT policy engine adapter, only the following elements are required for an AuthzDecisionStatement to be present in the outgoing SAML assertion:

  • AuthzDecisionStatement
  • AuthzDecisionStatement/evidence
  • AuthzDecisionStatement/evidence/assertion
  • Either accessConsentPolicy or instanceAccessConsentPolicy

Dates must be valid xs:dateTime-style values (for example 2009-04-16T13:10:39.093Z); otherwise an exception is thrown.

Only the following values from the samlAuthzDecisionStatement block are passed through the adapter into the outgoing NHIN SAML assertion:

  • assertion ID
  • issuer
  • accessConsentPolicy
  • instanceAccessConsentPolicy

In the sample output above, the Decision, Resource, Action, Subject (holder-of-key KeyInfo) and evidence Conditions therefore do not come from the caller's assertion block (compare the caller's 1.1.1.1/TestSaml resource and action with the localhost Gateway resource and Execute action shown), so they should not be treated as caller-asserted. Note also that the consent policy values are emitted with a urn:oid: prefix, so a placeholder such as Claim-Ref-1234 is not a valid OID-form value.

...