Overview
SAML assertions identify the user making a request and assert that the user is authorized to make it. Building the SAML assertion is a key step in how CONNECT processes messages. This guide explains how to create and populate the entity assertion block that CONNECT uses to generate the SAML assertions for outbound messaging.
Assertion block template
<urn:assertion>
  <urn1:homeCommunity>
    <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description>
    <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId>
    <urn1:name>LOCAL-HC-NAME</urn1:name>
  </urn1:homeCommunity>
  <urn1:userInfo>
    <urn1:personName>
      <urn1:familyName>USER-FAMILY-NAME</urn1:familyName>
      <urn1:givenName>USER-FIRST-NAME</urn1:givenName>
      <urn1:nameType>
        <urn1:code>NAME-TYPE</urn1:code>
      </urn1:nameType>
      <urn1:secondNameOrInitials>INITIALS</urn1:secondNameOrInitials>
      <urn1:fullName>USER-FIRST-NAME + USER-FAMILY-NAME</urn1:fullName>
      <urn1:prefix>USER-PREFIX</urn1:prefix>
    </urn1:personName>
    <urn1:userName>DN=USERNAME</urn1:userName>
    <urn1:org>
      <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description>
      <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId>
      <urn1:name>LOCAL-HC-NAME</urn1:name>
    </urn1:org>
    <urn1:roleCoded>
      <urn1:code>ROLE-CODE</urn1:code>
      <urn1:codeSystemVersion>CODE-SYSTEM-VERSION</urn1:codeSystemVersion>
      <urn1:displayName>ROLE-DISPLAY-NAME</urn1:displayName>
      <urn1:originalText>ROLE-ORIGINAL-TEXT</urn1:originalText>
    </urn1:roleCoded>
  </urn1:userInfo>
  <urn1:authorized>AUTHORIZED</urn1:authorized>
  <urn1:purposeOfDisclosureCoded>
    <urn1:code>PURPOSE-CODE</urn1:code>
    <urn1:displayName>PURPOSE-DISPLAY-NAME</urn1:displayName>
    <urn1:originalText>PURPOSE-ORIGINAL-TEXT</urn1:originalText>
  </urn1:purposeOfDisclosureCoded>
  <urn1:samlConditions>
    <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
    <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
  </urn1:samlConditions>
  <urn1:samlAuthnStatement>
    <urn1:authInstant>DATE</urn1:authInstant>
    <urn1:sessionIndex>SESSION-INDEX</urn1:sessionIndex>
    <urn1:authContextClassRef>AUTH-CONTEXT-CLASS-REF</urn1:authContextClassRef>
    <urn1:subjectLocalityAddress>SUBJECT-LOCALITY-ADDRESS</urn1:subjectLocalityAddress>
    <urn1:subjectLocalityDNSName>SUBJECT-LOCALITY-DNS-NAME</urn1:subjectLocalityDNSName>
  </urn1:samlAuthnStatement>
  <urn1:samlAuthzDecisionStatement>
    <urn1:decision>Permit</urn1:decision>
    <urn1:resource>https://1.1.1.1:8181/SamlReceiveService/SamlProcessWS</urn1:resource>
    <urn1:action>TestSaml</urn1:action>
    <urn1:evidence>
      <urn1:assertion>
        <urn1:id>40df7c0a-ff3e-4b26-baeb-f2910f6d05a9</urn1:id>
        <urn1:issueInstant>2009-04-16T13:10:39.093Z</urn1:issueInstant>
        <urn1:version>2.0</urn1:version>
        <urn1:issuerFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</urn1:issuerFormat>
        <urn1:issuer>CN=SAML User,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</urn1:issuer>
        <urn1:conditions>
          <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
          <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
        </urn1:conditions>
        <urn1:accessConsentPolicy>Claim-Ref-1234</urn1:accessConsentPolicy>
        <urn1:instanceAccessConsentPolicy>Claim-Instance-1</urn1:instanceAccessConsentPolicy>
      </urn1:assertion>
    </urn1:evidence>
  </urn1:samlAuthzDecisionStatement>
</urn:assertion>
Assertion block to SAML assertions mapping
Assertion block | SAML assertion | Notes
---|---|---
<urn1:homeCommunity> <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description> <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId> <urn1:name>LOCAL-HC-NAME</urn1:name> </urn1:homeCommunity> | <saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xsd:string">LOCAL-HCID</saml2:AttributeValue> </saml2:Attribute> | Per testing with PD, <description> and <name> in this location do not get used |
<urn1:userInfo> <urn1:personName> <urn1:familyName>USER-FAMILY-NAME</urn1:familyName> <urn1:givenName>USER-FIRST-NAME</urn1:givenName> <urn1:nameType> <urn1:code>NAME-TYPE</urn1:code> </urn1:nameType> <urn1:secondNameOrInitials>INITIALS</urn1:secondNameOrInitials> <urn1:fullName>USER-FIRST-NAME + USER-FAMILY-NAME</urn1:fullName> <urn1:prefix>USER-PREFIX</urn1:prefix> </urn1:personName> | <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xsd:string">USER-FIRST-NAME INITIALS USER-FAMILY-NAME</saml2:AttributeValue> </saml2:Attribute> | Per testing with PD, <nameType>, <fullName>, and <prefix> in this location do not get used |
<urn1:userName>DN=USERNAME</urn1:userName> | N/A | Per testing with PD, this does not get used |
<urn1:org> <urn1:description>LOCAL-HC-DESCRIPTION</urn1:description> <urn1:homeCommunityId>LOCAL-HCID</urn1:homeCommunityId> <urn1:name>LOCAL-HC-NAME</urn1:name> </urn1:org> | <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xsd:string">LOCAL-HC-NAME</saml2:AttributeValue> </saml2:Attribute> and <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xsd:string">LOCAL-HCID</saml2:AttributeValue> </saml2:Attribute> | Per testing with PD, <description> in this location does not get used |
<urn1:roleCoded> <urn1:code>ROLE-CODE</urn1:code> <urn1:codeSystemVersion>CODE-SYSTEM-VERSION</urn1:codeSystemVersion> <urn1:displayName>ROLE-DISPLAY-NAME</urn1:displayName> <urn1:originalText>ROLE-ORIGINAL-TEXT</urn1:originalText> </urn1:roleCoded> | <saml2:AttributeValue> <hl7:Role xmlns:hl7="urn:hl7-org:v3" code="ROLE-CODE" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="ROLE-DISPLAY-NAME" xsi:type="hl7:CE"/> </saml2:AttributeValue> | Per testing with PD, <codeSystemVersion> and <originalText> in this location do not get used |
<urn1:authorized>AUTHORIZED</urn1:authorized> | N/A | Per testing with PD, this does not get used |
<urn1:purposeOfDisclosureCoded> <urn1:code>PURPOSE-CODE</urn1:code> <urn1:displayName>PURPOSE-DISPLAY-NAME</urn1:displayName> <urn1:originalText>PURPOSE-ORIGINAL-TEXT</urn1:originalText> </urn1:purposeOfDisclosureCoded> | <hl7:PurposeOfUse xmlns:hl7="urn:hl7-org:v3" code="PURPOSE-CODE" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="PURPOSE-DISPLAY-NAME" xsi:type="hl7:CE"/> | Per testing with PD, <originalText> in this location does not get used |
<urn1:samlConditions> <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:samlConditions> | <saml2:Conditions NotBefore="2018-04-20T16:26:34.545Z" NotOnOrAfter="2018-04-20T16:31:34.546Z"/> | The request dates are not carried over as-is; see the validation tables below for the generation rules |
<urn1:samlAuthnStatement> <urn1:authInstant>DATE</urn1:authInstant> <urn1:sessionIndex>SESSION-INDEX</urn1:sessionIndex> <urn1:authContextClassRef>AUTH-CONTEXT-CLASS-REF</urn1:authContextClassRef> <urn1:subjectLocalityAddress>SUBJECT-LOCALITY-ADDRESS</urn1:subjectLocalityAddress> <urn1:subjectLocalityDNSName>SUBJECT-LOCALITY-DNS-NAME</urn1:subjectLocalityDNSName> </urn1:samlAuthnStatement> | <saml2:AuthnStatement AuthnInstant="DATE" SessionIndex="SESSION-INDEX"> <saml2:SubjectLocality Address="SUBJECT-LOCALITY-ADDRESS" DNSName="SUBJECT-LOCALITY-DNS-NAME"/> <saml2:AuthnContext> <saml2:AuthnContextClassRef>AUTH-CONTEXT-CLASS-REF</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> | Per testing with PD: (1) the <authInstant> date value format gets altered somewhat (example: 2009-09-16T13:15:39Z becomes 2009-09-16T13:15:39.000Z); (2) <authContextClassRef> must be a valid value such as urn:oasis:names:tc:SAML:2.0:ac:classes:X509 |
<urn1:samlAuthzDecisionStatement> <urn1:decision>Permit</urn1:decision> <urn1:resource>https://1.1.1.1:8181/SamlReceiveService/SamlProcessWS</urn1:resource> <urn1:action>TestSaml</urn1:action> <urn1:evidence> <urn1:assertion> <urn1:id>40df7c0a-ff3e-4b26-baeb-f2910f6d05a9</urn1:id> <urn1:issueInstant>2009-04-16T13:10:39.093Z</urn1:issueInstant> <urn1:version>2.0</urn1:version> <urn1:issuerFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</urn1:issuerFormat> <urn1:issuer>CN=SAML User,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</urn1:issuer> <urn1:conditions> <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:conditions> <urn1:accessConsentPolicy>Claim-Ref-1234</urn1:accessConsentPolicy> <urn1:instanceAccessConsentPolicy>Claim-Instance-1</urn1:instanceAccessConsentPolicy> </urn1:assertion> </urn1:evidence> </urn1:samlAuthzDecisionStatement> |
<saml2:AuthzDecisionStatement Decision="Permit" Resource="https://localhost:8181/Gateway/PatientDiscovery/1_0/NhinService/NhinPatientDiscovery">
  <saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
  <saml2:Evidence>
    <saml2:Assertion ID="_40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0" xsi:type="saml2:AssertionType">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</saml2:Issuer>
      <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=localhost</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
          <saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:KeyValue>
                <ds:RSAKeyValue>
                  <ds:Modulus>klxn1s9sGSmeIBAsedBAou6o5h0cjtJswTeSk2ucOClZk+LiDNOAb18xSBUx2ogmuYpV4U7rD3LOYEydZJO26ID5THDP7l1++5p61Dn0pm+ewB13ZGkujfTN8oURYX++
bjMU9cjqmDa6cNGnH4yqbzs+4DY8P8VyE9p4esjclZ8=</ds:Modulus>
                  <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
              </ds:KeyValue>
            </ds:KeyInfo>
          </saml2:SubjectConfirmationData>
        </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2018-03-30T22:12:49.713Z"/>
      <saml2:AttributeStatement>
        <saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
          <saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Ref-1234</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
          <saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Instance-1</saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>
    </saml2:Assertion>
  </saml2:Evidence>
</saml2:AuthzDecisionStatement>
| Based on testing with the CONNECT policy engine adapter, only the following are required for an AuthzDecisionStatement to be present in the outgoing SAML assertion:
- AuthzDecisionStatement
- AuthzDecisionStatement/evidence
- AuthzDecisionStatement/evidence/assertion
- either accessConsentPolicy or instanceAccessConsentPolicy
Dates must be in valid formats or an exception is thrown. Only the following values are passed all the way through the adapter to the outgoing NHIN SAML assertion:
- assertion ID
- issuer
- accessConsentPolicy
- instanceAccessConsentPolicy
|
SAML and ACP/IACP validation
The following PatientDiscovery request was used to capture the results below.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:urn="urn:hl7-org:v3" xmlns:urn1="urn:gov:hhs:fha:nhinc:common:nhinccommon" xmlns:add="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <soap:Header/>
  <soap:Body testSuite="Entity_g1" testCase="Patient Discovery">
    <urn:RespondingGateway_PRPA_IN201305UV02Request>
      <urn:PRPA_IN201305UV02 ITSVersion="XML_1.0">
        <urn:id root="1.1" extension="-5a3e95b1:11d1fa33d45:-7f9b"/>
        <urn:creationTime value="20091116084800"/>
        <urn:interactionId root="2.16.840.1.113883.1.6" extension="PRPA_IN201305UV02"/>
        <urn:processingCode code="T"/>
        <urn:processingModeCode code="T"/>
        <urn:acceptAckCode code="AL"/>
        <urn:receiver typeCode="RCV">
          <urn:device classCode="DEV" determinerCode="INSTANCE">
            <urn:id root="1.2.345.678.999"/>
            <urn:asAgent classCode="AGNT">
              <urn:representedOrganization classCode="ORG" determinerCode="INSTANCE">
                <urn:id root="${#Project#RemoteHCID}"/>
              </urn:representedOrganization>
            </urn:asAgent>
          </urn:device>
        </urn:receiver>
        <urn:sender typeCode="SND">
          <urn:device classCode="DEV" determinerCode="INSTANCE">
            <urn:id root="1.2.345.678.999"/>
            <urn:asAgent classCode="AGNT">
              <urn:representedOrganization classCode="ORG" determinerCode="INSTANCE">
                <urn:id root="${#Project#LocalHCID}"/>
              </urn:representedOrganization>
            </urn:asAgent>
          </urn:device>
        </urn:sender>
        <urn:controlActProcess classCode="CACT" moodCode="EVN">
          <urn:authorOrPerformer typeCode="AUT">
            <urn:assignedDevice>
              <urn:id root="${#Project#LocalAA}"/>
            </urn:assignedDevice>
          </urn:authorOrPerformer>
          <urn:queryByParameter>
            <urn:queryId root="${#Project#LocalHCID}" extension="-abd3453dcd24wkkks545"/>
            <urn:statusCode code="new"/>
            <urn:responseModalityCode code="R"/>
            <urn:responsePriorityCode code="I"/>
            <urn:matchCriterionList>
              <urn:matchAlgorithm>
                <urn:value>"XYZ MatchAlgorithm"</urn:value>
                <urn:semanticsText>MatchAlgorithm</urn:semanticsText>
              </urn:matchAlgorithm>
              <urn:minimumDegreeMatch>
                <urn:value type="INT" value="99"/>
                <urn:semanticsText>MinimumDegreeMatch</urn:semanticsText>
              </urn:minimumDegreeMatch>
            </urn:matchCriterionList>
            <urn:parameterList>
              <urn:livingSubjectAdministrativeGender>
                <urn:value code="${#Project#Gender}"/>
                <urn:semanticsText representation="TXT">LivingSubject.administrativeGender</urn:semanticsText>
              </urn:livingSubjectAdministrativeGender>
              <urn:livingSubjectBirthTime>
                <urn:value value="${#Project#BirthTime}"/>
                <urn:semanticsText representation="TXT">LivingSubject.birthTime</urn:semanticsText>
              </urn:livingSubjectBirthTime>
              <urn:livingSubjectName>
                <urn:value>
                  <urn:family partType="FAM">${#Project#FamilyName}</urn:family>
                  <urn:given partType="GIV">${#Project#GivenName}</urn:given>
                </urn:value>
                <urn:semanticsText representation="TXT">LivingSubject.name</urn:semanticsText>
              </urn:livingSubjectName>
              <urn:livingSubjectId>
                <urn:value root="${#Project#LocalAA}" extension="${#Project#SubjectID}"/>
                <urn:semanticsText representation="TXT"/>
              </urn:livingSubjectId>
            </urn:parameterList>
          </urn:queryByParameter>
        </urn:controlActProcess>
      </urn:PRPA_IN201305UV02>
      <urn:assertion>
        <urn1:homeCommunity>
          <urn1:description>${#Project#LocalHCDescription}</urn1:description>
          <urn1:homeCommunityId>${#Project#LocalHCID}</urn1:homeCommunityId>
          <urn1:name>${#Project#LocalHCDescription}</urn1:name>
        </urn1:homeCommunity>
        <urn1:userInfo>
          <urn1:personName>
            <urn1:familyName>Anderson</urn1:familyName>
            <urn1:givenName>Wilma</urn1:givenName>
            <urn1:nameType>
              <urn1:code>G</urn1:code>
            </urn1:nameType>
            <urn1:secondNameOrInitials>WA</urn1:secondNameOrInitials>
            <urn1:fullName>Wilma Anderson</urn1:fullName>
            <urn1:prefix>Mrs</urn1:prefix>
          </urn1:personName>
          <urn1:userName>wanderson</urn1:userName>
          <urn1:org>
            <urn1:description>${#Project#LocalHCDescription}</urn1:description>
            <urn1:homeCommunityId>${#Project#LocalHCID}</urn1:homeCommunityId>
            <urn1:name>${#Project#LocalHCDescription}</urn1:name>
          </urn1:org>
          <urn1:roleCoded>
            <urn1:code>307969004</urn1:code>
            <urn1:codeSystemVersion>1.0</urn1:codeSystemVersion>
            <urn1:displayName>Public Health</urn1:displayName>
            <urn1:originalText>Public Health</urn1:originalText>
          </urn1:roleCoded>
        </urn1:userInfo>
        <urn1:authorized>true</urn1:authorized>
        <urn1:purposeOfDisclosureCoded>
          <urn1:code>PUBLICHEALTH</urn1:code>
          <urn1:displayName>Use or disclosure of Psychotherapy Notes</urn1:displayName>
          <urn1:originalText>Use or disclosure of Psychotherapy Notes</urn1:originalText>
        </urn1:purposeOfDisclosureCoded>
        <urn1:samlConditions>
          <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
          <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
        </urn1:samlConditions>
        <urn1:samlAuthnStatement>
          <urn1:authInstant>2009-04-16T13:15:39Z</urn1:authInstant>
          <urn1:sessionIndex>987</urn1:sessionIndex>
          <urn1:authContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</urn1:authContextClassRef>
          <urn1:subjectLocalityAddress>1.1.1.1</urn1:subjectLocalityAddress>
          <urn1:subjectLocalityDNSName>connectopensource.org</urn1:subjectLocalityDNSName>
        </urn1:samlAuthnStatement>
        <urn1:samlAuthzDecisionStatement>
          <urn1:decision>Permit</urn1:decision>
          <urn1:resource>https://1.1.1.1:8181/SamlReceiveService/SamlProcessWS</urn1:resource>
          <urn1:action>TestSaml</urn1:action>
          <urn1:evidence>
            <urn1:assertion>
              <urn1:id>40df7c0a-ff3e-4b26-baeb-f2910f6d05a9</urn1:id>
              <urn1:issueInstant>2009-04-16T13:10:39.093Z</urn1:issueInstant>
              <urn1:version>2.0</urn1:version>
              <urn1:issuerFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</urn1:issuerFormat>
              <urn1:issuer>CN=SAML User,OU=connect,O=FHA,L=Melbourne,ST=FL,C=US</urn1:issuer>
              <urn1:conditions>
                <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore>
                <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter>
              </urn1:conditions>
              <urn1:accessConsentPolicy>Claim-Ref-1234</urn1:accessConsentPolicy>
              <urn1:instanceAccessConsentPolicy>Claim-Instance-1</urn1:instanceAccessConsentPolicy>
            </urn1:assertion>
          </urn1:evidence>
        </urn1:samlAuthzDecisionStatement>
      </urn:assertion>
      <urn:NhinTargetCommunities>
        <urn1:nhinTargetCommunity>
          <urn1:homeCommunity>
            <urn1:description>${#Project#RemoteHCDescription}</urn1:description>
            <urn1:homeCommunityId>${#Project#RemoteHCID}</urn1:homeCommunityId>
            <urn1:name>${#Project#RemoteHCDescription}</urn1:name>
          </urn1:homeCommunity>
        </urn1:nhinTargetCommunity>
      </urn:NhinTargetCommunities>
    </urn:RespondingGateway_PRPA_IN201305UV02Request>
  </soap:Body>
</soap:Envelope>
CONNECT 5.1.1
enableConditionsDefaultValue=true
Set enableConditionsDefaultValue=true in saml.properties file.
# | Top-level samlConditions | Request Status | Comments
---|---|---|---
1 | samlConditions is missing | Success | No samlConditions are generated in the outgoing message |
2 | The following samlConditions are present in the request: <urn1:samlConditions> <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:samlConditions> | Success | Before the request is sent to the responding gateway, both dates are rewritten: <saml2:Conditions NotBefore="2018-04-24T14:25:31.318Z" NotOnOrAfter="2018-04-24T14:30:31.323Z"/>. Rules for generating NotBefore and NotOnOrAfter: (1) NotBefore = current date-time, always; (2) NotOnOrAfter = current date-time + 5 minutes |
3 | notBefore or notOnOrAfter is missing | Success | No samlConditions are generated in the outgoing message |
4 | notBefore is after notOnOrAfter: <urn1:samlConditions> <urn1:notBefore>2018-04-23T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:samlConditions> | Success | Correct samlConditions are generated in the outgoing message: <saml2:Conditions NotBefore="2018-04-23T17:26:26.454Z" NotOnOrAfter="2018-04-23T17:31:26.454Z"/>. Note: same rules as #2 |
ACP/IACP Evidence Conditions | | |
5 | evidence → assertion → conditions is missing | Success | No NotBefore or NotOnOrAfter conditions are generated |
6 | The following evidence → assertion → conditions are present: <urn1:evidence> <urn1:assertion> .. <urn1:issueInstant>2018-04-16T13:10:39.093Z</urn1:issueInstant> <urn1:conditions> <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:conditions> <urn1:accessConsentPolicy>Claim-Ref-1234</urn1:accessConsentPolicy> <urn1:instanceAccessConsentPolicy>Claim-Instance-1</urn1:instanceAccessConsentPolicy> </urn1:assertion> </urn1:evidence> | Success | <saml2:Evidence> <saml2:Assertion ID="_40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2018-04-16T13:10:39.093Z" Version="2.0" xsi:type="saml2:AssertionType"> .. <saml2:Conditions NotBefore="2018-04-16T13:10:39.093Z" NotOnOrAfter="2018-04-24T14:47:59.728Z"/> <saml2:AttributeStatement> <saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin"> <saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Ref-1234</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin"> <saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Instance-1</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2:Evidence>
Rules for generating NotBefore: (1) NotBefore = issueInstant, if NotBefore is a past date and is before issueInstant in the request; (2) NotBefore is left unchanged, if NotBefore is a past date but is after issueInstant in the request; (3) NotBefore = current date-time, if NotBefore is a past date and is equal to issueInstant; (4) NotBefore = current date-time, if NotBefore is a future date, whether issueInstant is before or after it in the request.
Rules for generating NotOnOrAfter: (1) NotOnOrAfter = issueInstant + 5 minutes, if NotOnOrAfter is before the current date-time + 5 minutes and is before issueInstant; (2) NotOnOrAfter = current date-time + 5 minutes, if NotOnOrAfter is before the current date-time + 5 minutes and is after issueInstant; (3) in all other cases NotOnOrAfter remains unchanged. |
7 | notBefore and/or notOnOrAfter are missing | Success | No samlConditions are generated in the outgoing message |
8 | notBefore is after notOnOrAfter: <urn1:evidence> <urn1:assertion> .. <urn1:conditions> <urn1:notBefore>2018-04-16T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:conditions> </urn1:assertion> </urn1:evidence> | Success | Correct samlConditions are generated in the outgoing message: <saml2:Conditions NotBefore="2018-04-16T13:10:39.093Z" NotOnOrAfter="2018-04-23T18:34:25.237Z"/>. Note: refer to the rules listed in #6 |
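The following Python is an added example, not CONNECT's own code: it models the NotBefore/NotOnOrAfter rules from the two tables above (and the pass-through behaviour the next table reports for enableConditionsDefaultValue=false), together with the window check the responding gateway applies, so a captured outgoing message can be compared against what the rules predict. The current time is injected as a parameter; all input dates are constructed from the values used in the tables.

```python
"""Reference model of the SAML Conditions handling tabulated on this page.

Added example; this is not CONNECT's own code. It encodes the rules exactly as
the tables state them, with `now` passed in explicitly so results are
deterministic and can be compared against captured outgoing messages.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FIVE_MIN = timedelta(minutes=5)


@dataclass(frozen=True)
class Conditions:
    not_before: datetime
    not_on_or_after: datetime


def parse_ts(text: str) -> datetime:
    """Parse an xsd:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def fmt_ts(dt: datetime) -> str:
    """Render in the millisecond form the outgoing assertion carries
    (the mapping table notes 2009-09-16T13:15:39Z becomes 2009-09-16T13:15:39.000Z)."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def outgoing_top_level(not_before: Optional[datetime],
                       not_on_or_after: Optional[datetime],
                       now: datetime,
                       enable_conditions_default: bool) -> Optional[Conditions]:
    """Top-level <samlConditions> as emitted by the initiating gateway.

    enableConditionsDefaultValue=true (cases 1-4): absent or incomplete
    conditions are dropped; present ones are replaced by [now, now + 5 min]
    whatever the request said.  With the property false the table reports a
    failure for stale dates (case 2) and regeneration for an inverted window
    (case 4); the model therefore passes the dates through unchanged unless
    NotBefore is after NotOnOrAfter.
    """
    if not_before is None or not_on_or_after is None:
        return None                                    # cases 1 and 3: nothing emitted
    if enable_conditions_default or not_before > not_on_or_after:
        return Conditions(now, now + FIVE_MIN)         # cases 2 and 4
    return Conditions(not_before, not_on_or_after)     # property false, case 2: as-is


def outgoing_evidence(not_before: Optional[datetime],
                      not_on_or_after: Optional[datetime],
                      issue_instant: datetime,
                      now: datetime) -> Optional[Conditions]:
    """Evidence -> Assertion -> Conditions with enableConditionsDefaultValue=true
    (cases 5-8), following the NotBefore and NotOnOrAfter rules listed under case 6."""
    if not_before is None or not_on_or_after is None:
        return None                                    # cases 5 and 7
    if not_before >= now:
        nb = now                                       # NotBefore rule 4: future date
    elif not_before < issue_instant:
        nb = issue_instant                             # rule 1: past, before issueInstant
    elif not_before > issue_instant:
        nb = not_before                                # rule 2: past, after issueInstant
    else:
        nb = now                                       # rule 3: past, equal to issueInstant
    if not_on_or_after >= now + FIVE_MIN:
        noa = not_on_or_after                          # NotOnOrAfter rule 3: unchanged
    elif not_on_or_after < issue_instant:
        noa = issue_instant + FIVE_MIN                 # rule 1
    else:
        noa = now + FIVE_MIN                           # rule 2 (equality with issueInstant is
                                                       # not covered by the table; grouped here)
    return Conditions(nb, noa)


def responder_accepts(cond: Optional[Conditions], now: datetime) -> bool:
    """Responding-gateway view: NotBefore <= now < NotOnOrAfter must hold, which is
    what SamlAssertionWrapper.checkConditions enforces before raising the
    'SAML token security failure' shown in the second table.  Real validators may
    also allow a small clock-skew tolerance; none is modelled here."""
    if cond is None:
        return True                                    # no Conditions element: nothing to check
    return cond.not_before <= now < cond.not_on_or_after


if __name__ == "__main__":
    # Constructed walk-through using the request dates from the tables above.
    now = parse_ts("2018-04-24T14:25:31.318Z")
    nb, noa = parse_ts("2009-04-16T13:10:39.093Z"), parse_ts("2009-12-31T12:00:00.000Z")
    for flag in (True, False):
        c = outgoing_top_level(nb, noa, now, flag)
        print(f"enableConditionsDefaultValue={str(flag).lower()}: "
              f"NotBefore={fmt_ts(c.not_before)} NotOnOrAfter={fmt_ts(c.not_on_or_after)} "
              f"accepted={responder_accepts(c, now)}")
```

For case 6 the NotOnOrAfter rule as written yields issueInstant + 5 minutes while the captured output shows the current time + 5 minutes; the model follows the rule text, so compare against your own captures before relying on either.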
enableConditionsDefaultValue=false
Set enableConditionsDefaultValue=false in gateway.properties file.
# | Top-level samlConditions | Request Status | Comments
---|---|---|---
1 | samlConditions is missing | Success | No samlConditions are generated in the outgoing message |
2 | NotBefore is in the past: <urn1:samlConditions> <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:samlConditions> | Failure | The request fails at the responding gateway with the exception below.
2018-04-23 14:43:25,332 WARN [org.apache.cxf.phase.PhaseInterceptorChain] (default task-21) Interceptor for {urn:ihe:iti:xcpd:2009}RespondingGateway_Service#{urn:ihe:iti:xcpd:2009}RespondingGateway_PRPA_IN201305UV02 has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML token security failure
at org.apache.wss4j.common.saml.SamlAssertionWrapper.checkConditions(SamlAssertionWrapper.java:809) [wss4j-ws-security-common-2.1.8.jar:2.1.8]
at org.apache.wss4j.dom.validate.SamlAssertionValidator.checkConditions(SamlAssertionValidator.java:230) [wss4j-ws-security-dom-2.1.8.jar:2.1.8]
at gov.hhs.fha.nhinc.callback.cxf.CONNECTSamlAssertionValidator.validate(CONNECTSamlAssertionValidator.java:257) [CONNECTCoreLib-5.1.1.jar:]
In the PD case, a detectedIssueEvent is generated:
<reasonOf>
  <detectedIssueEvent classCode="ALRT" moodCode="EVN">
    <code code="ActAdministrativeDetectedIssueCode" codeSystem="2.16.840.1.113883.5.4"/>
    <text>A security error was encountered when verifying the message</text>
    <mitigatedBy typeCode="MITGT">
      <detectedIssueManagement classCode="ACT" moodCode="EVN">
        <code code="AnswerNotAvailable" codeSystem="1.3.6.1.4.1.19376.1.2.27.3"/>
        <text representation="TXT">AnswerNotAvailable</text>
      </detectedIssueManagement>
    </mitigatedBy>
  </detectedIssueEvent>
</reasonOf>
|
3 | notBefore or notOnOrAfter is missing | Success | No samlConditions are generated in the outgoing message |
4 | notBefore is after notOnOrAfter: <urn1:samlConditions> <urn1:notBefore>2018-04-23T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:samlConditions> | Success | Correct samlConditions are generated in the outgoing message: <saml2:Conditions NotBefore="2018-04-23T17:26:26.454Z" NotOnOrAfter="2018-04-23T17:31:26.454Z"/>. Rules for generating NotBefore and NotOnOrAfter: (1) NotBefore = current date-time, always; (2) NotOnOrAfter = current date-time + 5 minutes |
ACP/IACP Evidence Conditions | | |
5 | evidence → assertion → conditions is missing | Success | No samlConditions are generated in the outgoing message |
6 | NotBefore is a past date: <urn1:evidence> <urn1:assertion> .. <urn1:conditions> <urn1:notBefore>2009-04-16T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:conditions> </urn1:assertion> </urn1:evidence> | Failure | The request fails at the responding gateway with the exception below.
2018-04-23 14:43:25,332 WARN [org.apache.cxf.phase.PhaseInterceptorChain] (default task-21) Interceptor for {urn:ihe:iti:xcpd:2009}RespondingGateway_Service#{urn:ihe:iti:xcpd:2009}RespondingGateway_PRPA_IN201305UV02 has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:248) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:77) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:167) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML token security failure
at org.apache.wss4j.common.saml.SamlAssertionWrapper.checkConditions(SamlAssertionWrapper.java:809) [wss4j-ws-security-common-2.1.8.jar:2.1.8]
at org.apache.wss4j.dom.validate.SamlAssertionValidator.checkConditions(SamlAssertionValidator.java:230) [wss4j-ws-security-dom-2.1.8.jar:2.1.8]
at gov.hhs.fha.nhinc.callback.cxf.CONNECTSamlAssertionValidator.validate(CONNECTSamlAssertionValidator.java:257) [CONNECTCoreLib-5.1.1.jar:]
at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:162) [wss4j-ws-security-dom-2.1.8.jar:2.1.8]
at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:89) [wss4j-ws-security-dom-2.1.8.jar:2.1.8]
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344) [wss4j-ws-security-dom-2.1.8.jar:2.1.8]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:268) [cxf-rt-ws-security-3.1.9.jar:3.1.9]
... 40 more
In the case of Patient Discovery (PD), a detectedIssueEvent is generated:
<reasonOf>
<detectedIssueEvent classCode="ALRT" moodCode="EVN">
<code code="ActAdministrativeDetectedIssueCode" codeSystem="2.16.840.1.113883.5.4"/>
<text>A security error was encountered when verifying the message</text>
<mitigatedBy typeCode="MITGT">
<detectedIssueManagement classCode="ACT" moodCode="EVN">
<code code="AnswerNotAvailable" codeSystem="1.3.6.1.4.1.19376.1.2.27.3"/>
<text representation="TXT">AnswerNotAvailable</text>
</detectedIssueManagement>
</mitigatedBy>
</detectedIssueEvent>
</reasonOf>
|
7 | When notBefore or notOnOrAfter is missing | Success | No samlConditions are generated in the outgoing message. |
8 | When notBefore is a current or future date: <urn1:evidence> <urn1:assertion> <urn1:issueInstant>2009-04-16T13:10:39.093Z</urn1:issueInstant> <urn1:conditions> <urn1:notBefore>2018-04-25T13:10:39.093Z</urn1:notBefore> <urn1:notOnOrAfter>2009-12-31T12:00:00.000Z</urn1:notOnOrAfter> </urn1:conditions> <urn1:accessConsentPolicy>Claim-Ref-1234</urn1:accessConsentPolicy> <urn1:instanceAccessConsentPolicy>Claim-Instance-1</urn1:instanceAccessConsentPolicy> </urn1:assertion> </urn1:evidence> | Success | <saml2:Evidence> <saml2:Assertion ID="_40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0" xsi:type="saml2:AssertionType"> <saml2:Conditions NotBefore="2018-04-24T16:16:42.134Z" NotOnOrAfter="2018-04-24T16:21:42.134Z"/> <saml2:AttributeStatement> <saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin"> <saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Ref-1234</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin"> <saml2:AttributeValue xsi:type="xsd:string">urn:oid:Claim-Instance-1</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2:Evidence>
Rules for generating NotBefore: (1) NotBefore = issueInstant, if NotBefore is a past date and NotBefore is before issueInstant in the request; (2) NotBefore = NotBefore (unchanged), if NotBefore is a past date but after issueInstant in the request; (3) NotBefore = current date time, if NotBefore is a past date and NotBefore = issueInstant; (4) NotBefore = current date time, if NotBefore is a future date, whether issueInstant is before or after NotBefore in the request. Rules for generating NotOnOrAfter: (1) NotOnOrAfter = issueInstant.plusMinutes(5), if NotOnOrAfter is before current date time plus 5 minutes and is before issueInstant; (2) NotOnOrAfter = now.plusMinutes(5), if NotOnOrAfter is before current date time plus 5 minutes and is after issueInstant; (3) in all other cases, NotOnOrAfter remains unchanged. |
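The evidence-level NotBefore / NotOnOrAfter rules from scenarios 7 and 8 above, written out as an added Python example (not CONNECT's own code). Function and helper names are assumptions; `now` is passed in explicitly so the scenario 8 output can be reproduced exactly.

```python
from datetime import datetime, timedelta, timezone

FIVE_MINUTES = timedelta(minutes=5)

def parse_utc(ts):
    """Parse the xsd:dateTime form used in the assertion block (UTC, 'Z' suffix)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)

def fmt_utc(dt):
    """Render a datetime with millisecond precision, as the gateway output shows."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (dt.microsecond // 1000)

def evidence_conditions(not_before, not_on_or_after, issue_instant, now):
    """Apply the evidence NotBefore / NotOnOrAfter rules (scenarios 7 and 8).

    Returns None when either bound is missing (no saml2:Conditions is emitted),
    otherwise a (NotBefore, NotOnOrAfter) pair of aware datetimes.
    """
    if not not_before or not not_on_or_after:
        return None
    nb, noa, issued = parse_utc(not_before), parse_utc(not_on_or_after), parse_utc(issue_instant)
    # NotBefore: past dates are clamped to issueInstant or kept; current/future -> now
    if nb < now:
        if nb < issued:
            new_nb = issued        # rule 1
        elif nb > issued:
            new_nb = nb            # rule 2: left as sent
        else:
            new_nb = now           # rule 3: equals issueInstant
    else:
        new_nb = now               # rule 4: current or future date
    # NotOnOrAfter: too-short windows are extended to a 5-minute validity window
    if noa < now + FIVE_MINUTES:
        if noa < issued:
            new_noa = issued + FIVE_MINUTES   # rule 1
        elif noa > issued:
            new_noa = now + FIVE_MINUTES      # rule 2
        else:
            new_noa = noa   # equal to issueInstant: not listed, so rule 3 (unchanged) applies
    else:
        new_noa = noa                          # rule 3
    return new_nb, new_noa

def conditions_element(nb, noa):
    """Render the saml2:Conditions element as it appears in the outgoing message."""
    return '<saml2:Conditions NotBefore="%s" NotOnOrAfter="%s"/>' % (fmt_utc(nb), fmt_utc(noa))

if __name__ == "__main__":
    # Scenario 8 input, with "now" fixed to the timestamp visible in the page's output
    now = parse_utc("2018-04-24T16:16:42.134Z")
    result = evidence_conditions("2018-04-25T13:10:39.093Z", "2009-12-31T12:00:00.000Z",
                                 "2009-04-16T13:10:39.093Z", now)
    print(conditions_element(*result))
```

The equal-to-issueInstant case for NotOnOrAfter is not covered by rules 1 and 2 on the page, so it falls through to "unchanged" here; check the gateway build you run if that edge matters to you.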
Data samples
Data field | Description | Sample |
---|---|---|
LOCAL-HCID | The Home Community ID (an Object Identifier) assigned to the NHIO that is initiating the request, using the urn format (that is, “urn:oid:” appended with the OID). | urn:oid:1.2.3.4 |
USER-FIRST-NAME | This element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:subject-id”. The name of the user as required by HIPAA Privacy Disclosure Accounting shall be placed in the value of the element. (Keep in mind that the term “subject” in SAML and XACML refers to the individual making the request; in this specification, the term “User” is generally used with the same meaning, but when referring to attributes defined in SAML or XACML, the naming convention of the standard is retained.) The Nationwide Health Information Network uses the XSPA namespace for subject-id attribute. The primary purpose of this identifier is for display and logging. This XSPA identifier should not be confused with the subject-id identifier from the XACML namespace identifier which is intended for a different purpose. | John |
INITIALS | This element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:subject-id”. The name of the user as required by HIPAA Privacy Disclosure Accounting shall be placed in the value of the element. (Keep in mind that the term “subject” in SAML and XACML refers to the individual making the request; in this specification, the term “User” is generally used with the same meaning, but when referring to attributes defined in SAML or XACML, the naming convention of the standard is retained.) The Nationwide Health Information Network uses the XSPA namespace for subject-id attribute. The primary purpose of this identifier is for display and logging. This XSPA identifier should not be confused with the subject-id identifier from the XACML namespace identifier which is intended for a different purpose. | M |
USER-LAST-NAME | This element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:subject-id”. The name of the user as required by HIPAA Privacy Disclosure Accounting shall be placed in the value of the element. (Keep in mind that the term “subject” in SAML and XACML refers to the individual making the request; in this specification, the term “User” is generally used with the same meaning, but when referring to attributes defined in SAML or XACML, the naming convention of the standard is retained.) The Nationwide Health Information Network uses the XSPA namespace for subject-id attribute. The primary purpose of this identifier is for display and logging. This XSPA identifier should not be confused with the subject-id identifier from the XACML namespace identifier which is intended for a different purpose. | Smith |
LOCAL-HC-NAME | In plain text, the organization that the user belongs to as required by HIPAA Privacy Disclosure Accounting | MyHealth HIE |
ROLE-CODE | This element shall have the Name attribute set to “urn:oasis:names:tc:xacml:2.0:subject:role”. The value of the element is a child element, “Role”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The codeSystem is defined to be “2.16.840.1.113883.6.96” and the codeSystemName is defined to be “SNOMED_CT”. The Role element shall contain the SNOMED CT value representing the role that the user is playing when making the request. The value set to be used is “User Role” with the OID 2.16.840.1.113883.3.18.6.1.156. An example of the syntax of this element is as follows: as defined in HITSP C80. | 307969004 |
ROLE-DISPLAY-NAME | This element shall have the Name attribute set to “urn:oasis:names:tc:xacml:2.0:subject:role”. The value of the element is a child element, “Role”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The codeSystem is defined to be “2.16.840.1.113883.6.96” and the codeSystemName is defined to be “SNOMED_CT”. The Role element shall contain the SNOMED CT value representing the role that the user is playing when making the request. The value set to be used is “User Role” with the OID 2.16.840.1.113883.3.18.6.1.156. An example of the syntax of this element is as follows: as defined in HITSP C80. | Public Health |
PURPOSE-CODE | This element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:purposeofuse”. The value of the element is a child element, “PurposeOfUse”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The PurposeOfUse element shall contain the coded representation of the reason for the request. | PUBLICHEALTH |
PURPOSE-DISPLAY-NAME | This element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:purposeofuse”. The value of the element is a child element, “PurposeOfUse”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The PurposeOfUse element shall contain the coded representation of the reason for the request. | Use or disclosure of Psychotherapy Notes |
DATE | The AuthnInstant attribute (required) specifies the time at which the authentication took place. | 2009-04-16T13:15:39Z |
SESSION-INDEX | The SessionIndex attribute (optional) identifies the session between the Subject and the Authentication Authority. | 987 |
AUTH-CONTEXT-CLASS-REF | How that authentication was done. Note that the authentication statement does not provide the means to perform that authentication, such as a password, key, or certificate. This element will contain an authentication context class reference. Available authentication methods and their corresponding URNs are listed in https://sequoiaproject.org/wp-content/uploads/2014/11/nhin-authorization-framework-production-specification-v3.0.pdf starting at the bottom of page 19. | urn:oasis:names:tc:SAML:2.0:ac:classes:X509 |
SUBJECT-LOCALITY-ADDRESS | The IP address for the system entity that was authenticated | 112.16.133.144 |
SUBJECT-LOCALITY-DNS-NAME | The DNS domain name for the system entity that was authenticated | connectopensource.org |
notBefore and notOnOrAfter | At the top level (directly under <assertion>) this pair specifies the valid date range for the entire assertion. At the ACP/IACP level it specifies the valid date range for the actual patient consent. | 2009-04-16T13:15:39Z |