
SAML Assertion Overview

The ETS federates identities by issuing ELGA assertions on the basis of external or local identity assertions that were issued by trusted external identity providers. Examples are the issuing of an ELGA HCP assertion based on a local identity assertion, and of ELGA User I or Mandate I assertions based on a Bürgerkartenumgebung assertion (BKUA) presented by the EBP. For ZGF-to-ZGF communication the ETS issues Treatment assertions for every domain (Bereich) that is contacted. Treatment assertions are issued, for example, on the basis of HCP, User I or Mandate I assertions and also carry parts of the individual citizen policies (Bürgerpolicies).

The following table lists all assertions issued by the BeS.

ELGA Assertion                | Subject Confirmation | AuthnContext ClassRef | Validity period | PurposeOfUse      | Renewable
------------------------------|----------------------|-----------------------|-----------------|-------------------|--------------
HCP                           | bearer               | PreviousSession       | 4 hours         | PUBLICHEALTH      | 1 x
User I                        | sender-vouches       | PreviousSession       | 20 minutes      | REQUEST           | 2 x
Mandate I, OBST/eHS Mandate   | sender-vouches       | PreviousSession       | 20 minutes      | MANDATE           | 2 x
Service                       | bearer               | PreviousSession       | 1 hour          | SERVICE           | 1 x
ZGF Service                   | bearer               | PreviousSession       | 4 hours         | ZGF_SERVICE       | 1 x
WIST                          | bearer               | PreviousSession       | 4 hours         | WIST              | not renewable
WIST Mandate                  | sender-vouches       | PreviousSession       | 5 minutes       | WIST_MANDATE      | not renewable
Treatment                     | sender-vouches       | PreviousSession       | 5 minutes       | TREATMENT         | not renewable
User II                       | sender-vouches       | PreviousSession       | 5 minutes       | REQUEST2          | not renewable
Mandate II                    | sender-vouches       | PreviousSession       | 5 minutes       | MANDATE2          | not renewable
eMedTreatment                 | sender-vouches       | PreviousSession       | 5 minutes       | EMED_ID           | not renewable
Community Assertion           | sender-vouches       | PreviousSession       | 5 minutes       | LOCAL_REQUEST     | not renewable
Treatment Update              | sender-vouches       | PreviousSession       | 5 minutes       | TREATMENT_DOC_UPD | not renewable

Data elements: overview of ELGA assertions

The Purpose Of Use values used in ELGA are an extension of those provided by OASIS XSPA. The cardinality of an assertion attribute is always 1, with the exception of the attributes "Permissions" and "AudienceRestriction", whose cardinality is n.

ELGA Assertion               | WS Trust TokenType                            | ELGA Assertion Type
-----------------------------|-----------------------------------------------|--------------------
HCP                          | urn:elga:bes:2013:HCP:assertion               | Login
User I                       | urn:elga:bes:2013:user:assertion:1            | Login
Mandate I                    | urn:elga:bes:2013:mandate:assertion:1         | Login
Service                      | urn:elga:bes:2013:service:assertion           | Login
ZGF Service                  | urn:elga:bes:2013:service:assertion:zgf       | Login
WIST                         | urn:elga:bes:2013:WIST:assertion              | Login
WIST Mandate                 | urn:elga:bes:2013:mandate:assertion:WIST      | Login
Treatment & Treatment Update | urn:elga:bes:2013:treatment:assertion         | Treatment
User II                      | urn:elga:bes:2013:user:assertion:2            | Treatment
Mandate II                   | urn:elga:bes:2013:mandate:assertion:2         | Treatment
eMedTreatment                | urn:elga:bes:2013:treatment:emed:id:assertion | Treatment
Community Assertion          | not issued via WS Trust                       | Community

Data elements: overview of ELGA assertion types

Figure: Assertions overview

General Assertion Validation Semantics

  • Every service that receives a SAML assertion in the SOAP Security header applies this validation semantics.
  • The XML of the SAML assertion is checked for well-formedness (SAML 2.0 Core schema validation).
  • The elements of the SAML assertion are checked for presence as required by the SAML specification (SAML 2.0 Core specification validation).
  • The signature of the assertion is verified according to W3C XMLDSig.
  • The public key of the assertion's issuer must be known to the validating party.
  • Conditions (SAML Conditions):
    • the date values NotBefore and NotOnOrAfter are checked;
    • it is checked that the addressed service is contained in the AudienceRestriction.

Service                      | AudienceRestriction
-----------------------------|---------------------------------------
ETS                          | https://elga-online.at/ETS
KBS                          | https://elga-online.at/KBS
PAP                          | https://elga-online.at/PAP
AARR                         | https://elga-online.at/A2R2
CDM                          | https://elga-online.at/CDM
General Policy Administrator | https://elga-online.at/administration

Table: AudienceRestrictions

  • Only for ELGA Login assertions:
    • it is checked that the received assertion is still valid and has not been marked as invalid.

WS Trust Lifetime in RST Requests (Optional)

To influence the lifetime of an issued assertion, an RST client may pass the WS Trust element "wst:Lifetime" to the ETS in a WS Trust RST Issue transaction. The lifetime defined by the values "wsu:Created" and "wsu:Expires" must be less than or equal to the configured maximum lifetime of the respective assertion (see SAML Assertion Overview). If the maximum lifetime is exceeded, or if the values "wsu:Created" or "wsu:Expires" lie outside a configured maximum tolerance relative to the current time, a "wst:InvalidTimeRange" SOAP fault is returned.

If no "wst:Lifetime" element is given, the assertion is issued with its configured validity period starting at the current time. If no "wsu:Created" element is given, the current time is used. If no "wsu:Expires" element is given, the configured lifetime is used. "Postdated tokens" (wsu:Created in the future) are not supported by the ETS.

See also: WS Trust 1.4 - wst:RequestSecurityToken/wst:Lifetime, wst:RequestSecurityToken/wst:Lifetime/wsu:Created, wst:RequestSecurityToken/wst:Lifetime/wsu:Expires
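The lifetime negotiation described above, as an added Python example (not ETS code and not from the page): it resolves the effective Created/Expires pair for an RST Issue request the way the text prescribes and maps every rejection to the wst:InvalidTimeRange fault. The per-TokenType maxima are copied from the SAML Assertion Overview table; CLOCK_TOLERANCE, make_rst, check_lifetime and the constructed sample request are this example's own assumptions.

```python
"""wst:Lifetime handling for a WS Trust RST Issue request.

Added example, not ETS code. Assumptions not stated on the page: MAX_LIFETIME
is copied from the SAML Assertion Overview table, CLOCK_TOLERANCE is a locally
chosen value (the page only says the tolerance is configurable), and the fault
is modelled as an exception carrying the wst:InvalidTimeRange code.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

MAX_LIFETIME = {
    "urn:elga:bes:2013:HCP:assertion": timedelta(hours=4),
    "urn:elga:bes:2013:user:assertion:1": timedelta(minutes=20),
    "urn:elga:bes:2013:mandate:assertion:1": timedelta(minutes=20),
    "urn:elga:bes:2013:service:assertion": timedelta(hours=1),
    "urn:elga:bes:2013:service:assertion:zgf": timedelta(hours=4),
    "urn:elga:bes:2013:treatment:assertion": timedelta(minutes=5),
}
CLOCK_TOLERANCE = timedelta(minutes=2)  # assumed value


class InvalidTimeRange(ValueError):
    """Raised where the ETS would answer with the wst:InvalidTimeRange SOAP fault."""
    fault_code = "wst:InvalidTimeRange"


def utc(*parts):
    """Shorthand for an aware UTC datetime, e.g. utc(2014, 3, 1, 10, 0)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_wsu_time(text):
    """Parse a wsu:Created / wsu:Expires value (xsd:dateTime, UTC, 'Z' suffix)."""
    text = text.strip()
    if not text.endswith("Z"):
        raise InvalidTimeRange("wsu timestamps must be UTC with a 'Z' suffix")
    return datetime.fromisoformat(text[:-1]).replace(tzinfo=timezone.utc)


def make_rst(token_type, created=None, expires=None):
    """Build a constructed RST Issue request, optionally carrying a wst:Lifetime."""
    lifetime = ""
    if created or expires:
        parts = "".join(
            f"<wsu:{tag}>{value.strftime('%Y-%m-%dT%H:%M:%S.000Z')}</wsu:{tag}>"
            for tag, value in (("Created", created), ("Expires", expires)) if value)
        lifetime = f"<wst:Lifetime>{parts}</wst:Lifetime>"
    return (f'<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsu="{WSU}">'
            f"<wst:RequestType>{WST}/Issue</wst:RequestType>"
            f"<wst:TokenType>{token_type}</wst:TokenType>{lifetime}"
            "</wst:RequestSecurityToken>")


def resolve_lifetime(rst_xml, now=None):
    """Return (created, expires) for the assertion to issue, or raise InvalidTimeRange.

    Rules from the text: a missing wst:Lifetime, wsu:Created or wsu:Expires falls
    back to the current time / the configured maximum; the requested range must
    not exceed the maximum for the TokenType; wsu:Created must lie within the
    clock tolerance of the current time and never in the future (postdated
    tokens are not supported).
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(rst_xml)
    token_type = root.findtext(f"{{{WST}}}TokenType", default="").strip()
    if token_type not in MAX_LIFETIME:
        raise InvalidTimeRange(f"no configured lifetime for TokenType {token_type!r}")
    max_life = MAX_LIFETIME[token_type]

    created = expires = None
    lifetime = root.find(f".//{{{WST}}}Lifetime")
    if lifetime is not None:
        c = lifetime.find(f"{{{WSU}}}Created")
        e = lifetime.find(f"{{{WSU}}}Expires")
        created = parse_wsu_time(c.text) if c is not None else None
        expires = parse_wsu_time(e.text) if e is not None else None
    created = created or now
    expires = expires or created + max_life

    if created > now:
        raise InvalidTimeRange("postdated token: wsu:Created lies in the future")
    if now - created > CLOCK_TOLERANCE:
        raise InvalidTimeRange("wsu:Created is outside the clock tolerance")
    if expires <= created:
        raise InvalidTimeRange("wsu:Expires must be later than wsu:Created")
    if expires - created > max_life:
        raise InvalidTimeRange(
            f"requested lifetime exceeds the maximum of {max_life} for {token_type}")
    return created, expires


def check_lifetime(rst_xml, now=None):
    """Result dict instead of an exception, for callers that map results to SOAP faults."""
    try:
        created, expires = resolve_lifetime(rst_xml, now)
        return {"ok": True, "created": created, "expires": expires}
    except InvalidTimeRange as exc:
        return {"ok": False, "fault": exc.fault_code, "reason": str(exc)}


if __name__ == "__main__":
    now = utc(2014, 3, 1, 10, 0, 30)
    hcp = "urn:elga:bes:2013:HCP:assertion"
    print(check_lifetime(make_rst(hcp, utc(2014, 3, 1, 10, 0), utc(2014, 3, 1, 12, 0)), now))
    print(check_lifetime(make_rst(hcp, utc(2014, 3, 1, 10, 0), utc(2014, 3, 1, 15, 0)), now))
```

Note that the tolerance is applied to wsu:Created only: once Created is pinned close to the server clock, bounding Expires - Created by the configured maximum also bounds Expires relative to the current time, which is the behaviour the text describes.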

External Identity Assertions

All assertions that were not issued by the ETS and on whose basis new ELGA identity assertions are issued are called external identity assertions. Examples are the local identity assertion of an ELGA domain IdP (Bereichs-IdP), presented to obtain an HCP assertion, and Bürgerkartenumgebung assertions presented by the EBP to obtain User I or Mandate I assertions. The general trust relationship between the ETS and the external IdPs is established through a dedicated truststore in JKS format, which is administered by the operations provider (Betriebsdienstleister). The certificate chains of the respective trusted IdPs are stored in this truststore. A revocation list, likewise maintained by the operations provider, can also be kept in order to dissolve existing trust relationships.

Identity Assertion

The Identity Assertion (IDA) is passed to the ETS in the Security header of the RST Issue transaction in order to request ELGA assertions. The IDA was issued by an external trusted IdP and contains identity attributes of the ELGA user.

To ensure compatibility with existing IHE systems, an IHE XUA++ assertion is used as the basis for the IDA (for details see (IHE, 2013)).

The mandatory attributes must be present in transmitted identity assertions exactly as in the example (see Identity Assertion).

Assertion: Identity Assertion (IDA.xml)

Data elements of the Identity Assertion

Element                       | Opt | Usage convention
------------------------------|-----|--------------------------------------------------------------------------
@Version                      | R   | MUST be "2.0"
@ID                           | R   | SAML assertion identifier, NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant                 | R   | Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer                        | R   | Address URI that identifies the endpoint of the issuing service; the unique URI of the remote STS used by the GDA.
Subject                       | R   |
  NameID                      | R   | Identifier of the user (e.g. the name of the physician)
    @Format                   | R   | "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  SubjectConfirmation         | R   |
    @Method                   | R   | "urn:oasis:names:tc:SAML:2.0:cm:bearer"
    SubjectConfirmationData   | X   | Not present
Conditions                    | R   |
  @NotBefore                  | R   | Time instant from which the assertion is usable; set to the issue instant
  @NotOnOrAfter               | R   | Time instant at which the assertion expires; set to 4 hours
  AudienceRestriction         | R   | List of audiences, i.e. the contexts (services) for which the STS issued the assertion. The Identity Assertion is used only with the ETS (https://elga-online.at/ETS).
AuthnStatement                | R   |
  @AuthnInstant               | R   | Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
  AuthnContext                | R   |
    AuthnContextClassRef      | R   | urn:oasis:names:tc:SAML:2.0:ac:classes.* (pattern: any SAML 2.0 authentication context class)
AttributeStatement            | R   | HCP identity attributes and permissions (see: Attributes of the Identity Assertion)
ds:Signature                  | R   | Enveloped XML signature of the issuer of the Identity Assertion

Data elements: Identity Assertion

Attributes of the Identity Assertion

Identity subject name
  FriendlyName: XSPA Subject
  Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  Values: Human-readable name of the acting healthcare professional
  Type: String
Healthcare Professional Organisation
  FriendlyName: XSPA Organization
  Name: urn:oasis:names:tc:xspa:1.0:subject:organization
  Values: Name of the GDA
  Type: String
Healthcare Professional Organisation ID
  FriendlyName: XSPA Organization Id
  Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
  Values: URN-encoded OID of the GDA. This value must be known to the GDA Index.
  Type: URI
ELGA OID Issuing Authority
  FriendlyName: ELGA OID Issuing Authority
  Name: urn:elga:bes:2013:OIDIssuingAuthority
  Values: OID of the ELGA GDA OrganizationID issuing authority. This value must be known to the GDA Index.
  Type: URI

Data elements: Identity Assertion attributes

Identity Assertion Validation and Mandatory Attributes

The following checks are performed when an Identity Assertion is received as the basis for issuing an HCP assertion.

  • General assertion validation semantics.
  • Presence of the mandatory attributes:
    • the XSPA attribute urn:oasis:names:tc:xacml:1.0:subject:subject-id is expected to carry the name of the requester;
    • because the SAML2 attribute urn:elga:bes:2013:OIDIssuingAuthority is used together with urn:oasis:names:tc:xspa:1.0:subject:organization-id to verify the requesting GDA against the GDA Index, it must be present in all identity assertions issued by external trusted IdPs.
  • The SAML condition AudienceRestriction must contain the value https://elga-online.at/ETS. This value marks an IDA as ELGA-relevant and may be set by the local IdP only for authorised ELGA users.

During identification and validation of the assertion, the following data elements of the IDA are checked:

Element                | Attribute            | Check
-----------------------|----------------------|----------------------------------------------------
CanonicalizationMethod | Algorithm            | = http://www.w3.org/2001/10/xml-exc-c14n#
SignatureMethod        | Algorithm            | = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DigestMethod           | Algorithm            | = http://www.w3.org/2001/04/xmlenc#sha256
AuthnStatement         | AuthnContextClassRef | = urn:oasis:names:tc:SAML:2.0:ac:classes.*
SubjectConfirmation    | Method               | = urn:oasis:names:tc:SAML:2.0:cm:bearer
AudienceRestriction    | Audience             | = https://elga-online.at/ETS

Data elements: checks on the assertion elements of the IDA

During identification and validation of the assertion, the following attributes of the IDA are additionally checked:

Attribute                                           | FriendlyName      | Check
----------------------------------------------------|-------------------|--------
urn:elga:bes:2013:OIDIssuingAuthority               | XSPA Organization | != NULL
urn:oasis:names:tc:xacml:1.0:subject:subject-id     | UserID            | != NULL
urn:oasis:names:tc:xspa:1.0:subject:organization-id | OrganizationID    | != NULL

Data elements: checks on the assertion attributes of the IDA
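The general assertion validation semantics and the IDA element and attribute checks above, as one added Python example (not ETS code and not from the page). validate_ida, sample_ida, KNOWN_ISSUERS and the placeholder issuer URL, OIDs and signature value are this example's own. The cryptographic XMLDSig verification is assumed to have been done by an XML-signature library before this function runs; the block checks everything the tables list around it: the algorithm identifiers in the signature, the validity window, the ETS audience, the confirmation method, the authentication context class and the mandatory attributes.

```python
"""Structural validation of an inbound Identity Assertion (IDA).

Added example, not ETS code. Assumptions: trust in an issuer is modelled as
membership in KNOWN_ISSUERS (the issuers whose certificate chains the
truststore holds); the XMLDSig signature itself was verified earlier by an
XML-signature library; the sample assertion is constructed with placeholders.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML, DS = "urn:oasis:names:tc:SAML:2.0:assertion", "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DS}
EXC_C14N, RSA_SHA256, SHA256 = ("http://www.w3.org/2001/10/xml-exc-c14n#",
                                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                                "http://www.w3.org/2001/04/xmlenc#sha256")
BEARER, ETS_AUDIENCE = "urn:oasis:names:tc:SAML:2.0:cm:bearer", "https://elga-online.at/ETS"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ORG_ID = "urn:oasis:names:tc:xspa:1.0:subject:organization-id"
OID_ISSUING_AUTHORITY = "urn:elga:bes:2013:OIDIssuingAuthority"
IDA_REQUIRED = (SUBJECT_ID, ORG_ID, OID_ISSUING_AUTHORITY)
AUTHN_CLASS = re.compile(r"^urn:oasis:names:tc:SAML:2\.0:ac:classes:\S+$")
KNOWN_ISSUERS = {"https://idp.bereich.example/sts"}  # assumed trusted issuer (placeholder)


def saml_time(text):
    """Parse yyyy-MM-ddTHH:mm:ss.fffZ into an aware UTC datetime."""
    return datetime.fromisoformat(text.strip().rstrip("Z")).replace(tzinfo=timezone.utc)


def attribute_values(assertion):
    """Map Attribute/@Name to its non-empty AttributeValue strings."""
    return {attr.get("Name"): [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                               if v.text and v.text.strip()]
            for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def validate_ida(xml_text, now, known_issuers=KNOWN_ISSUERS):
    """Return the list of failed checks; an empty list means the IDA is accepted."""
    a = ET.fromstring(xml_text)
    fails = []
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0" or not a.get("ID"):
        return ["not a SAML 2.0 Assertion with Version and ID"]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() not in known_issuers:
        fails.append("issuer is not in the truststore")
    sig = a.find("ds:Signature", NS)  # algorithm identifiers per the table; crypto was checked earlier
    if sig is None:
        fails.append("ds:Signature missing")
    else:
        for path, expected in (("ds:SignedInfo/ds:CanonicalizationMethod", EXC_C14N),
                               ("ds:SignedInfo/ds:SignatureMethod", RSA_SHA256),
                               ("ds:SignedInfo/ds:Reference/ds:DigestMethod", SHA256)):
            el = sig.find(path, NS)
            if el is None or el.get("Algorithm") != expected:
                fails.append(f"{path.rsplit('/', 1)[1]} Algorithm must be {expected}")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        fails.append("Conditions with NotBefore and NotOnOrAfter required")
    else:
        if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
            fails.append("assertion is outside its validity window")
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if ETS_AUDIENCE not in audiences:
            fails.append(f"AudienceRestriction must contain {ETS_AUDIENCE}")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        fails.append(f"SubjectConfirmation Method must be {BEARER}")
    elif sc.find("saml:SubjectConfirmationData", NS) is not None:
        fails.append("SubjectConfirmationData must not be present")
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=NS)
    if not AUTHN_CLASS.match(ctx.strip()):
        fails.append("AuthnContextClassRef must be a urn:oasis:names:tc:SAML:2.0:ac:classes value")
    attrs = attribute_values(a)
    fails += [f"mandatory attribute missing or NULL: {n}"for n in IDA_REQUIRED if not attrs.get(n)]
    return fails


def sample_ida(audience=ETS_AUDIENCE, with_oid_authority=True):
    """Constructed IDA for demonstration: placeholder issuer, OIDs and signature value."""
    oid_auth = (f'<saml:Attribute Name="{OID_ISSUING_AUTHORITY}"><saml:AttributeValue>urn:oid:1.2.3.4.5'
                '</saml:AttributeValue></saml:Attribute>') if with_oid_authority else ""
    return f'''<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" Version="2.0" ID="_ida-1" IssueInstant="2014-03-01T10:00:00.000Z">
  <saml:Issuer>https://idp.bereich.example/sts</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
    <ds:Reference URI="#_ida-1"><ds:DigestMethod Algorithm="{SHA256}"/><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Dr. Example</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}"/></saml:Subject>
  <saml:Conditions NotBefore="2014-03-01T10:00:00.000Z" NotOnOrAfter="2014-03-01T14:00:00.000Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-03-01T10:00:00.000Z"><saml:AuthnContext><saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{SUBJECT_ID}"><saml:AttributeValue>Dr. Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ORG_ID}"><saml:AttributeValue>urn:oid:1.2.3.4.5.678</saml:AttributeValue></saml:Attribute>{oid_auth}
  </saml:AttributeStatement></saml:Assertion>'''
```

The order of checks matters in practice: the signature must be verified before any other field is trusted, and the audience check is what stops an assertion scoped to another ELGA service from being replayed at the ETS. The same element checks apply to the e-card IDA, BKUA, BKUAM, WIST and ZGF variants below; only the expected AuthnContextClassRef and the attribute set differ.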

e-card Identity Assertion

In general, the process for requesting an HCP assertion is identical for e-card and non-e-card systems. Only the identity assertion carried in the SOAP Security header differs.

The following table defines the mapping of the attributes of an e-card ELGA authentication ticket (elga-auth 1.0) to the format of a local identity assertion as intended for ELGA.

Extracting the data from the e-card Identity Assertion

e-card element                             | ELGA IDA element                                               | Description
-------------------------------------------|----------------------------------------------------------------|------------------------------------------------------------
SAML attribute "VP_GDA_Mitarbeiter"        | XSPA Subject "urn:oasis:names:tc:xacml:1.0:subject:subject-id" | Name of the requesting user
e-card-specific value, inserted statically | IssuingAuthority "urn:elga:bes:2013:OIDIssuingAuthority"       | Authority that created the GDA in the GDA Index
SAML attribute "VP_Vertragspartnernummer"  | "urn:oasis:names:tc:xspa:1.0:subject:organization-id"          | OID of the treating GDA. The GDA is identified in the GDA Index by the IssuingAuthority (e-card-specific static value) and the VP_Vertragspartnernummer.

Data elements: HCP assertion via e-card Identity Assertion

During identification and validation of the assertion, the following data elements of the e-card IDA are checked:

Element                | Attribute            | Check
-----------------------|----------------------|----------------------------------------------------
CanonicalizationMethod | Algorithm            | = http://www.w3.org/2001/10/xml-exc-c14n#
SignatureMethod        | Algorithm            | = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DigestMethod           | Algorithm            | = http://www.w3.org/2001/04/xmlenc#sha256
AuthnStatement         | AuthnContextClassRef | = urn:oasis:names:tc:SAML:2.0:ac:classes.*
SubjectConfirmation    | Method               | = urn:oasis:names:tc:SAML:2.0:cm:bearer
AudienceRestriction    | Audience             | = https://elga-online.at/ETS

Data elements: checks on the assertion elements of the e-card IDA

During identification and validation of the assertion, the following attributes of the e-card IDA are additionally checked:

Attribute                | FriendlyName | Check
-------------------------|--------------|--------
VP_Vertragspartnernummer |              | != NULL
VP_GDA_Mitarbeiter       |              | != NULL

Data elements: checks on the assertion attributes of the e-card IDA

Bürgerkartenumgebung Assertion (BKUA)

After login at the BKU, the citizen portal (Bürgerportal) holds a SAML2 assertion issued by the BRZ SiteMinder. This assertion is passed to the ETS in the Security header of the RST Issue transaction in order to request an ELGA User I assertion. The BKUA was issued by a trusted IdP and contains identity attributes of the ELGA participant. For all subsequent transactions to the components of the BeS, the citizen portal must use the User I assertion. The data elements are defined in the PVP 2.1 specification (Pichler, 2013).

The bPK-GH must be present in the BKUA. In addition, the AuthnContextClassRef of the BKUA must be set to "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/2".

Assertion: Assertion of the Bürgerkartenumgebung (BKUA.xml)

During identification and validation of the assertion, the following data elements of the BKUA are checked:

Element                | Attribute            | Check
-----------------------|----------------------|----------------------------------------------------
CanonicalizationMethod | Algorithm            | = http://www.w3.org/2001/10/xml-exc-c14n#
SignatureMethod        | Algorithm            | = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DigestMethod           | Algorithm            | = http://www.w3.org/2001/04/xmlenc#sha256
AuthnStatement         | AuthnContextClassRef | = http://www.ref.gv.at/ns/names/agiz/pvp/secclass/2
SubjectConfirmation    | Method               | = urn:oasis:names:tc:SAML:2.0:cm:bearer
AudienceRestriction    | Audience             | = https://elga-online.at/ETS

Data elements: checks on the assertion elements of the BKUA

During identification and validation of the assertion, the following attributes of the BKUA are additionally checked:

Attribute                        | FriendlyName              | Check
---------------------------------|---------------------------|-------------------------------
urn:oid:2.5.4.42                 | GIVEN-NAME                | != NULL
urn:oid:1.2.40.0.10.2.1.1.149    | BPK                       | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.10 | PVP-VERSION               | = 2.1
urn:oid:1.2.40.0.10.2.1.1.261.20 | PRINCIPAL-NAME            | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.32 | EID-ISSUING-NATION        | = AT
urn:oid:1.2.40.0.10.2.1.1.261.34 | EID-SECTOR-FOR-IDENTIFIER | = urn:publicid:gv.at:cdid+GH
urn:oid:1.2.40.0.10.2.1.1.261.64 | EID-CCS-URL               | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.66 | EID-SIGNER-CERTIFICATE    | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.68 | MANDATE-TYPE              | = NULL

Data elements: checks on the assertion attributes of the BKUA

Note: for a successful assertion, in addition to the "!= NULL" checks on the attributes, a ZPI query is performed and the bPK-GH must exist in the Z-PI.

Bürgerkartenumgebung Mandate Assertion (BKUAM)

After login of an authorised representative (Bevollmächtigter) at the BKU, the portal holds a SAML2 assertion issued by the BRZ SiteMinder (BKUAM). This assertion is passed to the ETS in the Security header of the RST Issue transaction in order to request an ELGA Mandate I assertion. The BKUAM was issued by a trusted IdP and contains identity attributes, role attributes and the access type of the authorised ELGA participant, as well as identity and role attributes of the ELGA participant granting the mandate. For all subsequent transactions to the components of the BeS, the portal must use the Mandate I assertion.

The bPK-GH must be present in the BKUAM. In addition, the AuthnContextClassRef of the BKUAM must be set to "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/2", or to "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/3" for the OBST/eHS.

A new MANDATE-TYPE "ELGAVertretung" with OID 1.2.40.0.34.6.102 is introduced in the Stammzahlenregister for the representation of children under 14 years of age or persons under guardianship; it is admissible since BeS version 2.2 and is checked by the ETS.

Since PVP 2.1.2 the attribute "MANDATE-TYPE-OID" has been introduced. This value is present in the BKUAM since BeS 2.2. Besides ELGABilateral with OID 1.2.40.0.10.1.7.3.1.6, GeneralvollmachtBilateral with OID 1.2.40.0.10.1.7.3.1.1 is also permitted.

Assertion: Mandate Assertion of the Bürgerkartenumgebung (BKUAM.xml)

During identification and validation of the assertion, the following data elements of the BKUAM are checked:

Element                | Attribute            | Check
-----------------------|----------------------|----------------------------------------------------
CanonicalizationMethod | Algorithm            | = http://www.w3.org/2001/10/xml-exc-c14n#
SignatureMethod        | Algorithm            | = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DigestMethod           | Algorithm            | = http://www.w3.org/2001/04/xmlenc#sha256
AuthnStatement         | AuthnContextClassRef | = http://www.ref.gv.at/ns/names/agiz/pvp/secclass/2
SubjectConfirmation    | Method               | = urn:oasis:names:tc:SAML:2.0:cm:bearer
AudienceRestriction    | Audience             | = https://elga-online.at/ETS

Data elements: checks on the assertion elements of the BKUAM

During identification and validation of the assertion, the following attributes of the BKUAM are additionally checked:

Attribute                        | FriendlyName                | Check
---------------------------------|-----------------------------|------------------------------------------------------------------
urn:oid:2.5.4.42                 | GIVEN-NAME                  | != NULL
urn:oid:1.2.40.0.10.2.1.1.149    | BPK                         | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.10 | PVP-VERSION                 | = 2.1
urn:oid:1.2.40.0.10.2.1.1.261.20 | PRINCIPAL-NAME              | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.32 | EID-ISSUING-NATION          | = AT
urn:oid:1.2.40.0.10.2.1.1.261.34 | EID-SECTOR-FOR-IDENTIFIER   | = urn:publicid:gv.at:cdid+GH
urn:oid:1.2.40.0.10.2.1.1.261.64 | EID-CCS-URL                 | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.66 | EID-SIGNER-CERTIFICATE      | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.68 | MANDATE-TYPE                | = ELGABilateral || GeneralvollmachtBilateral || ELGAVertretung
urn:oid:1.2.40.0.10.2.1.1.261.98 | MANDATOR-NATURAL-PERSON-BPK | != NULL

Data elements: checks on the assertion attributes of the BKUAM

Note: for a successful assertion, in addition to the "!= NULL" checks on the attributes, a ZPI query is performed and the bPK-GH must exist in the Z-PI.

Bürgerkartenumgebung Mandate Assertion (BKUAM) - OBST/eHS

A further variant of the BKUAM is the OBST/eHS assertion. The ELGA ombudsman's office (ELGA-Ombudsstelle, OBST) and the eHealth service office (eHealth-Servicestelle, eHS) support ELGA participants in exercising and enforcing their rights in connection with ELGA and in matters of data protection.

During identification and validation of the assertion, the following data elements of the BKUAM are checked:

Element                | Attribute            | Check
-----------------------|----------------------|----------------------------------------------------
CanonicalizationMethod | Algorithm            | = http://www.w3.org/2001/10/xml-exc-c14n#
SignatureMethod        | Algorithm            | = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DigestMethod           | Algorithm            | = http://www.w3.org/2001/04/xmlenc#sha256
AuthnStatement         | AuthnContextClassRef | = http://www.ref.gv.at/ns/names/agiz/pvp/secclass/3
SubjectConfirmation    | Method               | = urn:oasis:names:tc:SAML:2.0:cm:bearer
AudienceRestriction    | Audience             | = https://elga-online.at/ETS

Data elements: checks on the assertion elements of the BKUAM (OBST/eHS)

During identification and validation of the assertion, the following attributes of the BKUAM are additionally checked:

Attribute                        | FriendlyName                 | Check
---------------------------------|------------------------------|---------------------------------------------------------------------------------------------------------------------
urn:oid:2.5.4.42                 | GIVEN-NAME                   | != NULL
urn:oid:1.2.40.0.10.2.1.1.149    | BPK                          | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.10 | PVP-VERSION                  | = 2.1
urn:oid:1.2.40.0.10.2.1.1.261.20 | PRINCIPAL-NAME               | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.32 | EID-ISSUING-NATION           | = AT
urn:oid:1.2.40.0.10.2.1.1.261.34 | EID-SECTOR-FOR-IDENTIFIER    | = urn:publicid:gv.at:cdid+GH
urn:oid:1.2.40.0.10.2.1.1.261.64 | EID-CCS-URL                  | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.66 | EID-SIGNER-CERTIFICATE       | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.68 | MANDATE-TYPE                 | = ELGA-Ombudsstelle || ELGA-Ombusstelle-TEST || eHealth-Servicestelle || eHealth-Servicestelle-TEST (depending on the environment)
urn:oid:1.2.40.0.10.2.1.1.261.86 | MANDATE-PROF-REP-OID         | = 1.2.40.0.34.3.1.3 || 1.2.40.0.34.3.1.1234 || urn:oid:1.2.40.0.34.3.1.3 || urn:oid:1.2.40.0.34.3.1.1234
urn:oid:1.2.40.0.10.2.1.1.261.88 | MANDATE-PROF-REP-DESCRIPTION | != NULL
urn:oid:1.2.40.0.10.2.1.1.261.98 | MANDATOR-NATURAL-PERSON-BPK  | != NULL

Data elements: checks on the assertion attributes of the BKUAM (OBST)

The OBST and the eHS are distinguished by the attribute urn:oid:1.2.40.0.10.2.1.1.261.68 (MANDATE-TYPE). For the OBST this attribute must contain the value ELGA-Ombudsstelle or ELGA-Ombusstelle-TEST; for the eHS it must contain the value eHealth-Servicestelle or eHealth-Servicestelle-TEST.
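The BKUA, BKUAM and OBST/eHS attribute tables above and the MANDATE-TYPE distinction between the two offices, combined into one profile-driven check, as an added Python example (not ETS code and not from the page). The rule markers, the PROD/TEST environment switch that selects the admissible MANDATE-TYPE values, profile, check_attributes, mandate_office and the constructed sample attribute maps are assumptions of this example; the Z-PI query for the bPK-GH that the notes above require is not included.

```python
"""Attribute rules for the BKUA, BKUAM and BKUAM (OBST/eHS) variants as one
rule table over the PVP 2.1 attributes.

Added example, not ETS code. Input is the attribute map already extracted from
the assertion (Name -> value; missing or None means NULL) plus the
AuthnContextClassRef as a pseudo-attribute; output is the list of failed rules.
The "PROD"/"TEST" switch and the sample maps are this example's assumptions.
"""
OID = "urn:oid:"
GIVEN_NAME = OID + "2.5.4.42"
BPK = OID + "1.2.40.0.10.2.1.1.149"
PVP_VERSION = OID + "1.2.40.0.10.2.1.1.261.10"
PRINCIPAL_NAME = OID + "1.2.40.0.10.2.1.1.261.20"
EID_ISSUING_NATION = OID + "1.2.40.0.10.2.1.1.261.32"
EID_SECTOR = OID + "1.2.40.0.10.2.1.1.261.34"
EID_CCS_URL = OID + "1.2.40.0.10.2.1.1.261.64"
EID_SIGNER_CERT = OID + "1.2.40.0.10.2.1.1.261.66"
MANDATE_TYPE = OID + "1.2.40.0.10.2.1.1.261.68"
MANDATE_PROF_REP_OID = OID + "1.2.40.0.10.2.1.1.261.86"
MANDATE_PROF_REP_DESC = OID + "1.2.40.0.10.2.1.1.261.88"
MANDATOR_BPK = OID + "1.2.40.0.10.2.1.1.261.98"
AUTHN_CLASS = "AuthnContextClassRef"  # pseudo-attribute supplied by the caller
SECCLASS = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/"

PRESENT, ABSENT = "!= NULL", "= NULL"  # rule markers; any other rule is a set of allowed values

COMMON = {  # the rows shared by all three tables
    GIVEN_NAME: PRESENT, BPK: PRESENT, PVP_VERSION: {"2.1"}, PRINCIPAL_NAME: PRESENT,
    EID_ISSUING_NATION: {"AT"}, EID_SECTOR: {"urn:publicid:gv.at:cdid+GH"},
    EID_CCS_URL: PRESENT, EID_SIGNER_CERT: PRESENT,
}
OBST_TYPES = {"PROD": {"ELGA-Ombudsstelle"}, "TEST": {"ELGA-Ombusstelle-TEST"}}
EHS_TYPES = {"PROD": {"eHealth-Servicestelle"}, "TEST": {"eHealth-Servicestelle-TEST"}}
PROF_REP_OIDS = {"1.2.40.0.34.3.1.3", "1.2.40.0.34.3.1.1234",
                 "urn:oid:1.2.40.0.34.3.1.3", "urn:oid:1.2.40.0.34.3.1.1234"}


def profile(variant, env="PROD"):
    """Rule table for one variant; the variant decides MANDATE-TYPE and the secclass."""
    rules = dict(COMMON)
    if variant == "BKUA":
        rules[AUTHN_CLASS] = {SECCLASS + "2"}
        rules[MANDATE_TYPE] = ABSENT
    elif variant == "BKUAM":
        rules[AUTHN_CLASS] = {SECCLASS + "2"}
        rules[MANDATE_TYPE] = {"ELGABilateral", "GeneralvollmachtBilateral", "ELGAVertretung"}
        rules[MANDATOR_BPK] = PRESENT
    elif variant == "OBST/eHS":
        rules[AUTHN_CLASS] = {SECCLASS + "3"}
        rules[MANDATE_TYPE] = OBST_TYPES[env] | EHS_TYPES[env]
        rules[MANDATE_PROF_REP_OID] = PROF_REP_OIDS
        rules[MANDATE_PROF_REP_DESC] = PRESENT
        rules[MANDATOR_BPK] = PRESENT
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return rules


def check_attributes(attrs, variant, env="PROD"):
    """Return the failed rules as 'name: rule (got value)' strings; empty means accepted."""
    fails = []
    for name, rule in profile(variant, env).items():
        value = attrs.get(name)
        ok = (bool(value) if rule == PRESENT else
              not value if rule == ABSENT else
              value in rule)
        if not ok:
            expected = rule if isinstance(rule, str) else "= " + " || ".join(sorted(rule))
            fails.append(f"{name}: {expected} (got {value!r})")
    return fails


def mandate_office(attrs):
    """Tell OBST and eHS apart by MANDATE-TYPE, as the text prescribes."""
    t = attrs.get(MANDATE_TYPE)
    if t in OBST_TYPES["PROD"] | OBST_TYPES["TEST"]:
        return "OBST"
    if t in EHS_TYPES["PROD"] | EHS_TYPES["TEST"]:
        return "eHS"
    return None


# Constructed sample attribute maps (placeholder bPK, URL and certificate values).
BASE = {
    GIVEN_NAME: "Maria", BPK: "bpk-gh-placeholder", PVP_VERSION: "2.1", PRINCIPAL_NAME: "Musterfrau",
    EID_ISSUING_NATION: "AT", EID_SECTOR: "urn:publicid:gv.at:cdid+GH",
    EID_CCS_URL: "https://bku.example/ccs", EID_SIGNER_CERT: "cert-placeholder",
}
SAMPLE_BKUA = dict(BASE, **{AUTHN_CLASS: SECCLASS + "2"})
SAMPLE_BKUAM = dict(BASE, **{AUTHN_CLASS: SECCLASS + "2", MANDATE_TYPE: "ELGAVertretung",
                             MANDATOR_BPK: "bpk-gh-of-child-placeholder"})
SAMPLE_OBST_TEST = dict(BASE, **{AUTHN_CLASS: SECCLASS + "3", MANDATE_TYPE: "ELGA-Ombusstelle-TEST",
                                 MANDATE_PROF_REP_OID: "urn:oid:1.2.40.0.34.3.1.1234",
                                 MANDATE_PROF_REP_DESC: "ELGA-Ombudsstelle (Test)",
                                 MANDATOR_BPK: "bpk-gh-of-mandator-placeholder"})

if __name__ == "__main__":
    print(check_attributes(SAMPLE_BKUAM, "BKUAM"))                 # []
    print(check_attributes(SAMPLE_OBST_TEST, "OBST/eHS", "PROD"))  # MANDATE-TYPE fails in PROD
```

Keeping the TEST-only MANDATE-TYPE values out of the PROD profile is the point of the environment switch: a test-office mandate must not be accepted by a production ETS.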

BRZ IdP SAML2 Identity Assertion

This SAML assertion is passed by the BRZ IdP to the BeS AdminTool via HTTP POST binding as an unsolicited '<samlp:Response>'. The BeS AdminTool subsequently requests an ELGA Service assertion from the ETS via a WS Trust RST.

Assertion: BRZ IdP SAML2 Identity Assertion (BRZIDP.xml)

Local WIST IDA

As its local IDA, the WIST uses the one described in the chapter Identity Assertion. The one exception is the absence of an organisation ID; see WIST PH - 2.2.2 Authentication towards the ETS.

During identification and validation of the assertion, the following data elements of the WIST IDA are checked:

Element                | Attribute            | Check
-----------------------|----------------------|----------------------------------------------------
CanonicalizationMethod | Algorithm            | = http://www.w3.org/2001/10/xml-exc-c14n#
SignatureMethod        | Algorithm            | = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DigestMethod           | Algorithm            | = http://www.w3.org/2001/04/xmlenc#sha256
AuthnStatement         | AuthnContextClassRef | = urn:oasis:names:tc:SAML:2.0:ac:classes.*
SubjectConfirmation    | Method               | = urn:oasis:names:tc:SAML:2.0:cm:bearer
AudienceRestriction    | Audience             | = https://elga-online.at/ETS
Assertion              | Issuer               | = urn:wist:sts
Subject                | NameID               | = 1.2.40.0.34.3.1.4.2

Data elements: checks on the assertion elements of the WIST IDA

During identification and validation of the assertion, the following attributes of the WIST IDA are additionally checked:

Attribute                                       | FriendlyName | Check
------------------------------------------------|--------------|--------------------------------
urn:oasis:names:tc:xacml:2.0:subject:role       |              | = 607 (ELGA-Widerspruchstelle)
urn:oasis:names:tc:xacml:1.0:subject:subject-id |              | != NULL

Data elements: checks on the assertion attributes of the WIST IDA

Local ZGF Service Assertion

The local ZGF Service IDA is a SAML assertion issued by the ZGF itself and used as the input assertion when requesting an ELGA ZGF Service assertion.

Assertion: local ZGF Service Assertion (lokale ZGF Service.xml)

Data elements of the local ZGF Service Assertion

Element                       | Opt | Usage convention
------------------------------|-----|--------------------------------------------------------------------------
@Version                      | R   | MUST be "2.0"
@ID                           | R   | SAML assertion identifier, NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant                 | R   | Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer                        | R   | Address URI that identifies the endpoint of the issuing service; the unique URI of the remote STS used by the ZGF.
Subject                       | R   |
  NameID                      | R   | Home Community ID of the ZGF
    @Format                   | R   | "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  SubjectConfirmation         | R   |
    @Method                   | R   | "urn:oasis:names:tc:SAML:2.0:cm:bearer"
    SubjectConfirmationData   | X   | Not present
Conditions                    | R   |
  @NotBefore                  | R   | Time instant from which the assertion is usable; set to the issue instant
  @NotOnOrAfter               | R   | Time instant at which the assertion expires; set to 5 minutes
  AudienceRestriction         | R   | List of audiences, i.e. the contexts (services) for which the STS issued the assertion. The local ZGF Service Assertion is used only with the ETS (https://elga-online.at/ETS).
AuthnStatement                | R   |
  @AuthnInstant               | R   | Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
  AuthnContext                | R   |
    AuthnContextClassRef      | R   | urn:oasis:names:tc:SAML:2.0:ac:classes:x509
AttributeStatement            | R   | ZGF identity attributes (see: Attributes of the local ZGF Service Assertion)
ds:Signature                  | R   | Enveloped XML signature of the issuer of the assertion

Data elements: local ZGF Service Assertion

Attributes of the local ZGF Service Assertion

Identity subject name
  FriendlyName: XSPA Subject
  Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  Values: Display name of the ZGF HomeCommunity
  Type: String
  Source: ZGF configuration
Role of the ZGF
  FriendlyName: Rolle/Type der ZGF
  Name: urn:oasis:names:tc:xacml:2.0:subject:role
  Values: Contains the type/role of the ZGF
  Type: HL7v3 coded value
  Source: configuration value of the ZGF, internal value set ZGF_TYPES:
    urn:elga:bes:2013:zgf:type:eBefunde
    urn:elga:bes:2013:zgf:type:eMed
    urn:elga:bes:2013:zgf:type:read-only
    urn:elga:bes:2013:zgf:type:EBP

Data elements: local ZGF Service Assertion attributes

During identification and validation of the assertion, the following data elements of the ZGF Service Assertion are checked:

Element                | Attribute            | Check
-----------------------|----------------------|----------------------------------------------------
CanonicalizationMethod | Algorithm            | = http://www.w3.org/2001/10/xml-exc-c14n#
SignatureMethod        | Algorithm            | = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DigestMethod           | Algorithm            | = http://www.w3.org/2001/04/xmlenc#sha256
AuthnStatement         | AuthnContextClassRef | = urn:oasis:names:tc:SAML:2.0:ac:classes.*
AudienceRestriction    | Audience             | = https://elga-online.at/ETS
Subject                | NameID               | != NULL

Data elements: checks on the assertion elements of the ZGF Service Assertion

During identification and validation of the assertion, the following attributes of the ZGF Service Assertion are additionally checked:

Attribute                                       | FriendlyName       | Check
------------------------------------------------|--------------------|------------------------------
urn:oasis:names:tc:xacml:1.0:subject:subject-id | XSPA Subject       | != NULL
urn:oasis:names:tc:xacml:2.0:subject:role       | Rolle/Type der ZGF | = urn:elga:bes:2013:zgf:type:.*

Data elements: checks on the assertion attributes of the ZGF Service Assertion

eMED-ID Assertion

For accesses with an eMED-ID, the eMED-ID assertion must be supplied as a SAML2 assertion in the Security header of the SOAP request in addition to the ELGA HCP assertion. Use of the eMED-ID assertion is permitted only in the Security header of the SOAP request.

If the eMED-ID assertion is present in the SOAP Security header in addition to the HCP assertion, the ZGF requests an eMed Treatment assertion from the ETS instead of a normal Treatment assertion.

Detailed information and an example can be found in the eMed interface document (SVC, 2014), section 2.4.2.2.1 eMED-ID-Assertion.

During identification and validation of the assertion, the following data elements of the eMED-ID assertion are checked:

Element             | Attribute | Check
--------------------|-----------|--------------------------------
AudienceRestriction | Audience  | = [ https://elga-online.at/ETS ]

Data elements: checks on the assertion elements of the eMED-ID assertion

Login Assertions

ELGA Login assertions are assertions issued by the ETS on the basis of external or local identity assertions when an ELGA user or a background service logs in to ELGA. Login assertions can be renewed a specific number of times before they expire and must be invalidated when a user session ends.

HCP Assertion

An HCP assertion is requested from the ETS by a GDA or domain (Bereich) software via a WS Trust transaction. The HCP assertion contains identity attributes of the ELGA user and is issued on the basis of an external identity assertion or an e-card identity assertion. When an HCP assertion is issued, the GDA and the requested ELGA role are checked against the GDA Index.

Figure: HCP Assertion

Assertion: HCP Assertion (HCP.xml)

Data elements of the HCP Assertion

Element                       | Opt | Usage convention
------------------------------|-----|--------------------------------------------------------------------------
@Version                      | R   | MUST be "2.0"
@ID                           | R   | SAML assertion identifier, NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant                 | R   | Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer                        | R   | Address URI that identifies the endpoint of the issuing service. For the HCP assertion it is set to the URI representing the ETS.
Subject                       | R   |
  NameID                      | R   | Identifier of the GDA, set to the value returned by the GDA Index. Source: GDAIndex/GdaDescriptor/InstanceIdentifier/id ^ GDAIndex/GdaDescriptor/InstanceIdentifier/oidIssuingAuthority @ GDAIndex/GdaDescriptor/InstanceIdentifier/description
    @Format                   | R   | "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  SubjectConfirmation         | R   |
    @Method                   | R   | "urn:oasis:names:tc:SAML:2.0:cm:bearer"
    SubjectConfirmationData   | X   | Not present
Conditions                    | R   |
  @NotBefore                  | R   | Time instant from which the assertion is usable; set to the issue instant
  @NotOnOrAfter               | R   | Time instant at which the assertion expires; value is @NotBefore + 4 hours
  ProxyRestriction/@Count     | R   | Specifies how often a Login assertion is renewable (see chapter SAML Assertion Overview)
  AudienceRestriction         | R   | List of audiences, i.e. the contexts (services) for which the STS issued the assertion. The HCP assertion can be used with https://elga-online.at/KBS, https://elga-online.at/ETS and https://elga-online.at/ZPI.
AuthnStatement                | R   |
  @AuthnInstant               | R   | Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
  AuthnContext                | R   |
    AuthnContextClassRef      | R   | Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement            | R   | HCP identity attributes and permissions (see: Attributes of the HCP Assertion)
ds:Signature                  | R   | Enveloped XML signature of the issuer of the HCP assertion (see: Assertion Signaturlayout)

Data elements: HCP Assertion

Attribute der HCP Assertion

tr class="odd">
HCP subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the HCP
Type String
Source: IDA/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Structural Role of the HCP
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the ELGA role of the GDA, coming from the GDA Index (see ELGA Terminology "ELGA_Rollen 2013-01-10")

Type:

Source:

Hl7v3 coded value

RST/requested-role checked against GDAIndex/GdaDescriptor/ElgaRoles

Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the GDA to permissions (BeS internal ID values)
Type: URN
Source: Permissions are mapped from the ELGA Role - RST/requested-role checked against "GDAIndex/GdaDescriptor/ElgaRoles"
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the GDA (GDA Index)
Type: URI
Source:

GDAIndex/GdaDescriptor/InstanceIndentifier/ID:

GDAIndex/GdaDescriptor/InstanceIndentifier/OidIssuingAuthority

Local Healthcare Professional Organisation ID
FriendlyName: Local Organisation ID
Name: urn:elga:bes:2013:local-organisation-id
Values: Local OID of the GDA (OrgID from the local Identity Assertion)
Type: URI
Purpose of Use
FriendlyName: BeS Purpose Of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: PUBLICHEALTH
Type URI
Source TokenIssuer configuration: PUBLICHEALTH
ELGA Personal Role
FriendlyName: ELGA Personal Role
Name: urn:elga:bes:personal-role
Values: Role of the identified person according to ELGA_GTelVoGDARollen (Austrian e-Health Terminology Browser) with the parent attribute "10 Teil1: Rollen für Personen"
Type: String
Source: If present, the value is taken over from the respective Identity Assertion: urn:elga:bes:personal-role

Data elements: HCP Assertion Attributes

User I-Assertion

A User I-Assertion is requested by the EBP from the ETS by means of a WS-Trust transaction. The User I-Assertion contains identity attributes of the ELGA participant and is issued on the basis of a BKUA assertion. The identity of the ELGA participant is checked against the Z-PI.

Figure: User I-Assertion

Sample file: Assertion UserI.xml (User I-Assertion)

Data elements of the User I-Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the User I-Assertion, it is set to the URI representing the ETS
Subject R
NameID R Identifier of the user (e.g., patient) who is actually performing the transaction. Source: BKUA/BPK(urn:oid:1.2.40.0.10.2.1.1.149)
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 20 minutes after the issue instant
@ProxyRestriction/Count R Specifies how often a Login Assertion is renewable. See: chapter SAML Assertion Übersicht
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. The User I-Assertion can be used with https://elga-online.at/KBS, https://elga-online.at/PAP, https://elga-online.at/A2R2 and https://elga-online.at/ETS.
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R User I identity attributes and permissions (see section: Attributes of the User I-Assertion)
ds:Signature R Enveloped XML signature of the issuer of the User I-Assertion (see section: Assertion Signaturlayout)
Data elements: User I-Assertion
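A consumer-side check of the Conditions and SubjectConfirmation rules in the table above, as an added example (not code from the ELGA documentation or the ETS). It assumes the enveloped ds:Signature has already been verified against the ETS signing certificate, which the checks below do not do and without which none of them mean anything. The assertion is a constructed sample; the Issuer value https://elga-online.at/ETS is an assumption borrowed from the audience list, and the 30-second clock skew allowance is this example's choice.

```python
"""Checks on a User I-Assertion after its signature has been verified (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # yyyy-MM-ddTHH:mm:ss.fffZ as given in the table

# Constructed sample: issued 10:00:00 UTC, valid 20 minutes, renewable twice (ProxyRestriction Count).
SAMPLE_USER_I = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="urn:uuid:0f2b6d6e-1111-4c1c-9d2a-000000000001"
    IssueInstant="2024-05-06T10:00:00.000Z">
  <saml:Issuer>https://elga-online.at/ETS</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">BPK-PLACEHOLDER</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-06T10:00:00.000Z" NotOnOrAfter="2024-05-06T10:20:00.000Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://elga-online.at/KBS</saml:Audience>
      <saml:Audience>https://elga-online.at/ETS</saml:Audience>
    </saml:AudienceRestriction>
    <saml:ProxyRestriction Count="2"/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-06T10:00:00.000Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """Parse the yyyy-MM-ddTHH:mm:ss.fffZ timestamps of ELGA assertions as aware UTC datetimes."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_user_i_conditions(xml_text: str, my_audience: str, now: datetime,
                            expected_issuer: str = "https://elga-online.at/ETS",   # assumed ETS URI
                            max_lifetime: timedelta = timedelta(minutes=20),
                            clock_skew: timedelta = timedelta(seconds=30)) -> list:
    """Return the list of violations; an empty list means the assertion may be used for my_audience."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer is not the ETS")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != SENDER_VOUCHES:
        problems.append("SubjectConfirmation must be sender-vouches")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Conditions missing"]
    issue_instant = parse_instant(root.get("IssueInstant"))
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    if not_before != issue_instant:
        problems.append("NotBefore must equal IssueInstant")
    if not_on_or_after - not_before > max_lifetime:
        problems.append("lifetime exceeds 20 minutes")
    if now + clock_skew < not_before:
        problems.append("assertion not yet valid")
    if now - clock_skew >= not_on_or_after:
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        problems.append(f"{my_audience} not in AudienceRestriction {audiences}")
    proxy = cond.find("saml:ProxyRestriction", NS)
    if proxy is None or not proxy.get("Count", "").isdigit():
        problems.append("ProxyRestriction/Count missing")
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx != PREVIOUS_SESSION:
        problems.append("unexpected AuthnContextClassRef")
    return problems


if __name__ == "__main__":
    print(check_user_i_conditions(SAMPLE_USER_I, "https://elga-online.at/KBS",
                                  parse_instant("2024-05-06T10:05:00.000Z")))
```

The audience check is the one most often skipped in practice: a User I-Assertion issued for the KBS is, by the table above, also valid for the PAP, A2R2 and ETS, so each service has to assert its own audience rather than merely checking that the list is non-empty.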

Attributes of the User I-Assertion

User subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the Patient
Type String
Source: BKUA/PRINCIPAL-NAME(urn:oid:1.2.40.0.10.2.1.1.261.20) + ' ' + BKUA/GIVEN-NAME(urn:oid:2.5.4.42)

Role of the User
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the role of the user, which is set to 610
Type: HL7v3 coded value
Source: TokenIssuer Configuration: 610
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the Bürger to permissions
Type: URI
Source: Permissions are mapped from the configured Role
Patient Identifier
FriendlyName: XSPA Patient ID
Name: urn:oasis:names:tc:xspa:1.0:resource:resource-id
Values: Contains the patient identifier in CX format (bPK-GH)
Type: String
Source: BKUA/BPK(urn:oid:1.2.40.0.10.2.1.1.149)^^^&1.2.40.0.10.2.1.1.149&ISO
Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: REQUEST
Type: String
Source: TokenIssuer configuration: REQUEST
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the EBP
Type: URI
Source: OID of the EBP

Data elements: User I-Assertion Attributes

Mandate I-Assertion

A Mandate I-Assertion is requested by the EBP from the ETS by means of a WS-Trust transaction. The Mandate I-Assertion contains identity attributes of the agent (Vollmachtnehmer) and of the principal (Vollmachtgeber) and is issued on the basis of a BKUAM assertion. The identities of both the agent and the principal are checked against the Z-PI.

Figure: Mandate I-Assertion

Sample file: Assertion MandateI.xml (Mandate I-Assertion)

The identification of the agent (Vollmachtnehmer) is located in SAML/Subject/NameID, that of the principal (Vollmachtgeber) in AttributeStatement/urn:oasis:names:tc:xspa:1.0:resource:resource-id (XSPA PatientID).

Data elements of the Mandate I-Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R SAML assertion identifier, NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the Mandate I-Assertion, it is set to the URI representing the ETS
Subject R
NameID R Identifier of the acting person (Vollmachtnehmer). Source: BKUAM/BPK(urn:oid:1.2.40.0.10.2.1.1.149)
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 20 minutes after the issue instant
@ProxyRestriction/Count R Specifies how often a Login Assertion is renewable. See: chapter SAML Assertion Übersicht
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. Mandate I can be used with https://elga-online.at/KBS, https://elga-online.at/PAP, https://elga-online.at/A2R2 and https://elga-online.at/ETS.
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R Mandate I identity attributes and permissions (see: Attributes of the Mandate I-Assertion)
ds:Signature R Enveloped XML signature of the issuer of the Mandate I-Assertion (see: Assertion Signaturlayout)

Data elements: Mandate I-Assertion
Attributes of the Mandate I-Assertion

Real person subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the "REAL PERSON" acting (gesetzlicher oder bevollmächtigter Vertreter)
Type: String
Source: BKUAM/PRINCIPAL-NAME(urn:oid:1.2.40.0.10.2.1.1.261.20) + ' ' + BKUAM/GIVEN-NAME(urn:oid:2.5.4.42)

Role of the User
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the role of the User, set as 611
Type: Hl7v3 coded value
Source: TokenIssuer Configuration: 611
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the Bürger to permissions
Type: URI
Source: Permissions are mapped from the configured Role
Patient ID
FriendlyName: XSPA patient id
Name: urn:oasis:names:tc:xspa:1.0:resource:resource-id
Values: Contains the patient identifier in CX format (bPK-GH des Vollmachtgebers)
Type: String
Source: BKUAM/MANDATOR-NATURAL-PERSON-BPK(urn:oid:1.2.40.0.10.2.1.1.261.98)^^^&1.2.40.0.10.2.1.1.149&ISO
Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: MANDATE
Type: String
Source: TokenIssuer Configuration: MANDATE
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the OBST/eHS or EBP
Type: URI
Source: TokenIssuer Configuration: EBP or OBST/eHS OID

Data elements: Mandate I-Assertion Attributes
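How a relying party reads the attribute tables of the User I- and Mandate I-Assertions (this one block serves both tables), as an added example that is not from the ELGA documentation: it extracts the XSPA subject, the HL7v3 role code, the CX-formatted patient identifier and the purpose of use, and checks the one semantic difference between the two assertion types, namely whether Subject/NameID and the XSPA resource-id name the same person. The AttributeStatement samples are constructed; carrying the role code in an hl7:Role element of the urn:hl7-org:v3 namespace, and the bPK placeholder strings, are this example's assumptions. Signature verification is assumed to have happened before any of this runs.

```python
"""Reading the AttributeStatement of a User I- or Mandate I-Assertion (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HL7_ROLE = "{urn:hl7-org:v3}Role"                 # assumed element carrying the coded role
BPK_GH_OID = "1.2.40.0.10.2.1.1.149"              # assigning authority of the bPK-GH in the CX string
ATTR_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ATTR_PATIENT = "urn:oasis:names:tc:xspa:1.0:resource:resource-id"
ATTR_POU = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"

# (role code, purpose of use) fixed by the attribute tables for each assertion type
EXPECTED = {"User I": ("610", "REQUEST"), "Mandate I": ("611", "MANDATE")}


def sample_assertion(name_id: str, role_code: str, patient_cx: str, pou: str) -> str:
    """Constructed sample containing only the parts the checks below need."""
    patient_xml = patient_cx.replace("&", "&amp;")   # '&' must be escaped inside XML text
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:hl7="urn:hl7-org:v3">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ATTR_SUBJECT}"><saml:AttributeValue>Mustermann Max</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR_ROLE}"><saml:AttributeValue><hl7:Role code="{role_code}" codeSystem="1.2.40.0.34.5.158"/></saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR_PATIENT}"><saml:AttributeValue>{patient_xml}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR_POU}"><saml:AttributeValue>{pou}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_cx(value: str) -> tuple:
    """Split a CX identifier 'id^^^&oid&ISO' into (id, assigning authority OID)."""
    ident, _, _, authority = value.split("^", 3)
    parts = authority.split("&")
    if len(parts) != 3 or parts[0] != "" or parts[2] != "ISO":
        raise ValueError(f"malformed CX assigning authority: {authority!r}")
    return ident, parts[1]


def read_attributes(xml_text: str) -> dict:
    """Map attribute Name -> plain value (role attributes yield the hl7:Role/@code)."""
    root = ET.fromstring(xml_text)
    out = {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        role = value.find(HL7_ROLE)
        out[attr.get("Name")] = role.get("code") if role is not None else (value.text or "").strip()
    return out


def check_identity_attributes(xml_text: str, kind: str) -> list:
    """kind is 'User I' or 'Mandate I'; returns the list of violations (empty = acceptable)."""
    attrs = read_attributes(xml_text)
    role, pou = EXPECTED[kind]
    problems = []
    if attrs.get(ATTR_ROLE) != role:
        problems.append(f"role must be {role}")
    if attrs.get(ATTR_POU) != pou:
        problems.append(f"purposeofuse must be {pou}")
    patient, authority = parse_cx(attrs[ATTR_PATIENT])
    if authority != BPK_GH_OID:
        problems.append("patient id is not a bPK-GH")
    # User I: the subject acts for themselves, so resource-id carries the subject's own bPK.
    # Mandate I: Subject/NameID is the agent, resource-id the principal; they must differ.
    if kind == "User I" and patient != attrs["name_id"]:
        problems.append("User I patient id must be the subject's own bPK")
    if kind == "Mandate I" and patient == attrs["name_id"]:
        problems.append("Mandate I patient id must identify the principal, not the acting person")
    return problems


if __name__ == "__main__":
    m = sample_assertion("BPK-AGENT", "611", "BPK-PRINCIPAL^^^&1.2.40.0.10.2.1.1.149&ISO", "MANDATE")
    print(check_identity_attributes(m, "Mandate I"))
```

The last two checks are what stop a Mandate I-Assertion from being treated as a User I-Assertion by a service that only looks at the resource-id: for a mandate, the record being accessed belongs to the principal, while every audit entry must name the agent from Subject/NameID.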

ELGA WIST Assertion

The WIST requests an ELGA WIST (E-WIST) Assertion from the ETS with a WS-Trust Issue transaction. The organisation OID is not checked against the GDA Index. For every ELGA participant the WIST processes, a WIST Mandate Assertion is requested.

See ELGA Pflichtenheft SSt PAP WIST V1.0.pdf (ELGA GmbH, 2014), chapter 2.2.2 "Authentisierung gegenüber ETS" (authentication towards the ETS).

Figure: E-WIST-Assertion

Sample file: Assertion E-WIST.xml (E-WIST-Assertion)

Data elements of the E-WIST-Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R SAML assertion identifier, NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the E-WIST-Assertion, it is set to the URI representing the ETS
Subject R
NameID R Identifier of the WIST. Source: Local WIST IDA/SubjectNameID
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 4 hours after the issue instant
@ProxyRestriction/Count R Specifies how often a Login Assertion is renewable. See: chapter SAML Assertion Übersicht
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. The E-WIST-Assertion can be used with https://elga-online.at/ETS.
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R E-WIST identity attributes and permissions (see: Attributes of the E-WIST-Assertion)
ds:Signature R Enveloped XML signature of the issuer of the E-WIST-Assertion (see: Assertion Signaturlayout)

Data elements: E-WIST-Assertion

Attributes of the E-WIST-Assertion

WIST subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the WIST
Type: String
Source: Local WIST IDA/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Structural Role of the WIST
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the ELGA role of the WIST (607), see ELGA Terminology "ELGA_Rollen 2013-01-10"
Type: HL7v3 coded value
Source: RST/urn:tiani-spirit:bes:2013:claims:requested-role; the same value as received in Local WIST IDA/urn:oasis:names:tc:xacml:2.0:subject:role/Role/code

Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the WIST to permissions (BeS internal ID values)
Type: URN
Source: Permissions are mapped from the ELGA Role - RST/requested-role
Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: WIST
Type URI
Source TokenIssuer configuration: WIST

Data elements: E-WIST-Assertion Attributes

WIST Mandate Assertion

For every ELGA participant it processes, the WIST requests a WIST Mandate Assertion, which the ETS issues on the basis of the supplied ELGA WIST Assertion. The represented ELGA participant is checked against the Z-PI.

Figure: WIST Mandate Assertion

Sample file: Assertion WIST Mandate.xml (WIST Mandate Assertion)

The identification of the agent (the WIST) is located in SAML/Subject/NameID, that of the principal (Vollmachtgeber) in AttributeStatement/urn:oasis:names:tc:xspa:1.0:resource:resource-id (XSPA PatientID).

Data elements of the WIST Mandate Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R SAML assertion identifier, NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the WIST Mandate Assertion, it is set to the URI representing the ETS
Subject R
NameID R Identifier of the acting person (the WIST). Source: E-WIST/SubjectNameID
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 5 minutes after the issue instant
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. The WIST Mandate Assertion can be used with https://elga-online.at/PAP.
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R WIST Mandate identity attributes and permissions (see: Attributes of the WIST Mandate Assertion)
ds:Signature R Enveloped XML signature of the issuer of the WIST Mandate Assertion

Data elements: WIST Mandate Assertion

Attributes of the WIST Mandate Assertion

Real person subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the "REAL PERSON" acting (WIST)
Type: String
Source: E-WIST/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Role of the User
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the role of the WIST, set as 607
Type: Hl7v3 coded value
Source: TokenIssuer Configuration: 607
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the WIST to permissions
Type: URI
Source: Permissions are mapped from the configured Role
Patient ID
FriendlyName: XSPA patient id
Name: urn:oasis:names:tc:xspa:1.0:resource:resource-id
Values: Contains the patient identifier in CX format (bPK-GH des Vollmachtgebers)
Type: String
Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:patient-id (see: WIST PH, Interface 3: Example Request Mandate I-Assertion)

Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: WIST_MANDATE
Type: String
Source: TokenIssuer Configuration: WIST_MANDATE
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the WIST
Type: URI
Source: TokenIssuer Configuration: WIST OID

Data elements: WIST Mandate Assertion Attributes

Service Assertion

This assertion is deactivated, since it is currently not used.

This assertion is issued by means of a WS-Trust RST transaction to systems for ELGA service staff (see ELGA roles: Code="608", CodeSystem="1.2.40.0.34.5.158"). The Service Assertion is used by the General Policy Administrator to manage the general policies.

Figure: Service Assertion

Sample file: Assertion Service.xml (Service Assertion)

Data elements of the Service Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the Service Assertion, it is set to the URI representing the ETS
Subject R
NameID R Identifier of the BRZ staff member performing service on the BeS system. Source: BRZ_IDA/SubjectNameIDValue
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 1 hour after the issue instant
@ProxyRestriction/Count R Specifies how often a Login Assertion is renewable. See: chapter SAML Assertion Übersicht
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. The Service Assertion can be used only with https://elga-online.at/adminstration
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R Administrator identity attributes and permissions (see: Attributes of the Service Assertion)
ds:Signature R Enveloped XML signature of the issuer of the Service Assertion

Data elements: Service Assertion

Attributes of the Service Assertion

Administrator subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the administrator
Type: String
Source: BRZ_IDA/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Role of the Administrator
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the role of the administrator. This value is set to "608"
Type: HL7v3 coded value
Source: TokenIssuer Config: 608
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the administrator to permissions (BeS internal ID values)
Type: URI
Source: Permissions are mapped from the ELGA Role
Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: SERVICE
Type: String
Source: TokenIssuer Configuration: SERVICE

Data elements: Service Assertion Attributes

ZGF Service Assertion

The ZGF Service Assertion is requested from the ETS by background processes of the ZGF. A local ZGF Service IDA is passed to the ETS as the input assertion. This assertion is used when synchronising the general policies and for the communication of the Content Delete Daemon with the central components.

Figure: ZGF Service Assertion

Sample file: Assertion ZGF Service.xml (ZGF Service Assertion)

Data elements of the ZGF Service Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R SAML assertion identifier, NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the ZGF Service Assertion, it is set to the URI representing the ETS
Subject R
NameID R Home Community ID of the ZGF. Source: Local ZGF Service IDA/SubjectNameIDValue
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 4 hours after the issue instant
@ProxyRestriction/Count R Specifies how often a Login Assertion is renewable. See: chapter SAML Assertion Übersicht
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. The ZGF Service Assertion is used with the CDM (https://elga-online.at/CDM) and the PAP (https://elga-online.at/PAP)
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R smartcard: urn:oasis:names:tc:SAML:2.0:ac:classes:x509
AttributeStatement R ZGF identity attributes (see: Attributes of the ZGF Service Assertion)
ds:Signature R Enveloped XML signature of the issuer of the ZGF Service Assertion

Data elements: ZGF Service Assertion

Attributes of the ZGF Service Assertion

Identity subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Display name of the ZGF HomeCommunity
Type String
Source: Local ZGF Service IDA/SubjectNameID/Value
Role of the ZGF
FriendlyName: Rolle/Type der ZGF
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the Type/Role of the ZGF
Type: Hl7v3 coded value
Source: Local ZGF Service IDA/urn:oasis:names:tc:xacml:2.0:subject:role
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ZGF Type to permissions (ValueSet: ZGF_TYPES)
Type: URN
Source: Local ZGF Service IDA/urn:oasis:names:tc:xacml:2.0:subject:role. Permissions are mapped using the ZGF_TYPES ValueSet: urn:elga:bes:2013:zgf:type:eBefunde, urn:elga:bes:2013:zgf:type:eMed, urn:elga:bes:2013:zgf:type:read-only, urn:elga:bes:2013:zgf:type:EBP

Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: ZGF_SERVICE
Type: String
Source: TokenIssuer Configuration: ZGF_SERVICE

Data elements: ZGF Service Assertion Attributes

Treatment-Assertions (Delegated Assertions)

Treatment-Assertions are used for the internal ZGF-to-ZGF communication and for communication within a Bereich that is routed through the ZGF. Depending on the Login Assertion it received, the initiating ZGF requests a Treatment-, User II-, Mandate II- or eMed Treatment-Assertion from the ETS with a WS-Trust Issue (wst14:ActAs) transaction. The ETS returns one assertion per ELGA Bereich in which the affected ELGA participant has an LPID. The assertion assigned to the respective remote ELGA Bereich is then used in the SOAP Security Header for the remote communication. In addition to the identity attributes of the ELGA participant, Treatment-Assertions also contain parts of the participant's individual ELGA access rights in the form of a XACML policy. Treatment-Assertions have a very short lifetime (5 minutes, depending on the configuration) and can be neither renewed nor invalidated. Treatment-Assertions are not passed on to the backend services of the Bereich. Because of the two-phase logging of the A-ARR, each Treatment-Assertion can be used for exactly one transaction. Technically, however, this one-time use of Treatment-Assertions is not verified.

Treatment-Assertion

This assertion is requested by the ZGF from the ETS with a WS-Trust transaction on the basis of an HCP Assertion. The ETS issues one Treatment-Assertion for every Bereich in which the ELGA participant has an LPID. In the subsequent ZGF-to-ZGF communication, the assertion assigned to the respective Bereich is sent along in the SOAP Security Header. For write operations towards the local ELGA Bereich, only one Treatment-Assertion is requested for that Bereich, and it is used for the authorisation check.

Figure: Treatment-Assertion

Sample file: Assertion Treatment.xml (Treatment-Assertion)

Data elements of the Treatment-Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the Treatment-Assertion, it is set to the URI representing the ETS
Subject R
NameID R Identifier of the sending facade. Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 5 minutes after the issue instant
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. It contains the target remote ELGA Bereiche.
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R HCP identity attributes and permissions (see: Attributes of the Treatment-Assertion)
ds:Signature R Enveloped XML signature of the issuer of the Treatment-Assertion
Statement R An XACMLPolicyStatement [SAMLv2.0 profile for XACMLv2.0] containing the selected policy.

Data elements: Treatment-Assertion

Attributes of the Treatment-Assertion

HCP subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the physician
Type: String
Source: HCP/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Structural Role of the HCP
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the ELGA role of the GDA, coming from the GDA Index (see ELGA Terminology "ELGA_Rollen 2013-01-10")
Type HL7v3 coded value
Source HCP/urn:oasis:names:tc:xacml:2.0:subject:role
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the ELGA user / GDA to a list of permissions
Type: URI
Source: HCP/urn:elga:bes:permission
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the GDA from the GDA Index
Type: URI
Source: HCP/urn:oasis:names:tc:xspa:1.0:subject:organization-id
Patient ID
FriendlyName: XSPA patient id
Name: urn:oasis:names:tc:xspa:1.0:resource:resource-id
Values: Contains the patient identifier in CX format (LPID)
Type: String
Source: Z-PI/PixQuery/Domain to HomeCommunityID mapping (responding LPID)
Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: TREATMENT
Type String
Source TokenIssuer Configuration TREATMENT
Area specific person identifier
FriendlyName: Area specific person identifier
Name: urn:elga:bes:2013:bPK-GH
Values: Contains the bPK-GH of the patient in CX format.
Type URI
Source: Z-PI/PixQuery/BPKDomain. The identifier of the PIX query response matching the configured BPKDomain is used for this value.

XCA Home Community ID
FriendlyName: XCA Home Community ID
Name: urn:ihe:iti:xca:2010:homeCommunityId
Values: Contains the Community ID of the initiating community
Type URI
Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade
XCA Responding Home Community ID
FriendlyName: XCA Responding Home Community ID of the responding ZGF
Name: urn:elga:bes:2013:rsp-community
Values: Contains the Community ID of the responding community
Type: URI
Source: Z-PI/PixQuery/Domain to HomeCommunityID mapping (responding ZGF)
Excluded Class-Codes
FriendlyName: excluded class-codes
Name: urn:elga:bes:2023:excluded-class-codes
Values: Used for DICOM active yes/no
Type: URI
Source: DICOM active yes/no
Included Class-Codes
FriendlyName: include class-codes
Name: urn:elga:bes:2023:included-class-codes
Values: AC access to e-Befund, used to restrict the list of class codes
Type: URI
Source: acImport.xml
ELGA EU User Description
FriendlyName: ELGA EU User Description
Name: urn:elga:bes:2023:user-description
Values: Only present for an EU-IDA: urn:oasis:names:tc:xspa:1.0:subject:organization-id ^ urn:oasis:names:tc:xspa:1.0:environment:locality ^ urn:ehdsi:names:subject:healthcare-facility-type
Type: String
Source: ac Ctx Assertion
AC Purpose
FriendlyName: AC Purpose
Name: urn:oasis:names:tc:xacml:2.0:action:purpose
Values: For AC accesses to e-Befund, this attribute transports the AC APP ID
Type: String
Source: appId of the respective ac Ctx Assertion

Data elements: Treatment-Assertion Attributes

Treatment Update Assertion

If the ETS cannot issue a Treatment-Assertion ("Kontakt") for the "update document" use case, a Treatment Update Assertion is returned to the ZGF instead. The Treatment Update Assertion differs from the Treatment-Assertion only in the Purpose of Use used. The ETS issues this assertion only for this use case (update document) in combination with a "Kontakt", and it cannot be used for ZGF-to-ZGF communication.

Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: TREATMENT_DOC_UPD
Type: String
Source: TokenIssuer Configuration: TREATMENT_DOC_UPD
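An acceptance gate for delegated assertions on the responding ZGF, as an added example that is not code from the ELGA documentation or the ETS. It covers two points made above: the one-time use that the Treatment-Assertions section says is not enforced technically (added here as an in-memory replay cache keyed by assertion ID, pruned once an entry would fail the time check anyway), and the rule that a Treatment Update Assertion (TREATMENT_DOC_UPD) must never be accepted for ZGF-to-ZGF traffic. The gate works on claims already extracted from a signature-verified assertion; the claim field names, the placeholder community OIDs and the cache design are this example's own assumptions.

```python
"""Responding-ZGF gate for Treatment-, User II-, Mandate II- and eMed Treatment-Assertions (added example)."""
from datetime import datetime, timedelta, timezone

# Purpose-of-use values of the delegated assertions usable between ZGFs
DELEGATED_POU = {"TREATMENT", "REQUEST2", "MANDATE2", "EMED_ID"}
# Issued only for the "update document" use case; never valid between ZGFs
DOC_UPDATE_POU = "TREATMENT_DOC_UPD"

T0 = datetime(2024, 5, 6, 10, 0, 0, tzinfo=timezone.utc)   # constructed reference time


def at(seconds: int) -> datetime:
    """Point in time `seconds` after T0 (keeps the sample self-contained)."""
    return T0 + timedelta(seconds=seconds)


def sample_claims(assertion_id: str, issued: datetime, pou: str = "TREATMENT") -> dict:
    """Constructed claims of a Treatment-Assertion for the placeholder Bereich urn:oid:1.2.40.0.34.99.2."""
    return {
        "id": assertion_id,                                # @ID
        "purpose_of_use": pou,                             # urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
        "audiences": ["urn:oid:1.2.40.0.34.99.2"],         # Conditions/AudienceRestriction (target Bereich)
        "home_community": "urn:oid:1.2.40.0.34.99.1",      # urn:ihe:iti:xca:2010:homeCommunityId (initiating ZGF)
        "rsp_community": "urn:oid:1.2.40.0.34.99.2",       # urn:elga:bes:2013:rsp-community (responding ZGF)
        "not_before": issued,                              # Conditions/@NotBefore (= IssueInstant)
        "not_on_or_after": issued + timedelta(minutes=5),  # Conditions/@NotOnOrAfter
    }


class TreatmentAssertionGate:
    """Accepts each delegated assertion at most once, and only for the community it was issued for."""

    def __init__(self, my_community: str, max_lifetime: timedelta = timedelta(minutes=5)):
        self.my_community = my_community
        self.max_lifetime = max_lifetime
        self._seen = {}   # assertion ID -> NotOnOrAfter of that assertion

    def _purge(self, now: datetime) -> None:
        # An ID only needs remembering while the assertion could still pass the time check.
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}

    def accept(self, claims: dict, now: datetime) -> tuple:
        """Return (accepted, reason). Order matters: cheap rejections first, replay recording last."""
        self._purge(now)
        pou = claims["purpose_of_use"]
        if pou == DOC_UPDATE_POU:
            return False, "TREATMENT_DOC_UPD is only valid for document update, not for ZGF-to-ZGF traffic"
        if pou not in DELEGATED_POU:
            return False, f"{pou} is not a delegated assertion"
        if self.my_community not in claims["audiences"]:
            return False, "assertion was issued for another Bereich"
        if claims["rsp_community"] != self.my_community:
            return False, "rsp-community does not name this ZGF"
        if claims["not_on_or_after"] - claims["not_before"] > self.max_lifetime:
            return False, "lifetime exceeds the configured maximum"
        if not claims["not_before"] <= now < claims["not_on_or_after"]:
            return False, "outside the validity window"
        if claims["id"] in self._seen:
            return False, "replay: assertion ID already used"
        self._seen[claims["id"]] = claims["not_on_or_after"]
        return True, "ok"


if __name__ == "__main__":
    gate = TreatmentAssertionGate("urn:oid:1.2.40.0.34.99.2")
    first = sample_claims("urn:uuid:00000000-0000-4000-8000-000000000001", at(0))
    print(gate.accept(first, at(10)), gate.accept(first, at(20)))
```

Because the cache only has to outlive the 5-minute window, it stays small even under load; in a clustered ZGF it would have to be shared (or the ID recorded in the same store the A-ARR two-phase logging already writes to), otherwise a replay against a second node would go unnoticed.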

User II-Assertion

An XCA or eMed read transaction of an ELGA participant via the EBP to the ZGF/EBP triggers the ZGF to request ELGA User II-Assertions from the ETS/TRS by means of a WS-Trust RST. The User II-Assertion is requested by the ZGF from the ETS with a WS-Trust transaction on the basis of a User I-Assertion.

Figure: User II-Assertion

Sample file: Assertion UserII.xml (User II-Assertion)

Data elements of the User II-Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R Time instant of issuance in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
Issuer R Address URI that identifies the endpoint of the issuing service. For the User II-Assertion, it is set to the URI representing the ETS
Subject R
NameID R Identifier of the sending facade, in this case the sending facade of the portal. Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade
@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Set to 5 minutes after the issue instant
@AudienceRestriction R List of Audiences, i.e. the contexts (services) for which the STS issued the assertion. It contains the target ELGA Bereiche
AuthnStatement R
@AuthnInstant R Time instant of authentication in UTC. Format: yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'
AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R User II identity attributes and permissions (see: Attributes of the User II-Assertion)
Statement R An XACMLPolicyStatement [SAMLv2.0 profile for XACMLv2.0] containing the selected policy.
ds:Signature R Enveloped XML signature of the issuer of the User II-Assertion

Data elements: User II-Assertion

Attributes of the User II-Assertion

User subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the User (e.g., the patient)
Type: String
Source: User I/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Role of the User
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the role of the User, set as bürger
Type: HL7v3 coded value
Source: User I/urn:oasis:names:tc:xacml:2.0:subject:role
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the Bürger to permissions
Type: URI
Source: User I/urn:elga:bes:permission
Patient Identifier
FriendlyName: XSPA Patient ID of the responding ZGF
Name: urn:oasis:names:tc:xspa:1.0:resource:resource-id
Values: Contains the patient identifier in CX format (LPID)
Type: String
Source: Z-PI/PixQuery/Domain to HomeCommunityID mapping (responding LPID)
Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: REQUEST2
Type: String
Source: TokenIssuer Configuration REQUEST2
Area specific person identifier
FriendlyName: Area specific person identifier
Name: urn:elga:bes:2013:bPK-GH
Values: Contains the bPK-GH of the patient in CX format.
Type: URI
Source:

Z-PI/PixQuery/BPKDomain

The identifier of the PIX Query response matching the configured BPKDomain is used for this value.

XCA Home Community ID
FriendlyName: XCA Home Community ID of the initiating ZGF
Name: urn:ihe:iti:xca:2010:homeCommunityId
Values: Contains the Community ID of the initiating community
Type: URI
Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade
XCA Responding Home Community ID
FriendlyName: XCA Responding Home Community ID
Name: urn:elga:bes:2013:rsp-community
Values: Contains the Community ID of the responding community
Type: URI
Source: Z-PI/PixQuery/Domain to HomeCommunityID mapping (responding ZGF)
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the GDA from the GDA Index
Type: URI
Source: User I/urn:oasis:names:tc:xspa:1.0:subject:organization-id

Data elements: User II-Assertion attributes

Mandate II-Assertion

An XCA transaction or an eMed read transaction of a mandated ELGA participant via the Bürgerportal to the ZGF of the EBP triggers the ZGF to request ELGA Mandate II-Assertions via a WS-Trust RST. The Mandate II-Assertion is requested by the ZGF from the ETS via a WS-Trust transaction on the basis of a Mandate I-Assertion.

Mandate II-Assertion
Figure: Mandate II-Assertion

Assertion MandateII.xml

Assertion: Mandate II-Assertion

Data elements of the Mandate II-Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R

time instant of issuance in UTC

Format:

yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'

Issuer R address URI that identifies the endpoint of the issuing service. For the Mandate II-assertion, it is set as the URI representing the ETS
Subject R
NameID R

Identifier of the sending façade

Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade

@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R time instant at which the assertion expires. Value is set to 5 minutes (validity period)
@AudienceRestriction R This element contains the list of Audiences, i.e., the contexts (services) for which the STS issued the assertion. Current value is the URL of the target Bereiche
AuthnStatement R
@AuthnInstant R

time instant of authentication in UTC

Format:

yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'

AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R Mandate II identity attributes and permissions (see: Attributes of the Mandate II-Assertion)
Statement R An XACMLPolicyStatement ([SAMLv2.0 profile for XACMLv2.0]) containing the selected policy.
ds:Signature R Enveloped XML signature of the issuer of the Mandate II-Assertion

Data elements: Mandate II-Assertion

Attributes of the Mandate II-Assertion

ACTING PERSON BPK GH
FriendlyName: ACTING-PERSON-BPK-GH
Name: urn:elga:bes:2013:acting:bPK-GH
Values: bPK-GH of the acting PERSON
Type: URI
Source:

Mandate I/SubjectNameID^^^&1.2.40.0.10.2.1.1.149&ISO

The bPK-GH Domain ID is added to the SubjectNameID of the Mandate I-Assertion

User subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the acting PERSON
Type: String
Source: Mandate I/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Role of the User
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the role of the User, set as Vertreter eines ELGA-Teilnehmers
Type: HL7v3 coded value
Source: Mandate I/urn:oasis:names:tc:xacml:2.0:subject:role
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the Bürger to permissions
Type: URI
Source: Mandate I/urn:elga:bes:permission
Patient ID
FriendlyName: XSPA patient id
Name: urn:oasis:names:tc:xspa:1.0:resource:resource-id
Values: Contains the patient identifier in CX format (LPID)
Type: String
Source: Z-PI/PixQuery/Domain to HomeCommunityID mapping (responding LPID)
Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: MANDATE2
Type: String
Source: TokenIssuer Configuration MANDATE2
Area specific person identifier
FriendlyName: Area specific person identifier
Name: urn:elga:bes:2013:bPK-GH
Values: Contains the bPK-GH of the patient in CX format.
Type: URI
Source:

Z-PI/PixQuery/BPKDomain

The identifier of the PIX Query response matching the configured BPKDomain is used for this value.

XCA Home Community ID
FriendlyName: XCA Home Community ID
Name: urn:ihe:iti:xca:2010:homeCommunityId
Values: Contains the Community ID of the initiating community
Type: URI
Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade
XCA Responding Home Community ID
FriendlyName: XCA Responding Home Community ID
Name: urn:elga:bes:2013:rsp-community
Values: Contains the Community ID of the responding community
Type: URI
Source: Z-PI/PixQuery/Domain to HomeCommunityID mapping (responding ZGF)
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the GDA from the GDA Index
Type: URI
Source: Mandate I/urn:oasis:names:tc:xspa:1.0:subject:organization-id

Data elements: Mandate II-Assertion attributes
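The two bPK-GH attributes above are built from CX-formatted identifiers: the patient's value is the identifier of the PIX Query response whose assigning authority is the configured BPKDomain, and the acting person's value is the Mandate I SubjectNameID with the bPK-GH domain OID 1.2.40.0.10.2.1.1.149 appended. The following Python is an added example, not BeS or ZGF code; it parses and renders the CX form and performs that selection. The domain OID is the one quoted in the table; the sample PIX response values are constructed.

```python
"""CX identifier handling for the bPK-GH attributes (added example, not BeS code)."""

# bPK-GH assigning authority, as quoted in the ACTING-PERSON-BPK-GH row above
BPK_GH_DOMAIN_OID = "1.2.40.0.10.2.1.1.149"


def to_cx(id_number, assigning_authority_oid):
    """Render <id>^^^&<oid>&ISO, the HL7 CX form with an ISO OID assigning authority."""
    if not id_number or "^" in id_number or "&" in id_number:
        raise ValueError("identifier is empty or contains CX delimiters")
    return f"{id_number}^^^&{assigning_authority_oid}&ISO"


def parse_cx(cx):
    """Return (id_number, assigning_authority_oid) or raise ValueError on malformed input."""
    fields = cx.split("^")
    if len(fields) != 4 or not fields[0]:
        raise ValueError(f"not a 4-component CX value: {cx!r}")
    authority = fields[3].split("&")
    if len(authority) != 3 or authority[0] != "" or authority[2] != "ISO":
        raise ValueError(f"assigning authority is not &<oid>&ISO: {cx!r}")
    return fields[0], authority[1]


def select_identifier_for_domain(pix_identifiers, domain_oid):
    """Pick the single PIX response identifier whose assigning authority is the BPKDomain.

    Zero or several matches are treated as an error rather than guessed at."""
    matches = [cx for cx in pix_identifiers if parse_cx(cx)[1] == domain_oid]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one identifier in domain {domain_oid}, found {len(matches)}")
    return matches[0]


def acting_person_bpk_gh(mandate_i_subject_name_id):
    """ACTING-PERSON-BPK-GH: the Mandate I SubjectNameID with the bPK-GH domain appended."""
    return to_cx(mandate_i_subject_name_id, BPK_GH_DOMAIN_OID)


# Constructed PIX Query response: a local patient id in a made-up local domain plus the bPK-GH
SAMPLE_PIX_RESPONSE = [
    "LPID-12345^^^&1.2.40.0.10.99.1&ISO",                 # constructed local LPID domain
    "AbCdEf0123456789+/=^^^&1.2.40.0.10.2.1.1.149&ISO",   # constructed bPK-GH value
]

if __name__ == "__main__":
    print(select_identifier_for_domain(SAMPLE_PIX_RESPONSE, BPK_GH_DOMAIN_OID))
    print(acting_person_bpk_gh("XyZ987"))
```

The selection deliberately fails on zero or multiple matches: a PIX response that carries two identifiers in the BPK domain is a data error, and silently taking the first one would put an unverified identifier into a signed assertion.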

eMed Treatment-Assertion

An eMed transaction from a GDA or Bereich software to the ZGF that carries an eMedID assertion in the SOAP Security header in addition to the HCP assertion triggers the ZGF to request an ELGA eMed Treatment-Assertion via a WS-Trust RST.

When issuing an eMed Treatment-Assertion, the ETS performs no check of the contact confirmation (Kontaktbestätigung).

eMed Treatment-Assertion
Figure: eMed Treatment-Assertion

Assertion eMedTreatment.xml

Assertion: eMed Treatment-Assertion

Data elements of the eMed Treatment-Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R URN encoded unique identifier (UUID) of the assertion
@IssueInstant R

time instant of issuance in UTC

Format:

yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'

Issuer R address URI that identifies the endpoint of the issuing service. For the eMed Treatment-Assertion, it is set as the URI representing the ETS
Subject R
NameID R

Identifier of the sending facade.

Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade

@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R time instant at which the assertion expires. Value is set to 5 minutes (validity period)
@AudienceRestriction R This element contains the list of Audiences, i.e., the contexts (services) for which the STS issued the assertion. It contains the value of the remote target Bereich.
AuthnStatement R
@AuthnInstant R

time instant of authentication in UTC

Format:

yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'

AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ETS, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R eMed Treatment identity attributes and permissions (see: Attributes of the eMed Treatment-Assertion)
ds:Signature R Enveloped XML signature of the issuer of the eMed Treatment-Assertion
Statement R An XACMLPolicyStatement ([SAMLv2.0 profile for XACMLv2.0]) containing the selected policy.

Data elements: eMed Treatment-Assertion

Attributes of the eMed Treatment-Assertion
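The User II, Mandate II and eMed Treatment tables above share one structural profile: Version 2.0, NameID in the unspecified format, sender-vouches confirmation without SubjectConfirmationData, NotBefore equal to the issue instant, a 5-minute validity, an AudienceRestriction naming the target Bereich, AuthnContextClassRef PreviousSession, a PurposeOfUse attribute fixed per assertion type, and an enveloped signature. The following Python is an added example of how a receiving service would check those rules before trusting the attribute statement; it is not ETS or BeS code. It uses only the standard library, checks the signature for presence only (cryptographic verification needs an XML-DSig library), and the embedded assertion is a constructed sample with placeholder identifiers and endpoints.

```python
"""Structural validation of a BeS sender-vouches assertion (added example, not BeS code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PURPOSE_OF_USE = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
# yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z' from the tables; %f accepts the 3-digit fraction
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
MAX_LIFETIME = timedelta(minutes=5)  # validity period of these assertions


def parse_instant(value):
    """Parse the UTC timestamp format the tables prescribe into an aware datetime."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, expected_purpose, now):
    """Return the list of violations; an empty list means every structural check passed.
    The enveloped ds:Signature is only checked for presence, not verified."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml2"]:
        return ["root element is not saml2:Assertion"]
    if root.get("Version") != "2.0":
        errors.append("Version must be 2.0")
    if not root.get("ID"):
        errors.append("ID missing")
    try:
        issue_instant = parse_instant(root.get("IssueInstant") or "")
    except ValueError:
        return errors + ["IssueInstant missing or malformed"]

    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        errors.append("NameID missing or Format is not nameid-format:unspecified")
    confirmation = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != SENDER_VOUCHES:
        errors.append("SubjectConfirmation Method must be sender-vouches")
    elif confirmation.find("saml2:SubjectConfirmationData", NS) is not None:
        errors.append("SubjectConfirmationData must not be present")

    conditions = root.find("saml2:Conditions", NS)
    if conditions is None:
        errors.append("Conditions missing")
    else:
        not_before = parse_instant(conditions.get("NotBefore"))
        not_on_or_after = parse_instant(conditions.get("NotOnOrAfter"))
        if not_before != issue_instant:
            errors.append("NotBefore must equal IssueInstant")
        if not_on_or_after - not_before > MAX_LIFETIME:
            errors.append("lifetime exceeds 5 minutes")
        if not (not_before <= now < not_on_or_after):
            errors.append("assertion not yet valid or expired")
        audiences = [a.text for a in conditions.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:
            errors.append("this service is not among the AudienceRestriction values")

    class_ref = root.findtext(
        "saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", namespaces=NS)
    if class_ref != PREVIOUS_SESSION:
        errors.append("AuthnContextClassRef must be PreviousSession")

    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml2:AttributeValue", NS)]
        for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS)
    }
    if attributes.get(PURPOSE_OF_USE) != [expected_purpose]:
        errors.append("PurposeOfUse is not %s" % expected_purpose)
    if root.find("ds:Signature", NS) is None:
        errors.append("enveloped ds:Signature missing")
    return errors


# Constructed User II sample: placeholder endpoints, ID and NameID; signature body omitted
SAMPLE_USER_II = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0"
  ID="urn:uuid:00000000-0000-4000-8000-000000000001" IssueInstant="2024-01-15T10:00:00.000Z">
 <saml2:Issuer>https://ets.example.invalid/sts</saml2:Issuer>
 <ds:Signature><!-- constructed placeholder, no real signature --></ds:Signature>
 <saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:oid:1.2.3.4.5.6</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
 </saml2:Subject>
 <saml2:Conditions NotBefore="2024-01-15T10:00:00.000Z" NotOnOrAfter="2024-01-15T10:05:00.000Z">
  <saml2:AudienceRestriction><saml2:Audience>https://zgf-b.example.invalid/xca</saml2:Audience></saml2:AudienceRestriction>
 </saml2:Conditions>
 <saml2:AuthnStatement AuthnInstant="2024-01-15T09:59:30.000Z">
  <saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef></saml2:AuthnContext>
 </saml2:AuthnStatement>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse" FriendlyName="BeS Purpose of Use">
   <saml2:AttributeValue>REQUEST2</saml2:AttributeValue>
  </saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    now = parse_instant("2024-01-15T10:02:00.000Z")
    print(validate_assertion(SAMPLE_USER_II, "https://zgf-b.example.invalid/xca", "REQUEST2", now))
```

The audience check is the one that prevents replay of a valid assertion against a different Bereich; the clock is passed in explicitly so the same function can be used in tests and with a skew-tolerant source in production.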

HCP subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the physician
Type: String
Source: HCP/urn:oasis:names:tc:xacml:1.0:subject:subject-id
Structural Role of the HCP
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the ELGA role of the GDA, coming from the GDA Index
Type: HL7v3 coded value
Source: HCP/urn:oasis:names:tc:xacml:2.0:subject:role
Permissions
FriendlyName: Permissions
Name: urn:elga:bes:permission
Values: Contains a mapping from the ELGA role of the GDA or Bürger to a list of permissions
Type: URI
Source: HCP/urn:elga:bes:permission
Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded OID of the GDA from the GDA Index
Type: URI
Source: HCP/urn:oasis:names:tc:xspa:1.0:subject:organization-id
Patient ID
FriendlyName: XSPA patient id
Name: urn:oasis:names:tc:xspa:1.0:resource:resource-id
Values: Contains the patient identifier in CX format (bPK-GH for eMed)
Type: String
Source:

Z-PI/PixQuery/Domain to eMed Community mapping (responding LPID)

Only the bPK GH domain is used as possible destination (LPID) for eMed

Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: EMED_ID
Type: String
Source: TokenIssuer Configuration EMED_ID
Area specific person identifier
FriendlyName: Area specific person identifier
Name: urn:elga:bes:2013:bPK-GH
Values: Contains the bPK-GH of the patient in CX format.
Type: URI
Source: Z-PI/PixQuery/BPKDomain
XCA Home Community ID
FriendlyName: XCA Home Community ID
Name: urn:ihe:iti:xca:2010:homeCommunityId
Values: Contains the Community ID of the initiating community
Type: URI
Source: RST/Claims/urn:tiani-spirit:bes:2013:claims:calling-facade
XCA Responding Home Community ID
FriendlyName: XCA Responding Home Community ID
Name: urn:elga:bes:2013:rsp-community
Values: Contains the Community ID of the responding community (eMed)
Type: URI
Source: Configured eMed specific HomeCommunityID

Data elements: eMed Treatment-Assertion attributes

Community Assertions

ELGA Treatment-Assertions, which are used for ZGF-to-ZGF communication, are not forwarded to the ELGA Bereich. Instead of the ELGA Treatment-Assertion, a new ELGA Community Assertion is issued. Attributes from the "saml2:AttributeStatement" of the Treatment-Assertion are carried over into the newly issued Community Assertion for the ELGA Bereich. Not carried over is, among other things, the "XACMLPolicyStatement", which contains the policies of the ELGA participant. The endpoint of the addressed service of the ELGA Bereich is used as the "AudienceRestriction". The ZGF that issues the assertion is used as the "saml2:Subject". The assertion is passed to the Bereich in the SOAP Security header.

Community Assertion
Figure: Community Assertion

Local ELGA Community Assertion:

Assertion LokalELGACommunity.xml

Assertion: Local ELGA Community Assertion

Data elements of the Local ELGA Community Assertion

Assertion Element Opt Usage Convention
@Version R MUST be "2.0"
@ID R SAML assertion identifier NCName encoded (see section 1.3.4 of [SAMLCORE])
@IssueInstant R

Time instant of issuance in UTC

Format:

yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'

Issuer R Address URI that identifies the endpoint of the issuing service.
Subject R
NameID R

"home community ID of the ELGA Bereich"

Source: home community configuration value of the ZGF

@Format R "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SubjectConfirmation R
@Method R "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
SubjectConfirmationData X Not present
Conditions R
@NotBefore R Time instant from which the assertion is usable. It is set to the issue instant
@NotOnOrAfter R Time instant at which the assertion expires. Value is set to 5 minutes (validity period)
@AudienceRestriction R This element contains the list of Audiences, i.e., the contexts (services) for which the STS issued the assertion. Contains the value of the endpoint that is contacted.
AuthnStatement R
@AuthnInstant R

Time instant of authentication in UTC

Format:

yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'

AuthnContext R
AuthnContextClassRef R Since the user has already been authenticated in a previous session (which may be unknown to the ZGF, given the BeS trust relationship assumptions), the value is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
AttributeStatement R Local ELGA Community Assertion identity attributes (see: Attributes of the Local ELGA Community Assertion)
ds:Signature R Enveloped XML signature of the issuer of the Assertion (see: Assertion signature layout)

Attributes of the Local ELGA Community Assertion

CommunityAssertion subject name
FriendlyName: XSPA Subject
Name: urn:oasis:names:tc:xacml:1.0:subject:subject-id
Values: Human readable name of the XSPA Subject of the input assertion
Type: String
Source:

Assertion usedAssertion = {"Treatment", "eMed Treatment", "User II", "Mandate II", "HCP"}

value = [usedAssertion]/urn:oasis:names:tc:xacml:1.0:subject:subject-id

Structural Role of the CommunityAssertion
FriendlyName: ELGA Rolle
Name: urn:oasis:names:tc:xacml:2.0:subject:role
Values: Contains the ELGA role of the input assertion
Type: HL7v3 coded value
Source:

Assertion usedAssertion = {"Treatment", "eMed Treatment", "User II", "Mandate II", "HCP"}

value = [usedAssertion]/urn:oasis:names:tc:xacml:2.0:subject:role

Healthcare Professional Organisation ID
FriendlyName: XSPA Organization Id
Name: urn:oasis:names:tc:xspa:1.0:subject:organization-id
Values: URN encoded XSPA Organization ID of the input assertion if available – not available for citizen access
Type: URI
Source:

Assertion usedAssertion = {"Treatment", "eMed Treatment", "User II", "Mandate II", "HCP"}

value = [usedAssertion]/urn:oasis:names:tc:xspa:1.0:subject:organization-id

This value will be NULL if no Treatment-Assertion but only the HCP assertion is available

Purpose of Use
FriendlyName: BeS Purpose of Use
Name: urn:oasis:names:tc:xspa:1.0:subject:purposeofuse
Values: LOCAL_REQUEST for regular accesses via the ZGF; ZGF_CDD for accesses from the CDD.
Type: String
Source: TokenIssuer Configuration: LOCAL_REQUEST
ReOptIn DateTime
FriendlyName: Last re OPT-IN date time of the patient
Name: urn:elga:bes:2013:reOptInDate
Values: Only available for eMed (PHARM and ITI-XX) transactions. The attribute will not exist if the patient has never performed a re-OPT-IN.
Type: DateTime
Source: TreatmentAssertion/XACMLPolicyStatementType/PolicySet specific service reOptInDate (contains the most recent date of reOptIn, serviceReOptIn or service deletion. The responding service is not allowed to return any data older than the passed reOptIn date.)
Area specific person identifier
FriendlyName: Area specific person identifier
Name: urn:elga:bes:2013:bPK-GH
Values: Contains the bPK-GH of the patient in CX format.
Type: URI
Source:

Assertion usedAssertion = {"Treatment", "eMed Treatment", "User II", "Mandate II", "HCP"}

value = [usedAssertion]/urn:elga:bes:2013:bPK-GH

This attribute will not exist if no Treatment-Assertion but only the HCP assertion is available

Area specific person identifier of the acting Person
FriendlyName: ACTING-PERSON-BPK-GH
Name: urn:elga:bes:2013:acting:bPK-GH
Values: Contains the bPK-GH of the acting person in CX format.
Type: URI
Source:

Assertion usedAssertion = {"Treatment", "eMed Treatment", "User II", "Mandate II", "HCP"}

value = [usedAssertion]/urn:elga:bes:2013:acting:bPK-GH

This attribute will be NULL if no Mandate* assertion is used

ELGA Personal Role
FriendlyName: ELGA Personal Role
Name: urn:elga:bes:personal-role
Values: Role of the identified person according to ELGA_GTelVoGDARollen (Austrian e-Health Terminology Browser) with the parent attribute "10 Teil1: Rollen für Personen"
Type: String
Source:

ELGA Personal Role from the NCPeH context assertion on whose basis the NCPeH context Treatment-Assertion was issued

Data elements: Local ELGA Community Assertion
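The Community Assertion section and the attribute table above describe a derivation rather than a lookup: subject-id and role are always taken from the input assertion, organization-id, bPK-GH and the acting person's bPK-GH only when the input carries them, PurposeOfUse is fixed to LOCAL_REQUEST (ZGF_CDD from the CDD), reOptInDate is added only for eMed transactions as the most recent of the policy set's re-opt-in, service re-opt-in and service-deletion dates, the XACMLPolicyStatement is dropped, the ZGF's home community ID becomes the Subject, and the contacted endpoint becomes the Audience. The Python below is an added example of that derivation, not ZGF code. The dict layout for the input assertion, the policy-set key names (`reOptInDate`, `serviceReOptInDate`, `serviceDeletionDate`) and all sample values are assumptions constructed for the example.

```python
"""Derive Local ELGA Community Assertion content from an input assertion (added example, not ZGF code)."""

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ORG_ID = "urn:oasis:names:tc:xspa:1.0:subject:organization-id"
PURPOSE_OF_USE = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
BPK_GH = "urn:elga:bes:2013:bPK-GH"
ACTING_BPK_GH = "urn:elga:bes:2013:acting:bPK-GH"
REOPTIN_DATE = "urn:elga:bes:2013:reOptInDate"

INPUT_KINDS = {"Treatment", "eMed Treatment", "User II", "Mandate II", "HCP"}
REQUIRED_FROM_INPUT = (SUBJECT_ID, ROLE)
# Not every input carries these: no organization-id for citizen access, no bPK-GH with a
# bare HCP assertion, no acting bPK-GH unless a Mandate assertion was involved.
COPIED_IF_PRESENT = (ORG_ID, BPK_GH, ACTING_BPK_GH)


def most_recent_reoptin(policy_set):
    """Most recent of the re-opt-in, service re-opt-in and service-deletion dates, or None.

    Dates are assumed to be UTC strings in the assertions' yyyy-MM-ddTHH:mm:ss.fffZ format,
    which sort chronologically as plain strings. Key names are assumptions for this example."""
    dates = [policy_set.get(k) for k in ("reOptInDate", "serviceReOptInDate", "serviceDeletionDate")]
    dates = [d for d in dates if d]
    return max(dates) if dates else None


def build_community_assertion(input_kind, input_assertion, zgf_home_community_id, endpoint,
                              from_cdd=False, emed_transaction=False):
    """Return the Community Assertion content as a dict: subject, audience and attributes.

    The input's XACMLPolicyStatement (key "policy_set" here) is read only for reOptInDate
    and is never carried over."""
    if input_kind not in INPUT_KINDS:
        raise ValueError(f"unsupported input assertion type: {input_kind}")
    source = input_assertion["attributes"]
    attrs = {}
    for name in REQUIRED_FROM_INPUT:
        if name not in source:
            raise ValueError(f"input assertion lacks required attribute {name}")
        attrs[name] = source[name]
    for name in COPIED_IF_PRESENT:
        if name in source:
            attrs[name] = source[name]
    attrs[PURPOSE_OF_USE] = "ZGF_CDD" if from_cdd else "LOCAL_REQUEST"
    if emed_transaction:
        date = most_recent_reoptin(input_assertion.get("policy_set", {}))
        if date is not None:
            attrs[REOPTIN_DATE] = date
    return {
        "subject_name_id": zgf_home_community_id,  # the ZGF issuing the assertion
        "audience": [endpoint],                     # the contacted service of the Bereich
        "attributes": attrs,
    }


# Constructed inputs with placeholder values
SAMPLE_TREATMENT = {
    "attributes": {
        SUBJECT_ID: "Dr. Example Physician",
        ROLE: "constructed-hl7v3-role-code",
        ORG_ID: "urn:oid:1.2.3.4.5.6.7",
        BPK_GH: "AbCdEf0123456789+/=^^^&1.2.40.0.10.2.1.1.149&ISO",
    },
    "policy_set": {"reOptInDate": "2023-11-02T08:00:00.000Z",
                   "serviceReOptInDate": "2024-01-10T12:30:00.000Z"},
}
SAMPLE_MANDATE_II = {
    "attributes": {
        SUBJECT_ID: "Max Mustermann",
        ROLE: "Vertreter eines ELGA-Teilnehmers",
        BPK_GH: "AbCdEf0123456789+/=^^^&1.2.40.0.10.2.1.1.149&ISO",
        ACTING_BPK_GH: "XyZ987^^^&1.2.40.0.10.2.1.1.149&ISO",
    },
    "policy_set": {"reOptInDate": "2023-05-01T00:00:00.000Z"},
}

if __name__ == "__main__":
    print(build_community_assertion("Treatment", SAMPLE_TREATMENT, "urn:oid:9.9.9.1",
                                    "https://bereich.example.invalid/xds", emed_transaction=True))
```

Because the policy statement is consumed here and not re-emitted, the Bereich receives only the attributes it needs for its own access decision and never the patient's full policy set, which is the point of issuing a fresh Community Assertion instead of forwarding the Treatment-Assertion.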