Authorization Framework Page 4

= 4 Error Handling =

No additional faults are specified beyond the basic SOAP faults as identified in the NHIN Messaging Platform Service Interface Specification.

= 5 Auditing =

See each NHIN service specification for specification-specific audit events.

= Appendix A: SAML Assertion Rules =

1. Each NHIN Request shall have a  element which contains the entire SAML token. This is per the Web Services Security: SAML Token Profile 1.1 specification. As per the same specification, the  tags should also be present after the saml:Assertion.
2. Each NHIN Request shall have a saml:Assertion element containing child elements saml:Issuer, saml:Subject, saml:AuthnStatement, and saml:AttributeStatement. (No saml:Assertion element is required on a response to a NHIN Request.)
3. The saml:Issuer element shall identify the individual responsible for issuing the Assertions carried in the message. This is normally the system security officer for the sending NHIO.
4. The saml:Issuer element may use any of the Name Identifier Formats defined in Section 8.3 of the SAML 2.0 Specification.
5. The saml:Subject element shall identify the individual issuing the request -- the "end user". The saml:Subject element may use only the Name Identifier Formats for "X509SubjectName" and "emailAddress".
6. The saml:AuthnStatement shall contain one saml:AuthnContextClassRef element identifying the method by which the subject was authenticated. Other optional elements of saml:AuthnStatement may also be included.
7. The saml:AttributeStatement shall contain six Attributes: Subject ID, Subject Organization, Subject Role, Purpose of Use, Home Community ID, and Organization ID.
8. The value of the Subject ID and Subject Organization attributes shall be a plain text description of the user's name (not user ID) and organization, respectively. These are primarily intended to support auditing.
9. The value of the Role attribute shall be a urn:hl7-org:v3:CE element, specifying the coded value representing the issuing user's role, choosing from the value set listed in the specification. The codeSystem attribute of this element must be present, and must specify the OID of the SNOMED CT code system, 2.16.840.1.113883.6.96.
10. The value of the Purpose of Use attribute shall be a urn:hl7-org:v3:CE element, specifying the coded value representing the user's purpose in issuing the request, choosing from the value set listed in this specification. The codeSystem attribute of this element must be present, and must specify the OID of the "Purpose of Use" code system created by the NHIN Cooperative, 2.16.840.1.113883.3.18.7.1.
11. The value of the Patient Identifier attribute MUST be specified when the InstanceAccessConsentPolicy attribute is specified in an Authorization Decision Statement.
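A receiving gateway has to enforce the rules above before it trusts the attributes in a token. The validator below is an added example written for this page, not code from the NHIN specification or any NHIN implementation. It checks rules 2, 5, 6, 7, 9 and 10 over a constructed sample assertion: the required child elements, the two permitted Subject NameID formats (the SAML 2.0 Section 8.3 URIs for X509SubjectName and emailAddress), exactly one AuthnContextClassRef, the six required attributes, and the codeSystem OIDs the page mandates for Role and Purpose of Use. The page names the six attributes only by label; the attribute Name URIs in REQUIRED_ATTRIBUTES are an assumption for this example and should be taken from the full specification, as are the sample codes, OIDs and identities in sample_assertion.

```python
"""Checker for the Appendix A SAML assertion rules (added example)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HL7 = "urn:hl7-org:v3"
NS = {"saml": SAML, "hl7": HL7}

# Rule 5: the only Name Identifier Formats allowed on saml:Subject.
ALLOWED_SUBJECT_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
# Rules 9 and 10: mandated codeSystem OIDs for the two coded attributes.
SNOMED_CT_OID = "2.16.840.1.113883.6.96"
PURPOSE_OF_USE_OID = "2.16.840.1.113883.3.18.7.1"

# ASSUMPTION: the page lists the six attributes by label only; these Name
# URIs are assumed for the example and must be confirmed against the spec.
REQUIRED_ATTRIBUTES = {
    "Subject ID": "urn:oasis:names:tc:xspa:1.0:subject:subject-id",
    "Subject Organization": "urn:oasis:names:tc:xspa:1.0:subject:organization",
    "Subject Role": "urn:oasis:names:tc:xacml:2.0:subject:role",
    "Purpose of Use": "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse",
    "Home Community ID": "urn:nhin:names:saml:homeCommunityId",
    "Organization ID": "urn:oasis:names:tc:xspa:1.0:subject:organization-id",
}


def _coded_value_ok(attr, expected_oid):
    """Rules 9/10: AttributeValue wraps a urn:hl7-org:v3 CE element whose
    codeSystem attribute is present and equals the expected OID."""
    value = attr.find("saml:AttributeValue", NS)
    if value is None or len(value) == 0:
        return False
    ce = value[0]  # first child element of the AttributeValue
    if not ce.tag.startswith("{" + HL7 + "}"):
        return False
    return ce.get("codeSystem") == expected_oid


def validate_assertion(xml_text):
    """Return the list of rule violations; an empty list means the token passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        return ["root element is not saml:Assertion"]
    # Rule 2: required child elements.
    for child in ("Issuer", "Subject", "AuthnStatement", "AttributeStatement"):
        if root.find("saml:" + child, NS) is None:
            problems.append("missing saml:%s" % child)
    # Rule 5: Subject NameID format.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("saml:Subject has no saml:NameID")
    elif name_id.get("Format") not in ALLOWED_SUBJECT_FORMATS:
        problems.append("NameID Format not permitted: %r" % name_id.get("Format"))
    # Rule 6: exactly one AuthnContextClassRef.
    refs = root.findall("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if len(refs) != 1:
        problems.append("expected one saml:AuthnContextClassRef, found %d" % len(refs))
    # Rules 7, 9, 10: the six attributes and the two coded values.
    attrs = {a.get("Name"): a for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for label, name in REQUIRED_ATTRIBUTES.items():
        if name not in attrs:
            problems.append("missing attribute %s (%s)" % (label, name))
    role = attrs.get(REQUIRED_ATTRIBUTES["Subject Role"])
    if role is not None and not _coded_value_ok(role, SNOMED_CT_OID):
        problems.append("Subject Role is not a CE element coded in SNOMED CT")
    pou = attrs.get(REQUIRED_ATTRIBUTES["Purpose of Use"])
    if pou is not None and not _coded_value_ok(pou, PURPOSE_OF_USE_OID):
        problems.append("Purpose of Use is not a CE element coded in the NHIN Purpose of Use system")
    return problems


def sample_assertion(subject_format, role_code_system):
    """Constructed sample token (not from the spec); the two parameters let a
    caller produce both a conforming and a non-conforming assertion."""
    def attr(name, body):
        return '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>' % (name, body)
    a = REQUIRED_ATTRIBUTES
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:hl7="%s" Version="2.0" ID="_example">' % (SAML, HL7)
        + '<saml:Issuer>CN=Security Officer,O=Example NHIO</saml:Issuer>'
        + '<saml:Subject><saml:NameID Format="%s">user@example.org</saml:NameID></saml:Subject>' % subject_format
        + '<saml:AuthnStatement AuthnInstant="2009-01-01T00:00:00Z"><saml:AuthnContext>'
        + '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>'
        + '</saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement>'
        + attr(a["Subject ID"], "Jane Example")
        + attr(a["Subject Organization"], "Example Hospital")
        + attr(a["Subject Role"], '<hl7:Role code="46255001" codeSystem="%s" displayName="Pharmacist"/>' % role_code_system)
        + attr(a["Purpose of Use"], '<hl7:PurposeOfUse code="TREATMENT" codeSystem="%s" displayName="Treatment"/>' % PURPOSE_OF_USE_OID)
        + attr(a["Home Community ID"], "urn:oid:1.2.3.4.5")        # constructed placeholder OID
        + attr(a["Organization ID"], "urn:oid:1.2.3.4.5.1")      # constructed placeholder OID
        + '</saml:AttributeStatement></saml:Assertion>'
    )


if __name__ == "__main__":
    print(validate_assertion(sample_assertion("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", SNOMED_CT_OID)))
    print(validate_assertion(sample_assertion("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "1.2.3")))
```

The checker only covers what Appendix A states about the assertion body; it does not verify the signature on the token or the wsse header that carries it, which a gateway must also do before any of these attribute values are used for an access decision.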