Auth subject-id Research

Please contribute your comments via the discussion tab above. Outcomes and resolution will be added at the bottom of this page.

Missing subject-id in SAML Attribute Statement
While running conformance testing for VLER, the NHIN Test Team found that 3 out of 4 VLER pilot participants had omitted the subject-id attribute from the SAML Attribute Statement. Section 3.3.2.1 of the NHIN Authorization Framework specification is quoted below. Both the NHIN specification and the underlying OASIS XSPA profile list subject-id as a required attribute. Section 2.12.1 of XSPA states that "Name is the name of the user as required by HIPAA Privacy Disclosure Accounting. The name will be typed as a string and in plain text..."

> **Subject ID Attribute**
>
> This `<Attribute>` element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:subject-id”. The name of the user as required by HIPAA Privacy Disclosure Accounting shall be placed in the value of the `<AttributeValue>` element. (Keep in mind that the term “subject” in SAML and XACML refers to the individual making the request; in this specification, the term “User” is generally used with the same meaning, but when referring to attributes defined in SAML or XACML, the naming convention of the standard is retained.)
>
> An example of the syntax of this element is as follows:
>
> ```xml
> <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
>   <saml:AttributeValue>Walter H.Brattain IV</saml:AttributeValue>
> </saml:Attribute>
> ```
>
> The NHIN Trial Implementation “UserName” attribute has been replaced by the Subject ID attribute defined in this section.

Spec Factory SMEs are asked to review and consider this issue and to make a recommendation as to its severity and the actions the NHIN Coordinating Committee should take.
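The check the conformance test performs can be written down. The following Python is an added example for this page, not code from the NHIN specification, the NHIN Test Team or any VLER participant: it parses a SAML 2.0 assertion, finds the saml:Attribute whose Name is urn:oasis:names:tc:xspa:1.0:subject:subject-id inside the AttributeStatement, and reports whether that attribute is missing (what 3 of 4 participants shipped), empty, or not the plain-text string XSPA requires. The sample assertions, the Issuer URL and the second attribute name (urn:example:other-attribute) are constructed for illustration and are not taken from the specification.

```python
"""Check a SAML 2.0 assertion for the XSPA subject-id attribute.

Added example for this page; not code from the NHIN specification, the
NHIN Test Team or any VLER participant. The sample assertions below are
constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SUBJECT_ID_NAME = "urn:oasis:names:tc:xspa:1.0:subject:subject-id"


def _assertion(attribute_statement: str) -> str:
    """Wrap an AttributeStatement body in a minimal constructed assertion."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
        'IssueInstant="2011-04-18T00:00:00Z">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"  # constructed issuer
        f"<saml:AttributeStatement>{attribute_statement}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed samples. OTHER_ATTR is a placeholder standing in for the
# remaining attributes a real statement would carry (name is hypothetical).
OTHER_ATTR = ('<saml:Attribute Name="urn:example:other-attribute">'
              "<saml:AttributeValue>placeholder</saml:AttributeValue></saml:Attribute>")

CONFORMANT = _assertion(
    f'<saml:Attribute Name="{SUBJECT_ID_NAME}">'
    "<saml:AttributeValue>Walter H.Brattain IV</saml:AttributeValue>"
    "</saml:Attribute>" + OTHER_ATTR)
# What the test team found: statement present, subject-id omitted entirely.
MISSING = _assertion(OTHER_ATTR)
# Attribute present but carrying no name.
EMPTY = _assertion(
    f'<saml:Attribute Name="{SUBJECT_ID_NAME}"><saml:AttributeValue/></saml:Attribute>'
    + OTHER_ATTR)
# Structured content instead of the plain-text string XSPA requires.
NESTED = _assertion(
    f'<saml:Attribute Name="{SUBJECT_ID_NAME}"><saml:AttributeValue>'
    '<n:Name xmlns:n="urn:example:nested">Walter</n:Name>'
    "</saml:AttributeValue></saml:Attribute>" + OTHER_ATTR)


def subject_id_values(assertion_xml: str) -> List[ET.Element]:
    """Return every AttributeValue of the subject-id attribute(s) in the assertion."""
    root = ET.fromstring(assertion_xml)
    values: List[ET.Element] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        # Exact match on the Name attribute; NameFormat is not constrained here.
        if attr.get("Name") == SUBJECT_ID_NAME:
            values.extend(attr.findall("saml:AttributeValue", NS))
    return values


def check_subject_id(assertion_xml: str) -> Optional[str]:
    """Return None when subject-id is present and usable, else the failure reason."""
    try:
        values = subject_id_values(assertion_xml)
    except ET.ParseError as exc:
        return f"malformed: {exc}"
    if not values:
        return "missing: no saml:Attribute with Name=" + SUBJECT_ID_NAME
    if len(values) != 1:
        return f"ambiguous: {len(values)} AttributeValue elements for subject-id"
    value = values[0]
    if len(value):  # child elements mean the value is not a plain-text string
        return "not plain text: AttributeValue contains child elements"
    if not (value.text or "").strip():
        return "empty: subject-id AttributeValue carries no name"
    return None


def extract_subject_id(assertion_xml: str) -> Optional[str]:
    """The user name to record for disclosure accounting, or None if the check fails."""
    if check_subject_id(assertion_xml) is not None:
        return None
    return subject_id_values(assertion_xml)[0].text.strip()


if __name__ == "__main__":
    for label, sample in [("conformant", CONFORMANT), ("missing", MISSING),
                          ("empty", EMPTY), ("nested", NESTED)]:
        print(f"{label:10s} -> {check_subject_id(sample) or 'OK'}")
```

This is a structural check only: it says nothing about whether the assertion was signed by a trusted IdP, and a relying party should run it after signature validation, on the assertion it actually accepted, since the value it returns is what ends up in the disclosure-accounting record.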

John.Moehrke (Yesterday, 10:53 pm):

If the requesting (IdP) organization can provide a lookup function for converting the SAML subject identity to the descriptive name, then this should not be mandatory. Making this mandatory for each transaction adds additional overhead to the requesting transaction.

It is also not completely clear that HIPAA mandates a descriptive name of the individual that the data was disclosed to. The HIPAA Accounting of Disclosures indicates a need for the "Name". It is not clear what "Name" means.

Spec Factory Feedback

Eric Heflin (2011-04-18): This is being tracked as issue #42 in the Google Docs issue tracker spreadsheet. Please see that link for the current status of this issue.