Non-Gateway IDP Issue

Context: There is a simplifying assumption in the NHIN security mechanisms that a NHIN Participant's gateway will serve as the identity provider for that organization. Included in that assumption is the idea that the NHIN-issued PKI certificate that an organization uses for mutual authentication would also be used for any message signing or encryption mechanism. However, the expectation is that over time some NHIN Participants may choose to use a third-party identity provider and thus potentially another PKI certificate (issued by that third party). In such cases the following considerations exist:


 * If a third-party IdP is used, then the NHIN Participant should include a digital signature made using the PKI cert of the IdP. The publicKey for that token should be included with the digital signature in the SAML header.
 * The usefulness of storing a NHIN Participant's publicKey is questionable, as there is no way to differentiate between the key used for mutual authentication and the one used for identity.
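As an added example (not part of the NHIN specification or of this page), the Go program below shows one way to address the second point: a participant's public keys are stored tagged by purpose, and a SAML-header signature is verified only against the key registered for identity, after checking that the key embedded in the header is that registered key rather than an arbitrary one. It assumes an RSA/SHA-256 signature over the assertion bytes; the keys, participant name and assertion are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Purpose tags what a stored participant key may be used for, so the
// mutual-auth (TLS) key and the IdP identity key are never confused.
type Purpose string

const PurposeMutualAuth Purpose = "mutual-auth" // NHIN-issued gateway cert
const PurposeIdentity Purpose = "identity"      // third-party IdP cert that signs SAML

// KeyRegistry maps participant -> purpose -> trusted public key.
type KeyRegistry map[string]map[Purpose]*rsa.PublicKey

// SignAssertion signs a SAML-style assertion (SHA-256, PKCS#1 v1.5) with an IdP key.
func SignAssertion(priv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	h := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifyAssertion checks the signature on an assertion. The key carried in the
// SAML header (embeddedKey) is not trusted by itself: it must equal the key
// registered for this participant under PurposeIdentity, so a signature made
// with the mutual-auth key, or with any other supplied key, is rejected.
func (r KeyRegistry) VerifyAssertion(participant string, embeddedKey *rsa.PublicKey, assertion, sig []byte) error {
	trusted, ok := r[participant][PurposeIdentity]
	if !ok {
		return fmt.Errorf("no identity key registered for %s", participant)
	}
	if !trusted.Equal(embeddedKey) {
		return fmt.Errorf("embedded key is not the registered identity key for %s", participant)
	}
	h := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(trusted, crypto.SHA256, h[:], sig)
}

func main() {
	tlsKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample keys
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	reg := KeyRegistry{"org-a": {PurposeMutualAuth: &tlsKey.PublicKey, PurposeIdentity: &idpKey.PublicKey}}
	assertion := []byte(`<saml:Assertion ID="constructed-sample"/>`)
	sig, _ := SignAssertion(idpKey, assertion)
	fmt.Println("IdP key:", reg.VerifyAssertion("org-a", &idpKey.PublicKey, assertion, sig))
	sig, _ = SignAssertion(tlsKey, assertion) // same participant, wrong-purpose key
	fmt.Println("TLS key:", reg.VerifyAssertion("org-a", &tlsKey.PublicKey, assertion, sig))
}
```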