70 likes | 145 Vues
Cross-Enterprise User Authentication Year 2 March 16, 2006. John F. Moehrke GE Healthcare IT Infrastructure Technical Committee. Cross-Enterprise User Authentication Value Proposition. Extend User Identity to Affinity Domain Users include Providers, Patients, Clerical, etc
E N D
Cross-Enterprise User Authentication Year 2 March 16, 2006 John F. Moehrke GE Healthcare IT Infrastructure Technical Committee
Cross-Enterprise User AuthenticationValue Proposition • Extend User Identity to Affinity Domain • Users include Providers, Patients, Clerical, etc • Must supports cross-enterprise transactions, can be used inside enterprise • Distributed or Centralized. • Provide information necessary so that receiving actors can make Access Control decisions • Does not include Access Control mechanism • Provide information necessary so that receiving actors can produce detailed and accurate Security Audit Trail ITI Technical Committee
XUA – Circle of Trust (e.g. XDS Affinity Domain) XDS Patient ID Source Key: Original Transaction XUA modification Use-Case number ‘n’ St. Johns Auth Prov ID Prov n 1a HL7 v2 XDS Registry 0a 1b User auth HL7 v3 North Clinic Internal Exported Radiologist Reporting 4 XDS Query Auth Prov ID Prov 5 XDS Register 3 2a XDS Provide & Register 0b XDS Repository 6 Any DICOM XDS Retrieve Family Doctor PACS 2b Any DICOM LAB RID (Browser) 7 ITI Technical Committee
Open Issues • XUA: Need all transactions where XUA is needed to support one method • XDS-Retrieve new option using Web-Services? • Provide/Register continues to not include XUA? • Query with XUA only with new stored query? • DICOM • DICOM standard support for SAML not yet done. • WADO: Not clear how to solve. Currently recommend Browser profile • PIX/PDQ • There is still times when user is not relevant, thus HL7 v2 is not invalid • Solution that doesn’t use SAML (Simple text user identity)? • What is the risk we are trying to mitigate? • Are the overrides appropriate mitigation vs the risk? • Assertion content (e.g. Specific attributes)? • Could include PWP attributes. • Likely need PWP updated first with clinical attributes from ISO. • Patient vs. Provider? Do we have specific attributes that are required of patients? • What do we do when the Service User is not a ‘service’? • Continue to utilize ATNA: TLS: Certificates? • Utilize SAML’s ability to assert a service identity? • Possibly do this in an appendix • Policy: The clinical user that is typically identified in the transaction is not likely to be a clinical user but rather a clerical individual. • Future could leverage SAML delegation as that mechanism matures • Actor/Transaction • The actor and transaction layout for Browser SSO is different from the one we want to use for Web-Services/DICOM ITI Technical Committee
Recommendation • Browsers – SAML v2.0 SSO and ECP profile (as is currently written) • DICOM – SAML v2.0 Assertions encoded using DICOM user identity mechanism (currently in progress in DICOM) • HL7 v2 – NOT SUPPORTED • HL7 v3 – Supported when bound to Web-Services • Web-Services – Next version of WS-I Basic Security Profile that includes WS-SX standard ITI Technical Committee
Cross-Enterprise User Authentication Three Year Plan • 2005: defined the use-cases and identified standards gaps • Profiled solution for Browser sessions • Profiled solution for HL7 v2 (should we remove?) • 2006: Set the stage (Work on non Web-Services parts) • Encourage XDS-Retrieve using Web-Service • Encourage XDS-Stored Query using Web-Services • Encourage PIX/PDQ with HL7 V3 using Web-Services • Update PWP with ASTM and ISO attributes so they can be available in SAML • Define attribute so that clinician, clerical, and patient are properly identified • Define SAML Assertion content, assurance levels. • Appendix to describe solution when ‘Service User’ is a ‘Service’ • Late 2006: support Web-Services transactions • Endorse: WS-Security, WS-SX, WS-I Basic Security Profile. • 2007: add other transactions • Profile DICOM transactions. ITI Technical Committee
Meetings / Tcon • Update usecases, and Actor/Transaction layout. Add of Patient as user. Add of ‘service’ as user comment. • April 17 at 11:30 – 1:30 Central • Work on Assertion content requirements. Work on PWP integration of ISO dataset, talk about Patient • May 15 at 11:30 – 1:30 Central • Build section on Web-Services. Likely will duplicate much of what we expect in WS-I ITI Technical Committee