Cross-Enterprise Security and Privacy Authorization · 2008. 10. 27.

Date post: 22-Jan-2021
Cross-Enterprise Security and Privacy Authorization
Transcript
Page 1: Cross-Enterprise Security and Privacy Authorization · 2008. 10. 27. · STS XSPAPolicyEnforcement PIP Policy Decision Point PAP OpenSSObrokers XacmlRequest WS-Trust Interop Coarse

Cross-Enterprise Security and Privacy Authorization

Page 2

Cross-Enterprise Security and Privacy Authorization Interop

Goal:

•Demonstrate WS-Trust aspects of HITSP TP-20

•Demonstrate SAML aspects of HITSP TP-20

•Satisfy XSPA Use Cases

•Produce real-time outputs of request/responses

Assumptions:

•Access control decision in consumer security domain is black boxed

•Single XACML Policy Decision Point is made available to all participants for testing

•Code is made available to vendors to create on-site test beds

•Clinical data repository and services available in San Diego

Vendor Participation:

•Slides identify components and the points where vendors plug in

•Vendors can choose to host everything except the clinical repository and services

VA Delivered Components:

•Test clients and services

•Security Admin console – Patient Consent Directives, Object/Action pairings, required Permissions, and purpose of use

•Lite Electronic Health Record Application

•Simplistic tests to validate configurations

•Use Cases

•XACML Policies

Page 3

Cross-Enterprise Security and Privacy Authorization Interop

SAML v2.0

Page 4

SAML v2.0 Interop: Coarse Grain Access Control Validation

Simple Patient Lookup – Only ASTM 1986 Role is Required

XACML Components are not included in this test of WS-Trust

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Clients and services: XSPASAMLInteropClient, XSPASAMLInteropOne, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Physician
•Exec: Test Client.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Abbreviations:

•ACS – Access Control System
•STS – Security Token Service
•PIP – Policy Information Point
•PAP – Policy Administration Point
•IDP – Identity Provider (Subject Attributes)

Page 5

SAML v2.0 Interop: Fine Grain Access Control Validation

Simple Patient Lookup – Permission Requirements Enforced

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Permissions: Service Permission Requirements; Action/Object Pairing; Permission Admin Interface; HL7 Permission
•PRD-006
•Application asserts: <subject:purposeofuse>
•Clients and services: XSPASAMLInteropClient, XSPASAMLInteropTwo, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Physician
•Exec: Test Client2.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Page 6

SAML v2.0 Interop: Fine Grain Access Control Validation

Simple Patient Lookup – Permissions Enforced, Patient Consent Directives Enforced

(SAML Version of simplistic Patient Authorization)

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Permissions: Service Perm Reqmts; Action/Object Pairing; Permission Admin Interface; HL7 Permission
•Patient elections: Patient Opt-In/Opt-Out; Patient Elections Interface; Opt-In results thru creation of patient elections
•PRD-006
•Application asserts: <subject:purposeofuse>
•Clients and services: XSPASAMLInteropClient, XSPASAMLInteropThree, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Physician
•Exec: Test Client3.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Page 7

SAML v2.0 Interop: Fine Grain Access Control Validation

Get Medical Record Request – Permissions Enforced, Patient Consent Directives Enforced

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Permissions: Service Perm Reqmts; Action/Object Pairing; Permission Admin Interface; HL7 Permission
•PurposeOfUse, Action/Object Constraints; Patient Elections Interface
•PRD-003, PRD-005, PRD-006, PRD-009, PRD-010, PRD-012, PRD-017
•Application asserts: <subject:functionalrole>, <subject:purposeofuse>, <resource:resourceid>, <resource:type>, <resource:action>
•Return ~C32 Document For display
•Clients and services: XSPASAMLInteropClient, XSPASAMLInteropFour, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientMedicalRecord("100000",<endpoint>) (label appears twice)
•Physician
•Exec: Test Client4.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Page 8

Cross-Enterprise Security and Privacy Authorization Interop

WS-Trust

Page 9

WS-Trust Interop: Coarse Grain Access Control Validation

Simple Patient Lookup – Only ASTM 1986 Role is Required

XACML Components are not included in this test of WS-Trust

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP STS: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, STS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Clients and services: XSPAInteropClient, XSPAInteropOne, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Physician
•Exec: Test Client.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Page 10

WS-Trust Interop: Fine Grain Access Control Validation

Simple Patient Lookup – Permission Requirements Enforced

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP STS: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, STS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Permissions: Service Permission Requirements; Action/Object Pairing; Permission Admin Interface; HL7 Permission
•PRD-006
•Application asserts: <subject:purposeofuse>
•Clients and services: XSPAInteropClient, XSPAInteropTwo, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Physician
•Exec: Test Client2.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Page 11

WS-Trust Interop: Fine Grain Access Control Validation

Simple Patient Lookup – Permissions Enforced, Patient Consent Directives Enforced

(WS-Trust Version of simplistic Patient Authorization)

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP STS: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, STS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Permissions: Service Perm Reqmts; Action/Object Pairing; Permission Admin Interface; HL7 Permission
•Patient elections: Patient Opt-In/Opt-Out; Patient Elections Interface; Opt-In results thru creation of patient elections
•PRD-006
•Application asserts: <subject:purposeofuse>
•Clients and services: XSPAInteropClient, XSPAInteropThree, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Physician
•Exec: Test Client3.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Page 12

WS-Trust Interop: Fine Grain Access Control Validation

Get Medical Record Request – Permissions Enforced, Patient Consent Directives Enforced

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Domain 2 Health Information System and Services
•IDP STS: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, STS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•Permissions: Service Perm Reqmts; Action/Object Pairing; Permission Admin Interface; HL7 Permission
•PurposeOfUse, Action/Object Constraints; Patient Elections Interface
•PRD-003, PRD-005, PRD-006, PRD-009, PRD-010, PRD-012, PRD-017
•Application asserts: <subject:functionalrole>, <subject:purposeofuse>, <resource:resourceid>, <resource:type>, <resource:action>
•Return ~C32 Document For display
•Clients and services: XSPAInteropClient, XSPAInteropFour, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientMedicalRecord("100000",<endpoint>) (label appears twice)
•Physician
•Exec: Test Client4.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

Page 13

WS-Trust Interop: Fine Grain Access Control Validation

Multi-Party Authorization Request – Access Requires Additional Claim

Diagram labels:

•Parties: Service User; Service Provider
•Security domains: Healthcare Organization Security Domain 1; Healthcare Organization Security Domain 2; Healthcare Organization Security Domain 3; Domain 2 Health Information System and Services
•IDP STS: Subject, Organization, Location, ASTM 1986 Role
•Components: ACS, STS, XSPAPolicyEnforcement, PIP, Policy Decision Point, PAP, OpenSSO brokers, Xacml Request
•STS; Third Party Claim (Medical License Authority)
•Patient Constraint Permits
•Permissions: Service Perm Reqmts; Action/Object Pairing; Permission Admin Interface; HL7 Permission
•PurposeOfUse, Action/Object Constraints; Patient Elections Interface
•PRD-003, PRD-005, PRD-006, PRD-009, PRD-010, PRD-012, PRD-017
•Application asserts: <subject:functionalrole>, <subject:purposeofuse>, <resource:resourceid>, <resource:type>, <resource:action>
•Return ~C32 Document For display
•Clients and services: XSPAInteropClient, XSPAInteropFive, ICDBPatientWSClient, Clinical Data Repository (ICDBServices)
•Calls: getPatientMedicalRecord("100000",<endpoint>) (label appears twice)
•Physician
•Exec: Test Client5.java
•Demo’d at RSA2008 and Ditton Manor (Existing VM Slice and Web Services)
•Component Origin: Local or Remote; Vendor Provided; VA Provided

