Cross-Enterprise Security and Privacy Authorization
Cross-Enterprise Security and Privacy Authorization Interop

Goal:
•Demonstrate WS-Trust aspects of HITSP TP-20
•Demonstrate SAML aspects of HITSP TP-20
•Satisfy XSPA Use Cases
•Produce real-time outputs of request/responses

Assumptions:
•Access control decision in the consumer security domain is black boxed
•A single XACML Policy Decision Point is made available to all participants for testing
•Code is made available to vendors to create on-site test beds
•Clinical data repository and services are available in San Diego

Vendor Participation:
•Slides identify components and the vendor points to plug in
•Vendors can choose to host all components, with the exception of the clinical repository and services

VA Delivered Components:
•Test clients and services
•Security Admin console – Patient Consent Directives, Object/Action pairings, required Permissions, and purpose of use
•Lite Electronic Health Record Application
•Simplistic tests to validate configurations
•Use Cases
•XACML Policies
Cross-Enterprise Security and Privacy Authorization Interop
SAML v2.0
Cross-Enterprise Security and Privacy Authorization
SAML v2.0 Interop – Coarse Grain Access Control Validation
Simple Patient Lookup – Only ASTM 1986 Role is Required
Slide note: XACML Components are not included in this test of WS-Trust

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP supplies subject attributes (Subject, Organization, Location, ASTM 1986 Role)
•Service Provider – Healthcare Organization, Security Domain 2: ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPASAMLInteropClient, XSPASAMLInteropOne, ICDBPatientWSClient; Exec: Test Client.java (local or remote)
•Service calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization
SAML v2.0 Interop – Fine Grain Access Control Validation
Simple Patient Lookup – Permission Requirements Enforced

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP supplies subject attributes (Subject, Organization, Location, ASTM 1986 Role); application asserts <subject:purposeofuse>
•Service Provider – Healthcare Organization, Security Domain 2: ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request; Service Permission Requirements; Action/Object Pairing configured through the Permission Admin Interface; HL7 Permission required: PRD-006
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPASAMLInteropClient, XSPASAMLInteropTwo, ICDBPatientWSClient; Exec: Test Client2.java (local or remote)
•Service calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization
SAML v2.0 Interop – Fine Grain Access Control Validation
Simple Patient Lookup – Permissions Enforced, Patient Consent Directives Enforced
(SAML Version of simplistic Patient Authorization)

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP supplies subject attributes (Subject, Organization, Location, ASTM 1986 Role); application asserts <subject:purposeofuse>
•Service Provider – Healthcare Organization, Security Domain 2: ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request; Service Permission Requirements; Action/Object Pairing configured through the Permission Admin Interface; HL7 Permission required: PRD-006
•Patient Opt-In/Opt-Out recorded through the Patient Elections Interface; Opt-In results through creation of patient elections
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPASAMLInteropClient, XSPASAMLInteropThree, ICDBPatientWSClient; Exec: Test Client3.java (local or remote)
•Service calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization
SAML v2.0 Interop – Fine Grain Access Control Validation
Get Medical Record Request – Permissions Enforced, Patient Consent Directives Enforced

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP supplies subject attributes (Subject, Organization, Location, ASTM 1986 Role); application asserts <subject:functionalrole>, <subject:purposeofuse>, <resource:resourceid>, <resource:type>, <resource:action>
•Service Provider – Healthcare Organization, Security Domain 2: ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request; Service Permission Requirements; Action/Object Pairing configured through the Permission Admin Interface; PurposeOfUse and Action/Object Constraints recorded through the Patient Elections Interface; HL7 Permissions required: PRD-003, PRD-005, PRD-006, PRD-009, PRD-010, PRD-012, PRD-017
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPASAMLInteropClient, XSPASAMLInteropFour, ICDBPatientWSClient; Exec: Test Client4.java (local or remote)
•Service call: getPatientMedicalRecord("100000",<endpoint>); returns a ~C32 document for display
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization Interop
WS-Trust
Cross-Enterprise Security and Privacy Authorization
WS-Trust Interop – Coarse Grain Access Control Validation
Simple Patient Lookup – Only ASTM 1986 Role is Required
Slide note: XACML Components are not included in this test of WS-Trust

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP and STS supply subject attributes (Subject, Organization, Location, ASTM 1986 Role)
•Service Provider – Healthcare Organization, Security Domain 2: STS; ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPAInteropClient, XSPAInteropOne, ICDBPatientWSClient; Exec: Test Client.java (local or remote)
•Service calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization
WS-Trust Interop – Fine Grain Access Control Validation
Simple Patient Lookup – Permission Requirements Enforced

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP and STS supply subject attributes (Subject, Organization, Location, ASTM 1986 Role); application asserts <subject:purposeofuse>
•Service Provider – Healthcare Organization, Security Domain 2: STS; ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request; Service Permission Requirements; Action/Object Pairing configured through the Permission Admin Interface; HL7 Permission required: PRD-006
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPAInteropClient, XSPAInteropTwo, ICDBPatientWSClient; Exec: Test Client2.java (local or remote)
•Service calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization
WS-Trust Interop – Fine Grain Access Control Validation
Simple Patient Lookup – Permissions Enforced, Patient Consent Directives Enforced
(WS-Trust Version of simplistic Patient Authorization)

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP and STS supply subject attributes (Subject, Organization, Location, ASTM 1986 Role); application asserts <subject:purposeofuse>
•Service Provider – Healthcare Organization, Security Domain 2: STS; ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request; Service Permission Requirements; Action/Object Pairing configured through the Permission Admin Interface; HL7 Permission required: PRD-006
•Patient Opt-In/Opt-Out recorded through the Patient Elections Interface; Opt-In results through creation of patient elections
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPAInteropClient, XSPAInteropThree, ICDBPatientWSClient; Exec: Test Client3.java (local or remote)
•Service calls: getPatientList("smith","",<endpoint>), getPatients("smith","",<endpoint>)
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization
WS-Trust Interop – Fine Grain Access Control Validation
Get Medical Record Request – Permissions Enforced, Patient Consent Directives Enforced

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP and STS supply subject attributes (Subject, Organization, Location, ASTM 1986 Role); application asserts <subject:functionalrole>, <subject:purposeofuse>, <resource:resourceid>, <resource:type>, <resource:action>
•Service Provider – Healthcare Organization, Security Domain 2: STS; ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request; Service Permission Requirements; Action/Object Pairing configured through the Permission Admin Interface; PurposeOfUse and Action/Object Constraints recorded through the Patient Elections Interface; HL7 Permissions required: PRD-003, PRD-005, PRD-006, PRD-009, PRD-010, PRD-012, PRD-017
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPAInteropClient, XSPAInteropFour, ICDBPatientWSClient; Exec: Test Client4.java (local or remote)
•Service call: getPatientMedicalRecord("100000",<endpoint>); returns a ~C32 document for display
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
Cross-Enterprise Security and Privacy Authorization
WS-Trust Interop – Fine Grain Access Control Validation
Multi-Party Authorization Request – Access Requires Additional Claim

[Slide diagram, recovered labels]
•Service User – Healthcare Organization, Security Domain 1: Physician; IDP and STS supply subject attributes (Subject, Organization, Location, ASTM 1986 Role); application asserts <subject:functionalrole>, <subject:purposeofuse>, <resource:resourceid>, <resource:type>, <resource:action>
•Service Provider – Healthcare Organization, Security Domain 2: STS; ACS – XSPA Policy Enforcement, PIP, Policy Decision Point, PAP; OpenSSO brokers the XACML Request; Service Permission Requirements; Action/Object Pairing configured through the Permission Admin Interface; PurposeOfUse and Action/Object Constraints recorded through the Patient Elections Interface; HL7 Permissions required: PRD-003, PRD-005, PRD-006, PRD-009, PRD-010, PRD-012, PRD-017
•Third Party – Healthcare Organization, Security Domain 3: STS issuing the Third Party Claim (Medical License Authority); Patient Constraint Permits
•Domain 2 Health Information System and Services: Clinical Data Repository (ICDBServices), demo’d at RSA2008 and Ditton Manor (existing VM slice and web services)
•Test clients: XSPAInteropClient, XSPAInteropFive, ICDBPatientWSClient; Exec: Test Client5.java (local or remote)
•Service call: getPatientMedicalRecord("100000",<endpoint>); returns a ~C32 document for display
•Component origin legend: Vendor Provided, VA Provided

Legend: ACS – Access Control System; STS – Security Token Service; PIP – Policy Information Point; PAP – Policy Administration Point; IDP – Identity Provider (Subject Attributes)
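A toy policy decision function, added here as an illustration and not code from the interop deck or the VA test clients, that layers the checks the test cases add one by one: the ASTM 1986 role alone (coarse grain), the action/object pairing to required HL7 permissions, the patient consent directive with its purpose-of-use constraint, and the additional third-party claim of the multi-party case. The permission sets, patient elections and the license_claim attribute are constructed assumptions.

```python
# Added example (not from the interop deck or the VA test clients): a toy PDP
# that layers the checks the test cases add one by one. Every permission set,
# patient election and the license_claim attribute below is constructed.

# Action/Object pairing -> required HL7 permissions (PRD ids as on the slides)
ACTION_OBJECT_PAIRINGS = {
    ("read", "patientlist"): {"PRD-006"},
    ("read", "medicalrecord"): {"PRD-003", "PRD-006", "PRD-010"},
}
# ASTM 1986 structural role -> permissions granted by the PAP (constructed)
ROLE_PERMISSIONS = {
    "physician": {"PRD-003", "PRD-005", "PRD-006", "PRD-009", "PRD-010",
                  "PRD-012", "PRD-017"},
    "clerk": {"PRD-006"},
}
# Patient elections: opt-in flag plus the purposes of use the patient allows
PATIENT_ELECTIONS = {
    "100000": {"opt_in": True, "purposes": {"TREATMENT"}},
    "100001": {"opt_in": False, "purposes": set()},
}
# Multi-party case: these object types also need a third-party license claim
THIRD_PARTY_CLAIM_REQUIRED = {"medicalrecord"}


def decide(subject, resource, elections=PATIENT_ELECTIONS):
    """Return ("Permit"|"Deny", reason) for one XACML-style request."""
    role = subject.get("role")
    # Coarse grain: only the ASTM 1986 role is required
    if role not in ROLE_PERMISSIONS:
        return "Deny", "unknown structural role"
    # Fine grain: the action/object pairing names the permissions required
    required = ACTION_OBJECT_PAIRINGS.get((resource["action"], resource["type"]))
    if required is None:
        return "Deny", "no action/object pairing"
    missing = required - ROLE_PERMISSIONS[role]
    if missing:
        return "Deny", "missing permissions " + ",".join(sorted(missing))
    # Consent directive: patient opt-in and purpose-of-use constraint
    election = elections.get(resource.get("resourceid"))
    if election is not None:
        if not election["opt_in"]:
            return "Deny", "patient opted out"
        if subject.get("purposeofuse") not in election["purposes"]:
            return "Deny", "purpose of use not permitted by patient"
    # Multi-party: access requires an additional claim from a third domain
    if resource["type"] in THIRD_PARTY_CLAIM_REQUIRED and not subject.get("license_claim"):
        return "Deny", "missing third-party license claim"
    return "Permit", "all checks passed"
```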