This diagram shows a typical implementation of an EHR (in white) accessing an HIE based XDS Registry (in black). The XUA Profile provides the orange functionality: X-Identity Provider creates the SAML Assertion given the User Authentication identity and EHR security context, the X-Service User inserts this SAML Assertion into the normal XDS Query Transaction, and on the XDS Registry the X-Service User (not shown) uses the SAML identity and includes that identity in the Audit log.
The XUA profile is a very thin profile that simply indicates that the SAML 2.0 standard includes a specification for an identity Assertion. These SAML Assertions are self-contained XML objects that can contain claims about the identity, attributes about the identity, and claims about the context.
The XUA profile has had a few additional use-cases added to it as named options.
- User Role -- To support Role Based Access Control
- Consent / Authorization -- To support use-cases where the requesting party has explicit consent that they want to point at to assist the service
- Purpose Of Use -- Carry an indicator of what the reason for the transaction is and what will be done with the result
- Status: Final Text
- IHE ITI Technical Framework
- Vol 1: Section 13
- Vol 2b: Section 3.40
- Standards Used
XUA - Very thin profile that simply says to use SAML Identity Assertions for authenticating users on Cross-Enterprise transactions
- This is the solution for the space where Kerberos doesn't work well, yet WS-Trust can be used to create a SAML assertion based on a Kerberos authentication
- SAML is both a standard for an XML way to describe a user and provide trust mechanisms of that data; and also a protocol. The protocol is not part of the XUA profile. It is ok, but not as important as the assertion
- WS-Trust is more commonly used to get and manipulate SAML Assertions.
- There is also good reason for a product that does its own user authentication to simply create SAML assertions w/o protocol
- See - Federated ID is not a universal IDand IHE ITI XUA++ - Trial Implementation and Separation of Layers: Security Error Codes and Healthcare Access Controls standards landscape
- Introduction to IHE impact on Meaningful Use
- IHE - Privacy and Security Profiles - Introduction
- IHE - Privacy and Security Profiles - Consistent Time
- IHE - Privacy and Security Profiles - Audit Trail and Node Authentication
- IHE - Privacy and Security Profiles - Enterprise User Authentication
- This Page
- IHE - Privacy and Security Profiles - Document Digital Signature
- IHE - Privacy and Security Profiles - Basic Patient Privacy Consents
- IHE - Privacy and Security Profiles - Document Encryption
- IHE - Privacy and Security Profiles - Access Control
- IHE - Privacy and Security Profiles - Miscellaneous
- IHE - Privacy and Security Profiles - Conclusion