saml-dev message



Subject: NHIN Exchange <Subject> question


All,

By way of introduction, I’m the current Chair of the NHIN Exchange Security and Privacy Workgroup. My group has been asked to clarify the following SAML issue.

As you may be aware, the Nationwide Health Information Network (NHIN) Exchange project has adopted the OASIS SAML 2.0 standard. A question has been brought forth regarding an apparently ambiguous statement in the SAML Core 2.0 specification found at http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.

Prior to asking this question, several of us did extensive research including re-reading every line of the standard, reviewing the mailing list archive, and looking for non-normative clarifying statements from OASIS. Finding none, we are reaching out to you for clarification.

Please note: this is not a theoretical issue. Two organizations have implemented the relevant logic in two different (and incompatible) ways.

(I’ve set up a page on the NHIN Exchange Wiki with more info, if needed.)

Issue: In the SAML Core standard, lines 1167-1168 state "Assertions containing <AttributeStatement> elements MUST contain a <Subject> element".

Interpretation A (Only one <Subject> element is required): One interpretation is that a SAML Assertion with an <AttributeStatement> element does not need a <Subject> element -inside- any child <Assertion> elements containing the <AttributeStatement>, but that such a SAML Assertion does require a <Subject> element at the root <Assertion>/<Subject> level.

Example:

<Assertion>
  <Subject>...</Subject> <!-- required -->
  <AttributeStatement>
     ... <!-- this attribute is describing the root <Assertion>/<Subject> element -->
  </AttributeStatement>
  <AuthzDecisionStatement>
    <Evidence>
       <Assertion>
         <!-- Does not contain a subject, because there is one in the
            encompassing assertion and this assertion is about the same subject -->
         <AttributeStatement>
            ...
         </AttributeStatement>
       </Assertion>
    </Evidence>
  </AuthzDecisionStatement>
</Assertion>


Interpretation B (Embedded <Subject> elements are required): Another interpretation is that a nested (non-root) SAML Assertion with an <AttributeStatement> must have a <Subject> element -inside- the <Assertion> element which is the immediate parent of the <AttributeStatement>, even though the subject has already been specified inside the root <Assertion>.

Example:

<Assertion>
  <Subject>...</Subject> <!-- required -->
  <AttributeStatement>
     ... <!-- this attribute is describing the root <Assertion>/<Subject> element -->
  </AttributeStatement>
  <AuthzDecisionStatement>
    <Evidence>
       <Assertion>
         <Subject>...</Subject>  <!-- Must contain a subject, even though it is the same as the one above -->
         <AttributeStatement>
            ...
         </AttributeStatement>
       </Assertion>
    </Evidence>
  </AuthzDecisionStatement>
</Assertion>


Below is a complete document sampled from a test environment. This message is consistent with interpretation A. Note the formatting and comments are mine.

<?xml version='1.0' encoding='UTF-8'?>

<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">

    <S:Header>

        <To xmlns="http://www.w3.org/2005/08/addressing">https://nhindev.ochin.org/interconnect-dev-ce/wcf/epic.community.hie/xcpdrespondinggatewaysync.svc</To>

        <Action xmlns="http://www.w3.org/2005/08/addressing">urn:hl7-org:v3:PRPA_IN201305UV02:CrossGatewayPatientDiscovery</Action>

        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">

            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>

        </ReplyTo>

        <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:f8c96997-9f9e-4517-99b1-530ce30d2617</MessageID>

        <wsse:Security S:mustUnderstand="true">

            <wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">

                <wsu:Created>2010-12-21T15:43:51Z</wsu:Created>

                <wsu:Expires>2010-12-21T15:48:51Z</wsu:Expires>

            </wsu:Timestamp>

            <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="3a4edd62-458e-4c3f-adc0-a9b505cb6284" IssueInstant="2010-12-21T15:43:51.950Z" Version="2.0">

                <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>

<!-- is this the only subject required? -->

                <saml2:Subject>

                    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb</saml2:NameID>

                    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">

                        <saml2:SubjectConfirmationData>

                            <ds:KeyInfo>

                                <ds:KeyValue>

                                    <ds:RSAKeyValue>

                                        <ds:Modulus>2TtR9WqJfzbG8oHt9Xq/io6BhwY/dC2rdH3Kp6CBMuaYEw94Ezk1hhGglaBMP+c3MazEMCqNe+qBKvDZWovNavEEJ7tpo4SxY5qPPi6bHMQYExukyiTheMDp3CohSJKQ58IrN7OfQ4nrgZxoSCYi5VLUR7zMqX/zfnjdc81WqJk=</ds:Modulus>

                                        <ds:Exponent>AQAB</ds:Exponent>

                                    </ds:RSAKeyValue>

                                </ds:KeyValue>

                            </ds:KeyInfo>

                        </saml2:SubjectConfirmationData>

                    </saml2:SubjectConfirmation>

                </saml2:Subject>

                <saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z" SessionIndex="987">

                    <saml2:SubjectLocality Address="158.147.185.168" DNSName="cs.myharris.net" />

                    <saml2:AuthnContext>

                        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>

                    </saml2:AuthnContext>

                </saml2:AuthnStatement>

                <saml2:AttributeStatement>

                    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">

                        <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>

                    </saml2:Attribute>

                    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">

                        <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">5am Conformance One - 2.4.8</saml2:AttributeValue>

                    </saml2:Attribute>

                    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">

                        <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.3.596</saml2:AttributeValue>

                    </saml2:Attribute>

                    <saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">

                        <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.3.596</saml2:AttributeValue>

                    </saml2:Attribute>

                    <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">

                        <saml2:AttributeValue>

                            <hl7:Role xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="307969004" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="Public Health" xsi:type="hl7:CE" />

                        </saml2:AttributeValue>

                    </saml2:Attribute>

                    <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">

                        <saml2:AttributeValue>

                            <hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="PUBLICHEALTH" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Use or disclosure of Psychotherapy Notes" xsi:type="hl7:CE" />

                        </saml2:AttributeValue>

                    </saml2:Attribute>

                    <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">

                        <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">500000000^^^&amp;1.1&amp;ISO</saml2:AttributeValue>

                    </saml2:Attribute>

                </saml2:AttributeStatement>

                <saml2:AuthzDecisionStatement Decision="Permit" Resource="https://nhindev.ochin.org/interconnect-dev-ce/wcf/epic.community.hie/xcpdrespondinggatewaysync.svc">

                    <saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>

                    <saml2:Evidence>

                        <saml2:Assertion ID="q47df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0">

                            <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>

<!-- is a subject required -inside- this Assertion inside the AuthzDecisionStatement ?? -->

                            <saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2009-12-31T12:00:00.000Z" />

                            <saml2:AttributeStatement>

                                <saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">

                                    <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">urn:oid:1.2.3.4</saml2:AttributeValue>

                                </saml2:Attribute>

                                <saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">

                                    <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">urn:oid:1.2.3.4.123456789</saml2:AttributeValue>

                                </saml2:Attribute>

                            </saml2:AttributeStatement>

                        </saml2:Assertion>

                    </saml2:Evidence>

                </saml2:AuthzDecisionStatement>

                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

                    <ds:SignedInfo>

                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

                        <ds:Reference URI="#3a4edd62-458e-4c3f-adc0-a9b505cb6284">

                            <ds:Transforms>

                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

                            </ds:Transforms>

                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

                            <ds:DigestValue>KElC8xKgWPsC44A0gYevSMxXT1A=</ds:DigestValue>

                        </ds:Reference>

                    </ds:SignedInfo>

                    <ds:SignatureValue>jC5anw7eDUZgNVG3JxxdxcMOQheYPhtJPHHceAcYOOserWV45jlblHXeqsL4MGsJl2no+JVKavL+cinn6+tubeJD4cpWhDHbXsOc2u1cpYTbCe+Hd1JzHpnBTr+heT/gaJV8CrwPHFXp6MojrqFrCtKAXpUnxkP6pKPZqfB50/E=</ds:SignatureValue>

                    <ds:KeyInfo>

                        <ds:KeyValue>

                            <ds:RSAKeyValue>

                                <ds:Modulus>2TtR9WqJfzbG8oHt9Xq/io6BhwY/dC2rdH3Kp6CBMuaYEw94Ezk1hhGglaBMP+c3MazEMCqNe+qBKvDZWovNavEEJ7tpo4SxY5qPPi6bHMQYExukyiTheMDp3CohSJKQ58IrN7OfQ4nrgZxoSCYi5VLUR7zMqX/zfnjdc81WqJk=</ds:Modulus>

                                <ds:Exponent>AQAB</ds:Exponent>

                            </ds:RSAKeyValue>

                        </ds:KeyValue>

                    </ds:KeyInfo>

                </ds:Signature>

            </saml2:Assertion>

            <ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" Id="_2">

                <ds:SignedInfo>

                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">

                        <exc14n:InclusiveNamespaces PrefixList="wsse S" />

                    </ds:CanonicalizationMethod>

                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

                    <ds:Reference URI="#_1">

                        <ds:Transforms>

                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">

                                <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />

                            </ds:Transform>

                        </ds:Transforms>

                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

                        <ds:DigestValue>Nhen2R5LULNX2vPaft7QdfcTNaA=</ds:DigestValue>

                    </ds:Reference>

                </ds:SignedInfo>

                <ds:SignatureValue>XGckyz/m5882yot6dkPDPC1MHcJyYjF1kd41pFXwKvRzvkx8A9euTgurvxyXwTpvfwCG4dB89J45aC20gvqdcEGoPzhjDFZAJFnsABobTTYivgNgPdc3aKlzQOhsKzrl5r7lTZBzLp/6lcR9PDqObP1bTw4RsVXsnKT+BhpfSYQ=</ds:SignatureValue>

                <ds:KeyInfo>

                    <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">

                        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">3a4edd62-458e-4c3f-adc0-a9b505cb6284</wsse:KeyIdentifier>

                    </wsse:SecurityTokenReference>

                </ds:KeyInfo>

            </ds:Signature>

        </wsse:Security>

    </S:Header>

    <S:Body>

        <PRPA_IN201305UV02 xmlns="urn:hl7-org:v3" xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:ns3="urn:gov:hhs:fha:nhinc:common:nhinccommon" xmlns:ns4="urn:gov:hhs:fha:nhinc:common:patientcorrelationfacade" ITSVersion="XML_1.0">

            <id extension="-5a3e95b1:11d1fa33d45:-7f9b" root="1.1"/>

            <creationTime value="20101450084800"/>

            <interactionId extension="PRPA_IN201305UV02" root="2.16.840.1.113883.1.6"/>

            <processingCode code="T"/>

            <processingModeCode code="I"/>

            <acceptAckCode code="AL"/>

            <receiver typeCode="RCV">

                <device determinerCode="INSTANCE" classCode="">

                    <id root="1.2.345.678.999"/>

                    <asAgent classCode="AGNT">

                        <representedOrganization determinerCode="INSTANCE" classCode="ORG">

                            <id root="2.16.840.1.113883.3.346"/>

                        </representedOrganization>

                    </asAgent>

                </device>

           </receiver>

            <sender typeCode="SND">

                <device determinerCode="INSTANCE" classCode="DEV">

                    <id root="2.16.840.1.113883.3.596"/>

                    <asAgent classCode="AGNT">

                        <representedOrganization determinerCode="INSTANCE" classCode="ORG">

                            <id root="2.16.840.1.113883.3.596"/>

                        </representedOrganization>

                    </asAgent>

                </device>

            </sender>

            <controlActProcess moodCode="EVN" classCode="CACT">

                <authorOrPerformer typeCode="AUT">

                    <assignedDevice classCode="">

                        <id root="2.16.840.1.113883.3.596"/>

                    </assignedDevice>

                </authorOrPerformer>

                <queryByParameter>

                    <queryId extension="-abd3453dcd24wkkks545" root="2.2"/>

                    <statusCode code="new"/>

                    <responseModalityCode code="R"/>

                    <responsePriorityCode code="I"/>

                    <parameterList>

                        <livingSubjectAdministrativeGender>

                            <value code="M"/>

                            <semanticsText representation="TXT"/>

                        </livingSubjectAdministrativeGender>

                        <livingSubjectBirthTime>

                            <value operator="I" value="19600210"/>

                            <semanticsText representation="TXT"/>

                        </livingSubjectBirthTime>

                        <livingSubjectId>

                            <value assigningAuthorityName="" extension="N600002" root="2.16.840.1.113883.3.596"/>

                            <semanticsText representation="TXT"/>

                        </livingSubjectId>

                        <livingSubjectName>

                            <value>

                                <given partType="GIV">Robert</given>

                                <given partType="GIV">M</given>

                                <family partType="FAM">Carson</family>

                            </value>

                            <semanticsText representation="TXT"/>

                        </livingSubjectName>

                    </parameterList>

                </queryByParameter>

            </controlActProcess>

        </PRPA_IN201305UV02>

    </S:Body>

</S:Envelope>


Longer Example of Interpretation B

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"

    xmlns:a="http://www.w3.org/2005/08/addressing"

    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

    <s:Header>

        <a:Action s:mustUnderstand="1"

            >urn:hl7-org:v3:PRPA_IN201305UV02:CrossGatewayPatientDiscovery</a:Action>

        <a:MessageID>urn:uuid:fbf307ad-a89a-4a6e-87fc-19c054d945ca</a:MessageID>

        <a:ReplyTo>

            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>

        </a:ReplyTo>

        <a:To s:mustUnderstand="1"

            >https://vs-proxytest.epicsys.com/interconnect-ic-neo-sydney/wcf/epic.community.hie/xcpdrespondinggatewaysync.svc</a:To>

        <a:From a:IsReferenceParameter="true">

            <a:Address>urn:epic:cec.iu77qa</a:Address>

        </a:From>

        <o:Security s:mustUnderstand="1"

            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

            <u:Timestamp u:Id="_0">

                <u:Created>2011-01-04T20:54:35.846Z</u:Created>

                <u:Expires>2011-01-04T20:59:35.846Z</u:Expires>

            </u:Timestamp>

            <Assertion ID="_25ce5d60-f5cb-45f5-9d63-62216752a828"

                IssueInstant="2011-01-04T20:54:35.768Z" Version="2.0"

                xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

                <Issuer>EpicSTS</Issuer>

                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

                    <ds:SignedInfo>

                        <ds:CanonicalizationMethod

                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

                        <ds:Reference URI="#_25ce5d60-f5cb-45f5-9d63-62216752a828">

                            <ds:Transforms>

                                <ds:Transform

                                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                            </ds:Transforms>

                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

                            <ds:DigestValue>laMFGDQ2S4bKqbCxqSMhWlIkno8=</ds:DigestValue>

                        </ds:Reference>

                    </ds:SignedInfo>

                    <ds:SignatureValue>vnIVr85jneVo5G3zeKVYlMci4QiLZPcdqy7hsW/EeoPyT/PB8brT0Xn39R6cL4jCOn/6oTomWREfdx4q4m+gYaLMQu0vdyRYbY5roW0Q/rWugabQ4qH/r8CTZ7j8vWwb2zd0iDOFJADNeMbdg+1/IBY/MAQeci+OIsZfMI0Rrkg=</ds:SignatureValue>

                    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

                        <X509Data>

                            <X509Certificate>...</X509Certificate>

                        </X509Data>

                    </KeyInfo>

                </ds:Signature>

                <Subject>

                    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">

                        <SubjectConfirmationData a:type="KeyInfoConfirmationDataType"

                            xmlns:a="http://www.w3.org/2001/XMLSchema-instance">

                            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

                                <trust:BinarySecret

                                    xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"

                                    >VTIiZlUDXDM1znF1Aameb4GVLIlcBuxK2MAQB+BUq/M=</trust:BinarySecret>

                            </KeyInfo>

                        </SubjectConfirmationData>

                    </SubjectConfirmation>

                </Subject>

                <Conditions NotBefore="2011-01-04T20:54:34.362Z"

                    NotOnOrAfter="2011-01-04T21:54:34.362Z">

                    <AudienceRestriction>

                        <Audience>https://vs-proxytest.epicsys.com/interconnect-ic-neo-sydney/wcf/epic.community.hie/xcpdrespondinggatewaysync.svc</Audience>

                    </AudienceRestriction>

                </Conditions>

                <AttributeStatement>

                    <Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>Epic User</AttributeValue>

                    </Attribute>

                    <Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>Summer 09 IU/SU QA Community</AttributeValue>

                    </Attribute>

                    <Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>urn:epic:cec.iu77qa</AttributeValue>

                    </Attribute>

                    <Attribute Name="urn:nhin:names:saml:homeCommunityId" a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>urn:epic:cec.iu77qa</AttributeValue>

                    </Attribute>

                    <Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>

                            <Role code="PHYSICIAN" codeSystem="2.16.840.1.113883.6.96"

                                codeSystemName="SNOMED CT" xmlns="urn:hl7-org:v3"

                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

                                xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>

                        </AttributeValue>

                    </Attribute>

                    <Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>

                            <PurposeForUse code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1"

                                codeSystemName="nhin-purpose" displayName="Treatment"

                                xmlns="urn:hl7-org:v3"

                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

                                xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>

                        </AttributeValue>

                    </Attribute>

                    <Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>SD90108500^^^&amp;1.2.840.114350.1.13.77&amp;ISO</AttributeValue>

                    </Attribute>

                    <Attribute Name="urn:oasis:names:tc:xspa:2.0:subject:npi"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue/>

                    </Attribute>

                    <Attribute Name="http://www.hhs.gov/healthit/nhin:InstanceAccessConsentPolicy"

                        a:OriginalIssuer="EpicSTS"

                        xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                        <AttributeValue>EPICTESTINSTANCEACCESSCONSENTPOLICY</AttributeValue>

                    </Attribute>

                </AttributeStatement>

                <AuthzDecisionStatement Decision="Permit" Resource="http://localhost/test">

                    <Action Namespace="http://epic.com/saml2actions/test">FullControl</Action>

                    <Evidence>

                        <Assertion ID="_f541cab-19fd-4657-8643-12fffc1e6059" IssueInstant="2011-01-04T20:54:35.768Z" Version="2.0">

                            <Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">E=justin@epic.com, CN=Justin Stauffer, OU=EDI, O=Epic, L=Verona,S=Wisconsin, C=US</Issuer>

<!-- This is the embedded Subject pertinent to Interpretation B -->

                            <Subject>

                                <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=MAP</NameID>

                            </Subject>

                            <AttributeStatement>

                                <Attribute

                                    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint"

                                    a:OriginalIssuer="STS_EPIC9802"

                                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                                    <AttributeValue b:type="tn:base64Binary"

                                        xmlns:b="http://www.w3.org/2001/XMLSchema-instance"

                                        xmlns:tn="http://www.w3.org/2001/XMLSchema"

                                        >1FYgmPGsiQbZ2JDg1h8U9lA5qgs=</AttributeValue>

                                </Attribute>

                                <Attribute

                                    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname"

                                    a:OriginalIssuer="STS_EPIC9802"

                                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                                    <AttributeValue>E=justin@epic.com, CN=Justin Stauffer, OU=EDI,

                                        O=Epic, L=Verona, S=Wisconsin, C=US</AttributeValue>

                                </Attribute>

                                <Attribute

                                    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns"

                                    a:OriginalIssuer="STS_EPIC9802"

                                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                                    <AttributeValue>Justin Stauffer</AttributeValue>

                                </Attribute>

                                <Attribute

                                    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

                                    a:OriginalIssuer="STS_EPIC9802"

                                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                                    <AttributeValue>Justin Stauffer</AttributeValue>

                                </Attribute>

                                <Attribute

                                    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

                                    a:OriginalIssuer="STS_EPIC9802"

                                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                                    <AttributeValue>justin@epic.com</AttributeValue>

                                </Attribute>

                                <Attribute

                                    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa"

                                    a:OriginalIssuer="STS_EPIC9802"

                                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                                    <AttributeValue b:type="tn:RSAKeyValue"

                                        xmlns:b="http://www.w3.org/2001/XMLSchema-instance"

                                        xmlns:tn="http://www.w3.org/2000/09/xmldsig">

                                        <RSAKeyValue xmlns="">

                                            <Modulus>ye1ind9MuSVfDS9YnD1bd2FNJTUPFHlywqBcTwAeZMv1hJdVeeRiRUpSrrFI3XoAys47owpR9wwO3KmV2I31Oyh6sQc/jiLaM7KRQcfbFuRB8Ns4hfoA3wI+ohL8P0BdU33Iimuc2FGbV3q9wRSPotoZHhKa15y1Ws3ct541+N8=</Modulus>

                                            <Exponent>AQAB</Exponent>

                                        </RSAKeyValue>

                                    </AttributeValue>

                                </Attribute>

                                <Attribute

                                    Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"

                                    a:OriginalIssuer="STS_EPIC9802"

                                    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">

                                    <AttributeValue>0146</AttributeValue>

                                </Attribute>

                            </AttributeStatement>

                        </Assertion>

                    </Evidence>

                </AuthzDecisionStatement>

            </Assertion>

            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

                <SignedInfo>

                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>

                    <Reference URI="#_0">

                        <Transforms>

                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                        </Transforms>

                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

                        <DigestValue>fZcN06d4n5WcevXPfpUAWs4Jmwk=</DigestValue>

                    </Reference>

                </SignedInfo>

                <SignatureValue>2KiiBu81iQU08dh+A17ceeLITrM=</SignatureValue>

                <KeyInfo>

                    <o:SecurityTokenReference

                        k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

                        xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">

                        <o:KeyIdentifier

                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"

                            >_25ce5d60-f5cb-45f5-9d63-62216752a828</o:KeyIdentifier>

                    </o:SecurityTokenReference>

                </KeyInfo>

            </Signature>

        </o:Security>

    </s:Header>

    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

        xmlns:xsd="http://www.w3.org/2001/XMLSchema">

        <PRPA_IN201305UV02 xmlns="urn:hl7-org:v3">

            <id root="1.2.840.114350.1.13.77002.1.7.2.696777" extension="71699"/>

            <creationTime value="20110104145429-0600"/>

            <interactionId root="2.16.840.1.113883.1.6" extension="PRPA_IN201305UV02"/>

            <processingCode code="P"/>

            <processingModeCode code="T"/>

            <acceptAckCode code="NE"/>

            <receiver typeCode="RCV">

                <device classCode="DEV" determinerCode="INSTANCE">

                    <id root="1.2.840.114350.1.13.77002.1.7.2.688879" extension="841"/>

                </device>

            </receiver>

            <sender typeCode="SND">

                <device classCode="DEV" determinerCode="INSTANCE">

                    <id root="1.2.840.114350.1.13.77002.1.7.2.688879" extension="900"/>

                    <asAgent classCode="AGNT">

                        <representedOrganization classCode="ORG" determinerCode="INSTANCE">

                            <id root="urn:epic:cec.iu77qa"/>

                        </representedOrganization>

                    </asAgent>

                </device>

            </sender>

            <controlActProcess classCode="CACT" moodCode="EVN">

                <authorOrPerformer typeCode="AUT">

                    <assignedDevice>

                        <id root="urn:epic:cec.iu77qa"/>

                    </assignedDevice>

                </authorOrPerformer>

                <queryByParameter>

                    <queryId root="d230ac58-1844-11e0-b20c-002481e4b4aa"/>

                    <responseModalityCode code="R"/>

                    <responsePriorityCode code="I"/>

                    <parameterList>

                        <livingSubjectName>

                            <value>

                                <given>Sydney</given>

                                <given>One</given>

                                <family>Jjs</family>

                            </value>

                            <semanticsText>LivingSubject.Name</semanticsText>

                        </livingSubjectName>

                        <livingSubjectAdministrativeGender>

                            <value code="M"/>

                            <semanticsText>LivingSubject.administrativeGender</semanticsText>

                        </livingSubjectAdministrativeGender>

                        <livingSubjectBirthTime>

                            <value value="20001023"/>

                            <semanticsText>LivingSubject.birthTime</semanticsText>

                        </livingSubjectBirthTime>

                        <patientAddress>

                            <value>

                                <streetAddressLine>2910 Riverbend Trail</streetAddressLine>

                                <city>MADISON</city>

                                <state>WI</state>

                                <postalCode>53719</postalCode>

                                <country>US</country>

                            </value>

                            <semanticsText>Patient.addr</semanticsText>

                        </patientAddress>

                        <livingSubjectId>

                            <value root="2.16.840.1.113883.4.1" extension="439-28-4932"/>

                            <semanticsText>LivingSubject.id</semanticsText>

                        </livingSubjectId>

                        <patientTelecom>

                            <value use="HP">tel:608-271-9999</value>

                            <semanticsText>Patient.telecom</semanticsText>

                        </patientTelecom>

                    </parameterList>

                </queryByParameter>

            </controlActProcess>

        </PRPA_IN201305UV02>

    </s:Body>

</s:Envelope>

 

Eric Heflin

Dir of Standards and Interoperability


THE Standard for Meaningful HIE.

www.medicity.com

801.415.2672 (o)

801.674.2313 (m)

eheflin (Skype)

 


