OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xspa message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: SAML profile edits

I've created an example SAML snippet for new organizational-hiearchy attribute:

<saml:AttributeStatement id="urn:oasis:names:tc:xpsa:2.0:subject:organizational-hierarchy"…>
	<saml:Attribute …>
		<saml:AttributeValue>urn:kp:region:colorado</saml:AttributeValue>
		<saml:AttributeValue>urn:kp:region:elpaso</saml:AttributeValue>
		<saml:AttributeValue>Penrose Hospital</saml:AttributeValue>
	</saml:Attribute>
</saml:AttributeStatement>


Additionally, I've crafted three different approaches for the representation of the new patient authorization attribute for discussion in the next meeting.

Approach 1: URL 
The URI shall be in the form of a Universal Resource Locator (URL) that represents the location of the patient authorization. The content of the authorization, and the protocol to retrieve the authorization is beyond the scope of this profile. ex. https://gateway01/PatientAuthzService?id=123445


Approach 2: URI
The URI shall be in the form of an opaque identifier that references the authoritative patient authorization. The mechanism for retrieving the authorization must be coordinated between the requesting organization and the servicing organization. The content of the authorization, and the protocol to retrieve the authorization is beyond the scope of this profile.
e.x. urn:uuid{550e8400-e29b-41d4-a716-446655440000}


Approach 3: By Value
Note: This would require a change in the data type to base64.
This attribute will contain a base64 encoded patient authorization. The content of the authorization is beyond the scope of this profile.

Discussion Topics:
For referencing the authorization by URI/URL, how long should it be expected for the requesting organization to store the authorization? 
What should the servicing organization do if it can't retrieve the authorization? 
What is the content of the authorization and should the content be specified by the profile?
If passing by value, how big is this authorization likely to be and would it need to be cryptographically signed?
If we go with approach 1 or 2, should we standardize the retrieval mechanism or leave that to be arranged between the two organizations?

Regards,

Mike Dufel

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]