

Subject: Concept Descriptor vs. URN


Hello,

 

We need to discuss and make a decision between using URNs or CD XML for encoding attribute values from standard vocabularies. This is some read-ahead material on the background and the alternatives on the issue to prepare for the discussion on the next call.

 

One of our main goals in updating the XSPA profiles was to internationalize the profiles by removing the specific attribute valuesets and provide a mechanism by which any suitable standard vocabulary can be used for attribute values. We have also specified the required valuesets to be used for the US realm.

Thus, we need a mechanism to fully qualify the value of an attribute by encoding the vocabulary or valueset it is taken from. For this purpose, we have currently chosen to use the XML representation of HL7 Concept Descriptor for encoding such values. This structure allows encoding the value of the attribute as a code, its display name, the code for vocabulary/valueset, and the display name of the vocabulary.

 

Note that since these SAML assertions will be consumed by a machine, the only parts of the CD structure that are actually of use are 1) the vocabulary code, and 2) the attribute code; display names are a matter of GUI and can be left out.

 

One of the general comments that we received from the SAML TC in this regard was to consider using URNs instead of embedding the XML-encoded value of the attribute as an HL7 Concept Descriptor structure. The argument is twofold:

- It is better to use the existing XML/SAML facilities instead of introducing complex XML structures.

- Most existing SAML implementations do not support complex-valued attributes and only recognize basic datatypes such as strings.

 

The following shows an example of a purpose of use attribute value taken from the HL7 purpose of use vocabulary, encoded respectively as complex-valued CD XML and URN:

 

Using CD:

 

<saml:Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:xacml:2.0:action:purpose">
  <saml:AttributeValue xsi:type="urn:hl7-org:v3:CD">
    <value xmlns="urn:hl7-org:v3" xsi:type="CD"
        code="RECORDMGT"
        displayName="records management"
        codeSystem="2.16.840.1.113883.1.11.20448"
        codeSystemName="Purpose of Use" />
  </saml:AttributeValue>
</saml:Attribute>

 

Using URN:

 

<saml:Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:xacml:2.0:action:purpose">
  <saml:AttributeValue xsi:type="anyURI" >
    urn:hl7-org:v3:2.16.840.1.113883.1.11.20448:RECORDMGT
  </saml:AttributeValue>
</saml:Attribute>

 

 

Regards,

Mohammad Jafari, Ph.D.

Chair, OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee.

Veteran Health Administration, Department of Veteran Affairs (Edmond Scientific Company)
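
An added example, not part of the original message: a relying party reducing either encoding above to the (vocabulary code, attribute code) pair that a machine consumer needs, and rejecting anything malformed before it reaches an authorization decision. The namespace declarations on the samples, the code alphabet, and the function and constant names are assumptions; the assertion is assumed to have been signature-verified already.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HL7 = "urn:hl7-org:v3"
OID = r"[0-2](?:\.(?:0|[1-9]\d*))+"   # dotted-decimal OID, no leading zeros
CODE = r"[A-Za-z0-9_.-]+"             # assumed code alphabet, not taken from the profile
URN_RE = re.compile(rf"urn:hl7-org:v3:({OID}):({CODE})")

# Constructed samples: the two encodings from the message, with the namespace
# declarations an enclosing assertion would supply; display names are omitted.
HEAD = ('<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'Name="urn:oasis:names:tc:xacml:2.0:action:purpose">')
CD_SAMPLE = HEAD + (
    '<saml:AttributeValue xsi:type="urn:hl7-org:v3:CD">'
    '<value xmlns="urn:hl7-org:v3" xsi:type="CD" code="RECORDMGT" '
    'codeSystem="2.16.840.1.113883.1.11.20448"/>'
    '</saml:AttributeValue></saml:Attribute>')
URN_SAMPLE = HEAD + (
    '<saml:AttributeValue xsi:type="anyURI"> '
    'urn:hl7-org:v3:2.16.840.1.113883.1.11.20448:RECORDMGT '
    '</saml:AttributeValue></saml:Attribute>')

def coded_value(attribute_xml):
    """Return (codeSystem, code) from either encoding; raise ValueError otherwise."""
    attr = ET.fromstring(attribute_xml)
    values = attr.findall("saml:AttributeValue", NS)
    if len(values) != 1:
        raise ValueError("expected exactly one AttributeValue")
    children = list(values[0])
    if children:
        # Complex-valued form: a single HL7 CD <value> element.
        if len(children) != 1 or children[0].tag != f"{{{HL7}}}value":
            raise ValueError("unexpected structure inside AttributeValue")
        system = children[0].get("codeSystem", "")
        code = children[0].get("code", "")
        if not re.fullmatch(OID, system) or not re.fullmatch(CODE, code):
            raise ValueError("malformed codeSystem or code")
        return system, code
    # String form: the whole (trimmed) text must match, so extra segments are rejected.
    match = URN_RE.fullmatch((values[0].text or "").strip())
    if not match:
        raise ValueError("malformed URN value")
    return match.group(1), match.group(2)

if __name__ == "__main__":
    print(coded_value(CD_SAMPLE), coded_value(URN_SAMPLE))
```
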

 

 

 


