1 / 7

Cross-Enterprise User Authentication Year 2 March 16, 2006

Cross-Enterprise User Authentication Year 2 March 16, 2006. John F. Moehrke GE Healthcare IT Infrastructure Technical Committee. Cross-Enterprise User Authentication Value Proposition. Extend User Identity to Affinity Domain Users include Providers, Patients, Clerical, etc

tana-gilliam
Download Presentation

Cross-Enterprise User Authentication Year 2 March 16, 2006

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cross-Enterprise User Authentication Year 2 March 16, 2006 John F. Moehrke GE Healthcare IT Infrastructure Technical Committee

  2. Cross-Enterprise User AuthenticationValue Proposition • Extend User Identity to Affinity Domain • Users include Providers, Patients, Clerical, etc • Must supports cross-enterprise transactions, can be used inside enterprise • Distributed or Centralized. • Provide information necessary so that receiving actors can make Access Control decisions • Does not include Access Control mechanism • Provide information necessary so that receiving actors can produce detailed and accurate Security Audit Trail ITI Technical Committee

  3. XUA – Circle of Trust (e.g. XDS Affinity Domain) XDS Patient ID Source Key: Original Transaction XUA modification Use-Case number ‘n’ St. Johns Auth Prov ID Prov n 1a HL7 v2 XDS Registry 0a 1b User auth HL7 v3 North Clinic Internal Exported Radiologist Reporting 4 XDS Query Auth Prov ID Prov 5 XDS Register 3 2a XDS Provide & Register 0b XDS Repository 6 Any DICOM XDS Retrieve Family Doctor PACS 2b Any DICOM LAB RID (Browser) 7 ITI Technical Committee

  4. Open Issues • XUA: Need all transactions where XUA is needed to support one method • XDS-Retrieve new option using Web-Services? • Provide/Register continues to not include XUA? • Query with XUA only with new stored query? • DICOM • DICOM standard support for SAML not yet done. • WADO: Not clear how to solve. Currently recommend Browser profile • PIX/PDQ • There is still times when user is not relevant, thus HL7 v2 is not invalid • Solution that doesn’t use SAML (Simple text user identity)? • What is the risk we are trying to mitigate? • Are the overrides appropriate mitigation vs the risk? • Assertion content (e.g. Specific attributes)? • Could include PWP attributes. • Likely need PWP updated first with clinical attributes from ISO. • Patient vs. Provider? Do we have specific attributes that are required of patients? • What do we do when the Service User is not a ‘service’? • Continue to utilize ATNA: TLS: Certificates? • Utilize SAML’s ability to assert a service identity? • Possibly do this in an appendix • Policy: The clinical user that is typically identified in the transaction is not likely to be a clinical user but rather a clerical individual. • Future could leverage SAML delegation as that mechanism matures • Actor/Transaction • The actor and transaction layout for Browser SSO is different from the one we want to use for Web-Services/DICOM ITI Technical Committee

  5. Recommendation • Browsers – SAML v2.0 SSO and ECP profile (as is currently written) • DICOM – SAML v2.0 Assertions encoded using DICOM user identity mechanism (currently in progress in DICOM) • HL7 v2 – NOT SUPPORTED • HL7 v3 – Supported when bound to Web-Services • Web-Services – Next version of WS-I Basic Security Profile that includes WS-SX standard ITI Technical Committee

  6. Cross-Enterprise User Authentication Three Year Plan • 2005: defined the use-cases and identified standards gaps • Profiled solution for Browser sessions • Profiled solution for HL7 v2 (should we remove?) • 2006: Set the stage (Work on non Web-Services parts) • Encourage XDS-Retrieve using Web-Service • Encourage XDS-Stored Query using Web-Services • Encourage PIX/PDQ with HL7 V3 using Web-Services • Update PWP with ASTM and ISO attributes so they can be available in SAML • Define attribute so that clinician, clerical, and patient are properly identified • Define SAML Assertion content, assurance levels. • Appendix to describe solution when ‘Service User’ is a ‘Service’ • Late 2006: support Web-Services transactions • Endorse: WS-Security, WS-SX, WS-I Basic Security Profile. • 2007: add other transactions • Profile DICOM transactions. ITI Technical Committee

  7. Meetings / Tcon • Update usecases, and Actor/Transaction layout. Add of Patient as user. Add of ‘service’ as user comment. • April 17 at 11:30 – 1:30 Central • Work on Assertion content requirements. Work on PWP integration of ISO dataset, talk about Patient • May 15 at 11:30 – 1:30 Central • Build section on Web-Services. Likely will duplicate much of what we expect in WS-I ITI Technical Committee

More Related