SAML SSO with Healthcare Context Proposal (Short)



Similar documents
SAML SSO with Healthcare Context

OIOSAML Rich Client to Browser Scenario Version 1.0

Authentication Integration

Microsoft Office 365 Using SAML Integration Guide

Agenda. How to configure

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Getting Started with AD/LDAP SSO

HP Software as a Service. Federated SSO Guide

HP Software as a Service

The increasing popularity of mobile devices is rapidly changing how and where we

Web Based Single Sign-On and Access Control

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

How To Use Saml 2.0 Single Sign On With Qualysguard

Single Sign On Integration Guide. Document version:

A Standards-based Mobile Application IdM Architecture

SAML-Based SSO Solution

SAML-Based SSO Solution

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Okta Identity Management for Portals Built on Salesforce.com. An Architecture Review. Okta Inc. 301 Brannan Street San Francisco, CA 94107

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

SAM Context-Based Authentication Using Juniper SA Integration Guide

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

SAML SSO Configuration

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

SAML application scripting guide

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

SAML and OAUTH comparison

The Top 5 Federated Single Sign-On Scenarios

Authentication Methods

Authentication and Single Sign On

Single Sign On for ShareFile with NetScaler. Deployment Guide

T his feature is add-on service available to Enterprise accounts.

Introduction to SAML

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

Leveraging SAML for Federated Single Sign-on:

RealMe. Technology Solution Overview. Version 1.0 Final September Authors: Mick Clarke & Steffen Sorensen

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

Copyright: WhosOnLocation Limited

Image Enabled EMR / EHR

Connected Data. Connected Data requirements for SSO

OpenID Connect 1.0 for Enterprise

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Identity Implementation Guide

The Imaging Continuum

How to create a SP and a IDP which are visible across tenant space via Config files in IS

IHE Radiology Technical Framework Supplement. Invoke Image Display (IID) Trial Implementation

PingFederate. IWA Integration Kit. User Guide. Version 3.0

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

OIO Web SSO Profile V2.0.5

Single Sign On. SSO & ID Management for Web and Mobile Applications

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Flexible Identity Federation

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo

Invoke Image Display (IID) David Clunie PixelMed

Building Secure Applications. James Tedrick

CA Nimsoft Service Desk

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

SAML Authentication Quick Start Guide

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Perceptive Experience Single Sign-On Solutions

MLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications

OIX IDAP Alpha Project - Technical Findings

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

Egnyte Single Sign-On (SSO) Installation for OneLogin

Q&A Session for Understanding Atrium SSO Date: Thursday, February 14, 2013, 8:00am Pacific

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

Configuring Salesforce

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Copyright Pivotal Software Inc, of 10

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Lecture Notes for Advanced Web Security 2015

Web Applications Access Control Single Sign On

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Evaluation of different Open Source Identity management Systems

OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

Getting Started with Single Sign-On

IBM WebSphere Application Server

TIB 2.0 Administration Functions Overview

CA Performance Center

Sign-On projektet. HL7-CCOW Context Management: A National Sign-on Profile

Leverage Active Directory with Kerberos to Eliminate HTTP Password

SAML for EPCS (Electronic Prescription of Controlled Substances)

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Transcription:

SAML SSO with Healthcare Context Proposal (Short) 1. Proposed Work Item: Health Context Sharing via SAML Proposal Editors: Alex DeJong, Siemens Healthcare Work item Editors: Jim McInnis, Siemens Healthcare Alex DeJong, Siemens Healthcare Date: 23-Sep-14 Version: v01.00 Domain: IT Infrastructure 2. The Problem UI interoperability provides the ability to launch one application from another. This includes the ability to authenticate the user to the launched application and, in many cases, passing context, such as a patient identifier. Sometimes this functionality is referred to as SSO between applications. HL7 CCOW has defined context switching which many products use for establishing user context (and SSO). HL7 CCOW based solutions tend to require a dedicated CCOW manager product and support in each of the products participating in the context. Implementations tend to be costly given the broad scope of CCOW. Many commercial products have implemented a simpler mechanism to allow secure launch of their products without an explicit username and password. These proprietary mechanisms typically use a combination of plain-text arguments for context and a hash (e.g. MD5) to protect the integrity of some or all of the arguments. A salted hash using a shared secret, username, password and/or date/time component, are used as the authentication mechanism. There is currently no standard mechanism defined across the healthcare industry to securely pass user and other healthcare context which results in incompatible solutions for healthcare customers requiring custom adapters to integrate products.

SAML has become widely used across industries to assert user identity and has a built-in mechanism to support additional attributions on the assertion. SAML leverages digital certificates as its security mechanism and has already defined many elements relevant to this use-case (e.g. issuer, conditions for expiration, audience restrictions)., There is currently a lack of guidance in the healthcare industry for how vendors can consistently implement SAML to achieve UI interoperability in healthcare workflows. This profile defines the use of SAML for UI interoperability. Because SAML is a broad set of specifications that can be used in many contexts, a profile that constrains the underlying SAML standards and simplifies the adoption across healthcare products is necessary. By providing a definition of healthcare context parameters typical in many healthcare workflows, this profile helps to ensure out-of-the-box SSO compatibility between compliant SAML SPs and IdPs as implemented by different organizations. Benefits for products using this profile: Leverages SAML industry standard and middleware software support for this standard. Provides guidance for use of the SAML SSO within healthcare. Provides mechanisms for expressing healthcare domain attributes (e.g. patient information, image accession and study information). 3. Key Use Cases A scenario in a healthcare organization could look like this: A physician walks up to a workstation on the floor and logs into the hospital s web based Clinical Information System (CIS). After selecting a patient in the CIS and reviewing the patient s information, the physician wants to view the X-ray image, which can be accessed via a link in the CIS. The CIS passes patient and a DICOM image study identifier as the context. The DICOM image is natively rendered within a Picture Communication and Archive System (PACS) application. Similarly, the physician might want to review information available in a regional Health Information Exchange (HIE). Patient context, such as MRN, gender, date of birth, etc. would be passed to the browser-based HIE portal to load information available in the HIE for the given patient. Many other variants are possible with many different types of systems. 4. Standards & Systems To ensure a secure flow, this proposal advocates use of the SAML SSO Web Browser Profile for the interactions as described in the previous use cases. The CIS is the SAML Identity Provider (IdP) while the image viewer and HIE application are SAML Service Providers (SPs). When selecting the link, the web browser uses the SAML protocols to securely sign on by generating and passing a SAML assertion and using an HTTP post to the PACS viewer. The PACS viewer validates the token and uses the context to show the correct image. The following documents are reference standards on which the profile is built:

SAML 2.0 Core Specification: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf SAML 2.0 Bindings Specification: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0- os.pdf SAML 2.0 Profiles: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf Health Level 7 (HL7) Clinical Context Object Working group (CCOW): CCOW Subject Specification 1.5 Additional references that might be useful and could be referenced in the profile: SAML 2.0 Technical Overview: https://www.oasis-open.org/committees/download.php/27819/sstcsaml-tech-overview-2.0-cd-02.pdf 5. Discussion Siemens Healthcare has authored a SAML interoperability profile to ensure SSO interoperability across its Healthcare products. It has successfully implemented this profile with various vendors and consulting teams to realize seamless end-user interoperability in healthcare products while providing a secure login and passing clinical context such as patient and other relevant information as part of the scenario. The profile is built on the following SAML standards: - SAML Web Browser SSO Profile - SAML Post Binding - SAML attribute names for common healthcare context parameters The context attribute naming convention is compliant with the Health Level 7 (HL7) Clinical Context Object Working group (CCOW) naming as outlined in the CCOW Subject Specification 1.5. In addition, the following rules apply to allow for easy interoperability: All attribute names are case insensitive (i.e. Patient.Id.MRN is the same as patient.id.mrn). If SP required attributes are not provided by the IdP, the SP shall report an error. Attributes provided by the IdP but not recognized by the SP shall be ignored by the SP. o Note: It is thus not possible to use attributes that restrict access, e.g., indications that a user may view a subset of information only, as older applications might ignore them and open up for broader access than allowed. Product attributes must use the defined attribute names as defined in the table shown Name Cardinality Description User.Co.Membership 0..n Membership represents the user's group memberships. User group membership values should consider use of URI or LDAP notation. For example: ldap://companydomain/cn=physicians,ou=groups,o U=Site-A,DC=DC1,DC=company =com, or WinNT://CompanyDomain/someone.important.

Patient.Id.MPI 0..1 Patient s medical record number, per PID-2. Master Patient Index (MPI) or Patient Number (PN). MPI can be used to uniquely identify a patient across an enterprise. Patient.Id.MRN 0..1 Patient s medical record (MR) number, per HL7 PID-2. Patient.Id.MRN.AssigningAuth ority 0..1 Patient s medical record number's location, per HL7 PID- 2.4 Assigning Authority, Hierarchic Designator (HD) datatype. The recommended content includes both the authority name and ISO identifier. The value of the attribute would be set to the assigning authority of the Patient.Id.MRN. This is the mechanism to specify the assigning authority (or location) of a patient with a fixed attribute name. Examples: Encounter.Id.AccountNumber 0..1 Patient Account number (AN). Encounter.Id.VisitNumber 0..1 Patient Visit Number (VN). Patient.Co.PatientName 0..1 Patient.Co.Sex 0..1 Patient.Co.DateTimeOfBirth 0..1 DICOMStudy.Id.InstanceUID 0..1 DICOMSeries.Id.InstanceUID 0..1 DICOMStudy.Co.Accession_N umber 0..1 Patient.Id.MRN.AssigningAuthority=Westche ster_clinic indicates that the MRN is assigned for the Westchester location. Patient.Id.MRN.AssigningAuthority=Westche ster_clinic^2.16.840.1.113883.19.5^iso indicates that the MRN is assigned for the Westchester_Clinic that has an identifier 2.16.840.1.113883.19.5 assigned by ISO. Patient s legal name, per HL7 PID-5. Examples: Lastname^Firstname^Middle^Suffix^Prefix, Marchant^Olin^^^^ Patient s gender, per HL7 PID-8. Patient s Date and time of birth, per HL7 PID-7. The value of the DICOMStudy.Id.InstanceUID item corresponds to either: The DICOM Study Instance UID (0020,000D) attribute of a composite DICOM object The DICOM SOP Instance UID (0008,0018) attribute of a normalized DICOM object of the Detached Study Management SOP Class. Can only be used with a valid MRN or MPI. The DICOM series subject is an identity subject that represents a specific DICOM series object for a specific patient. Can only be used with a valid MRN or MPI. The AccessionNumber is an identification which appears at DICOM Study level, and this is generally used along with patient.id for image call-up of specific studies by radiology information system (RIS) or thirdparty applications. This is the identifier that makes it

Session.Co.InactivityTimeOut 0..1 Session.Co.LogoffURL 0..1 possible for information systems to link orders with images. Session inactivity time out in seconds Uniform Resource Locator (URL) which can be provided by the SAML IdP to inform the SAML SP where to redirect the user after the user logged off from the SAML SP in a SAML IdP initiated SSO flow. A SAML SP is not required to use the provided URL even when provided by the SAML IdP. All attributes are considered optional in the profile. Each product defines which specific attributes are required and products can choose to support additional attributes, not listed in the table. The set shown in the table above are commonly used in many UI interoperability use cases.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information