Transaction to retrieve a SAML 2.0 assertion for authorization of transactions in the Swiss EPR. Primary systems shall use this transaction to retrieve SAML 2 assertions to be used with EPR transactions which require authorization.
The following snippet is taken from a sample request recorded during the EPR projectathon in September 2020. Some elements are omitted to increase readability. The raw request file may be found here.
The snippet shows a request performed by a healthcare professional performing normal access. For other roles and situations the claims are different. Other examples may be found at XUA examples.
The request message shall be an XML SOAP envelope with the query embedded in the Body element of the SOAP envelope. The SOAP Header element conveys the following information:
MessageID element: a UUID of the message.
Action element: The SOAP action identifier of the query as defined in the IHE ITI Technical Framework.
Security element: The Web Service Security header as defined in the WS Security specification. This element must contain the IdP Assertion taken from user authentication (see Authenticate User).
purposeOfUse conveying the purpose of use of the request, which must be taken from the EPR value set defined in Annex 3 of the ordinances of the Swiss electronic patient dossier.
The following snippet is taken from a sample response recorded during the EPR projectathon in September 2020. Some elements were omitted to increase readability. The raw file may be found here.
The response message is an XML SOAP envelope with the XUA Assertion embedded in the Body element of the SOAP envelope (see example below, lines 21 to 23). Primary systems shall extract the XUA Assertion and use it in the security header of the XDS.b transactions which require authorization. For primary systems, there is no need to extract information from the XUA assertion.
The XUA Assertion is omitted in the snippet below. For examples see here.
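The handling described above, as an added example that is not part of this page or of any EPR community's code: it pulls the single saml2:Assertion out of the SOAP Body of a WS-Trust response, refuses it outside its Conditions validity window, and places it into the wsse:Security header of a follow-on XDS.b envelope. The response below is constructed and reduced to the elements the checks need (assumed WS-Trust 1.3 element names, placeholder assertion ID); the XDS.b Body is left to the caller.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():  # keep readable prefixes when serialising
    ET.register_namespace(prefix, uri)

# Constructed sample response (not the projectathon recording): the XUA
# assertion sits in RequestedSecurityToken inside the SOAP Body.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <soap:Body>
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse>
        <wst:RequestedSecurityToken>
          <saml2:Assertion ID="_xua-constructed-1" Version="2.0">
            <saml2:Conditions NotBefore="2020-09-15T10:00:00Z" NotOnOrAfter="2020-09-15T11:00:00Z"/>
          </saml2:Assertion>
        </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soap:Body>
</soap:Envelope>"""

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_xua_assertion(response_xml, now):
    """Return the one saml2:Assertion from the Body; reject it outside its validity window."""
    body = ET.fromstring(response_xml).find("soap:Body", NS)
    found = body.findall(".//saml2:Assertion", NS) if body is not None else []
    if len(found) != 1:  # a token anywhere else (e.g. in the Header) is not the XUA assertion
        raise ValueError(f"expected exactly one Assertion in Body, found {len(found)}")
    cond = found[0].find("saml2:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    return found[0]

def security_header_for_xds(assertion, action):
    """Envelope skeleton for a follow-on XDS.b request; the XUA assertion goes into wsse:Security."""
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    header = ET.SubElement(env, f"{{{NS['soap']}}}Header")
    ET.SubElement(header, f"{{{NS['wsa']}}}Action").text = action
    ET.SubElement(header, f"{{{NS['wsse']}}}Security").append(assertion)
    ET.SubElement(env, f"{{{NS['soap']}}}Body")  # the transaction's own payload goes here
    return ET.tostring(env, encoding="unicode")
```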
The primary system shall send the request message to the X-Assertion Provider of the community using the HTTP POST binding as defined in the W3C SOAP specification. It may look like:
Primary systems shall log the request and response for traceability. There are no further requirements on logging defined in the ordinances of the Swiss EPR.
To ensure privacy, the transaction must be secured using HTTPS with mutual authentication, using X.509 certificates (extended validation required) and client- and server-side certificate validation.
The retrieval of an XUA assertion requires user authentication by providing the IdP assertion in the Security header of the SOAP envelope (see Message Semantics). The IdP assertion shall be retrieved by the primary system by using the Authenticate User transaction.