
HS.HC.IHE.XUA.Creator

class HS.HC.IHE.XUA.Creator extends %Library.RegisteredObject

IHE class for creating SAML tokens. This class is subject to change and should not be presumed to be final. Create HS.IHE.XUA.Config entries to set the properties of the Creator class for the settings required by a specific environment.

Parameters

parameter AudienceRestriction = http://ihe.connectathon.XUA/X-ServiceProvider-IHE-Connectathon;
parameter HSDEPLOY = 0;
parameter IssuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified;
parameter SignAssertionCreateOption = $$$KeyInfoX509Certificate;
Optionally use $$$KeyInfoRSAKey or $$$SOAPWSReferenceIssuerSerial
parameter SubjectNameFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified;
parameter UISETTINGS;
Parameter to define additional settings stored in the configuration

Properties

property CurrentSAMLData as HS.IHE.XUA.SAMLData;
Property methods: CurrentSAMLDataGet(), CurrentSAMLDataGetObject(), CurrentSAMLDataGetObjectId(), CurrentSAMLDataGetSwizzled(), CurrentSAMLDataIsEmpty(), CurrentSAMLDataIsValid(), CurrentSAMLDataNewObject(), CurrentSAMLDataSet(), CurrentSAMLDataSetObject(), CurrentSAMLDataSetObjectId(), CurrentSAMLDataUnSwizzle()
property Issuer as %String;
Property retrieved from the HS.IHE.XUA.Config which is a string to use for the SAML Issuer's name. Either Issuer should be set to a string containing the distinguished name of the RHIO's certificate, OR IssuerX509 should contain the alias of an X.509 certificate which references the RHIO's certificate. If both are set to "", an error will be reported when creating new tokens. IssuerX509 takes precedence over Issuer.
Property methods: IssuerDisplayToLogical(), IssuerGet(), IssuerIsValid(), IssuerLogicalToDisplay(), IssuerLogicalToOdbc(), IssuerNormalize(), IssuerSet()
property IssuerX509 as %String;
Property retrieved from the HS.IHE.XUA.Config which is an alias for an X.509 certificate object that will be used for the SAML Issuer, and for signing the created token if the SignCreatedAssertion property is true. Either Issuer should be set to a string containing the distinguished name of the RHIO's certificate, OR IssuerX509 should contain the alias of an X.509 certificate which references the RHIO's certificate. If both are set to "", an error will be reported when creating new tokens.
Property methods: IssuerX509DisplayToLogical(), IssuerX509Get(), IssuerX509IsValid(), IssuerX509LogicalToDisplay(), IssuerX509LogicalToOdbc(), IssuerX509Normalize(), IssuerX509Set()
property SignCreatedAssertion as %Boolean [ InitialExpression = 0 ];
Property retrieved from the HS.IHE.XUA.Config which controls whether created Assertions will be signed. This requires the IssuerX509 parameter to refer to a valid set of X.509 credentials.
Property methods: SignCreatedAssertionDisplayToLogical(), SignCreatedAssertionGet(), SignCreatedAssertionIsValid(), SignCreatedAssertionLogicalToDisplay(), SignCreatedAssertionNormalize(), SignCreatedAssertionSet()
property UseWSSSignature as %Boolean [ InitialExpression = 1 ];
Property retrieved from the HS.IHE.XUA.Config which controls whether created Assertions will be signed with the WSSecuritySignature or the Signature. Signing still requires SignCreatedAssertion to be set to true, and the IssuerX509 parameter to refer to a valid set of X.509 credentials.
Property methods: UseWSSSignatureDisplayToLogical(), UseWSSSignatureGet(), UseWSSSignatureIsValid(), UseWSSSignatureLogicalToDisplay(), UseWSSSignatureNormalize(), UseWSSSignatureSet()

Methods

method AddAttributes(pAssertion, pData As HS.IHE.XUA.SAMLData) as %Status
method AddAuthorizationStatement(pAssertion, pData)
method AddConditions(pAssertion) as %Status
Conditions
method AddSubject(pAssertion, pData As HS.IHE.XUA.SAMLData) as %Status
method AddSubjectConfirmation(pAssertion, ByRef pData) as %Status
Not required for IHE specification but used in NY SHINNY implementation
method AdditionalUserInformationToData(pRequest, pData As HS.IHE.XUA.SAMLData) as %Status
method Additions(pAssertion, pRequest As %Persistent) as %Status
Additional modifiers - override as required
method AudienceRestriction(pAssertion) as %SAML.AudienceRestriction
Audience restriction
method AuthzConsent(pAssertion, pRequest) as %Status
Method to add AuthorizationConsent to the assertion
method CommonInternalUserInformation(pData As HS.IHE.XUA.SAMLData) as %Status
Called when there is no SAML in the request, therefore building information from the request
method CreateSAML(pRequest As %Persistent, Output pAssertion As %SAML.Assertion) as %Status
Classmethod for creating SAML Assertions from XMLMessage objects.
OUTSTANDING ITEMS:
- User login time [ DUMMY VALUE = (now - 5 minutes) ]
- User login IP (i.e. from system) [ DUMMY VALUE = "10.0.1.123" ]
- User login DSN Name (i.e. from DNS name) [ DUMMY VALUE = "test.intersystems.com" ]
- User organization - should this be primary Facility? Defaults to UserRHIO if not found
- Purpose for use - where should this come from? BTG = Emergency, but otherwise...?
- Role and Category mapping - more specificity needed, will need user/implementation input to map HS roles
method FetchUser(pData As HS.IHE.XUA.SAMLData) as %Status
Override this method to provide a customized individual (user) lookup. Called by CommonInternalUserInformation. Updates:
pData.Working("EmailAddress")
pData.Working("UserFullName")
pData.Working("NPI")
method FetchUserOrganization(pData As HS.IHE.XUA.SAMLData) as %Status
Override this method to provide a customized organization lookup. Called by CommonInternalUserInformation. Updates:
pData.OrganizationOID
pData.Organization
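The two lookup hooks above are the usual customization point: the base class calls them from CommonInternalUserInformation when the incoming request carries no SAML assertion, so whatever they write into pData becomes the subject of the token the Creator issues. The following subclass is an added example, not HealthShare code. It assumes a site-maintained user directory in the globals ^MyApp.XUA.Users and ^MyApp.XUA.Facilities, the key names pData.Working("UserName") and pData.Working("FacilityCode"), the class name MyApp.IHE.XUA.Creator, and that falling back to ##super() for an unknown facility yields the base-class default (UserRHIO, as the CreateSAML notes state); all of these are assumptions for the example. The design point is that an unknown user produces an error status rather than an assertion with blank identity attributes.

```objectscript
/// Added example subclass (not part of HealthShare). Overrides the user and
/// organization lookups with reads from a constructed internal directory held in
/// ^MyApp.XUA.Users and ^MyApp.XUA.Facilities (assumed globals for this example).
Class MyApp.IHE.XUA.Creator Extends HS.HC.IHE.XUA.Creator
{

/// Populate the SAML subject attributes from the internal directory.
/// The lookup key pData.Working("UserName") is an assumption for this example.
Method FetchUser(pData As HS.IHE.XUA.SAMLData) As %Status
{
    Set tSC = $$$OK
    Try {
        Set tUserName = $Get(pData.Working("UserName"))
        If tUserName = "" {
            // Refuse to build an assertion for a caller with no identity instead of
            // issuing a token whose subject attributes are empty.
            Set tSC = $$$ERROR($$$GeneralError, "XUA: no user name available for subject lookup")
            Quit
        }
        If '$Data(^MyApp.XUA.Users(tUserName)) {
            Set tSC = $$$ERROR($$$GeneralError, "XUA: user '"_tUserName_"' not found in internal directory")
            Quit
        }
        // These three keys are the ones the base class documents for FetchUser.
        Set pData.Working("EmailAddress") = $Get(^MyApp.XUA.Users(tUserName, "Email"))
        Set pData.Working("UserFullName") = $Get(^MyApp.XUA.Users(tUserName, "FullName"))
        Set pData.Working("NPI")          = $Get(^MyApp.XUA.Users(tUserName, "NPI"))
        // Carry the user's facility forward for FetchUserOrganization (assumed key).
        Set pData.Working("FacilityCode") = $Get(^MyApp.XUA.Users(tUserName, "Facility"))
    } Catch ex {
        Set tSC = ex.AsStatus()
    }
    Quit tSC
}

/// Resolve Organization and OrganizationOID from the facility recorded by FetchUser.
Method FetchUserOrganization(pData As HS.IHE.XUA.SAMLData) As %Status
{
    Set tSC = $$$OK
    Try {
        Set tFacility = $Get(pData.Working("FacilityCode"))
        If (tFacility = "") || ('$Data(^MyApp.XUA.Facilities(tFacility))) {
            // Unknown facility: defer to the base-class behaviour rather than
            // asserting an organization this site cannot vouch for.
            Set tSC = ##super(pData)
            Quit
        }
        // These two properties are the ones the base class documents for this hook.
        Set pData.Organization    = $Get(^MyApp.XUA.Facilities(tFacility, "Name"))
        Set pData.OrganizationOID = $Get(^MyApp.XUA.Facilities(tFacility, "OID"))
    } Catch ex {
        Set tSC = ex.AsStatus()
    }
    Quit tSC
}

/// Constructed sample directory entries for exercising the overrides; not real data.
/// The OID sits under the 2.999 arc, which is reserved for examples.
ClassMethod SeedSampleDirectory()
{
    Set ^MyApp.XUA.Users("jdoe", "Email")     = "jdoe@example.org"
    Set ^MyApp.XUA.Users("jdoe", "FullName")  = "Jane Doe"
    Set ^MyApp.XUA.Users("jdoe", "NPI")       = "0000000000"
    Set ^MyApp.XUA.Users("jdoe", "Facility")  = "FAC1"
    Set ^MyApp.XUA.Facilities("FAC1", "Name") = "Example Community Hospital"
    Set ^MyApp.XUA.Facilities("FAC1", "OID")  = "2.999.1.1"
}

}
```

To use the subclass, point the configuration that selects the Creator class at MyApp.IHE.XUA.Creator instead of HS.HC.IHE.XUA.Creator (how that selection is made is outside this page). Because the overrides return a failing %Status for an unknown user, the caller sees the error from CreateSAML rather than a signed assertion with empty attributes, which is the behaviour a relying party should prefer.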
classmethod ForwardSAML(pRequest As HS.Message.XMLMessage, Output pAssertion As %SAML.Assertion) as %Status
classmethod GetNodeName() as %String
This attempts to get the domain name from %SYS.System and return something like MyHost.Mydomain.Com. If no domain can be found, it defaults to MyHost.
method MapPurposeOfUse(pData As HS.IHE.XUA.SAMLData) as %Status
Called by CommonInternalUserInformation.
classmethod MapRoles(pData) as %Status
Map internal HealthShare roles into a Role object which uses SNOMED CT as the code system. Implementations should override this method and use their own mapping based on their roles and user data.
method NewAssertion(pAssertion) as %Status
Build the Assertion signed or not signed
method RequestUserInformationToData(pRequest, pData As HS.IHE.XUA.SAMLData) as %Status
Convert HS.Types.RequestInfo into pData
method SignAssertion(pAssertion) as %Status
method UserInformationToData(pRequest) as %Status
