
Identity Federation in Healthcare Networks

Xiaohui Chen

Department of Computer Science

University of Virginia



Agenda

  • Introduction

  • Current Efforts

  • System Design

  • System Implementation

  • Demo

  • Conclusions and future work

Department of Computer Science, University of Virginia



Introduction

  • What is identity?

    • The distinguishing characteristic or personality of an individual

  • Why is identity important?

    • All the important things you do require your identity

  • Why has identity become a problem?

    • Enterprise side

    • Personal side


Introduction

  • Our proposed solution

    • “Identity Federation”

    • “The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains ”


Medical Data Portal (architecture slide)

Components shown: Medical Data Portal; Ancillary Services; Data Repository and Web Service (WSE 2.0, WS-Policy); Authentication Web Service (Secure Token Service); Authorization Web Service (Authorization Engine); Authorization Rules. External parties shown: Clinics, Pharmacy, Insurance, Billing.

Authentication devices shown: HP5550 fingerprint scanner, signature, e-Token, RFID.

Message labels shown: initial login; store cookie; request authentication token; return generated token; data request + authentication token; data; authorization request; authorization decision; trust establishment and federation.

WS-Policy fragment attached to the data web service, requiring a trust-level token issued by the trust-level STS:

  <wsp:Policy wsu:Id="trustlevelsec-token">
    <wssp:SecurityToken wsp:Usage="wsp:Required">
      <wssp:TokenType>http://cs.virginia.edu/tl#TrustLevelToken</wssp:TokenType>
      <wssp:TokenIssuer>http://cs.virginia.edu/TrustLevelSTS.asmx</wssp:TokenIssuer>
      <wstl:TrustLevel>2.5</wstl:TrustLevel>
    </wssp:SecurityToken>
  </wsp:Policy>

Authorization rules fragment (each <Condition> compares a context attribute with an expected value):

  .....
  <Condition>
    <Context>IsAttending</Context>
    <Operator>==</Operator>
    <Expected>true</Expected>
  </Condition>
  <Condition>
    <Context>TrustLevel</Context>
    <Operator>&gt;=</Operator>
    <Expected>Fingerprint</Expected>
  </Condition>
  .....
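The slide shows the authorization engine's rule format but not how a rule is evaluated. The following is an added example, not code from the presentation or from the University of Virginia project: a small evaluator for the <Condition> format that resolves the name of an authentication method (Fingerprint) to a numeric, comparable trust level before applying the operator, and denies on anything it cannot evaluate. The TRUST_LEVELS table, the rule set, the functions evaluate_rule and authorize, and the context field names are constructed for this example.

```python
"""Added example (not from the presentation): evaluator for the <Condition>
rule format shown on the Medical Data Portal slide, with a numeric trust
level as one of the evaluated attributes."""
import operator
import xml.etree.ElementTree as ET

# Constructed mapping of authentication method to numeric trust level. The
# presentation only shows that levels are numeric and comparable (e.g. 2.5);
# these particular values are assumed for the example.
TRUST_LEVELS = {
    "Password": 1.0,
    "e-Token": 2.0,
    "Fingerprint": 2.5,
    "Fingerprint+e-Token": 3.0,
}

OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
}

# Constructed rule set in the slide's <Condition> format. The second condition
# compares the caller's numeric trust level with the level assigned to
# fingerprint login, so a password-only session is refused.
RULES_XML = """
<Rule name="read-patient-record">
  <Condition>
    <Context>IsAttending</Context>
    <Operator>==</Operator>
    <Expected>true</Expected>
  </Condition>
  <Condition>
    <Context>TrustLevel</Context>
    <Operator>&gt;=</Operator>
    <Expected>Fingerprint</Expected>
  </Condition>
</Rule>
"""


def _expected_as(value, expected):
    """Convert the <Expected> string to the type of the context value.
    A numeric context value may be compared to a number or to the name of
    an authentication method, which is resolved through TRUST_LEVELS."""
    if isinstance(value, bool):
        return expected.strip().lower() == "true"
    if isinstance(value, (int, float)):
        name = expected.strip()
        return TRUST_LEVELS[name] if name in TRUST_LEVELS else float(name)
    return expected.strip()


def evaluate_rule(rule_xml, context):
    """Return True only if every <Condition> holds for the context dict.
    A missing context key, unknown operator or unparsable expected value
    denies the request instead of skipping the condition (fail closed)."""
    root = ET.fromstring(rule_xml.strip())
    for cond in root.findall("Condition"):
        key = (cond.findtext("Context") or "").strip()
        op = (cond.findtext("Operator") or "").strip()
        expected = cond.findtext("Expected") or ""
        if key not in context or op not in OPERATORS:
            return False
        actual = context[key]
        try:
            if not OPERATORS[op](actual, _expected_as(actual, expected)):
                return False
        except (KeyError, ValueError, TypeError):
            return False
    return True


def authorize(is_attending, auth_method):
    """Build the context for a session authenticated with auth_method and
    evaluate the constructed rule. An unknown method gets no trust level,
    so the TrustLevel condition denies."""
    context = {"IsAttending": is_attending}
    if auth_method in TRUST_LEVELS:
        context["TrustLevel"] = TRUST_LEVELS[auth_method]
    return evaluate_rule(RULES_XML, context)


if __name__ == "__main__":
    for attending, method in [(True, "Fingerprint"), (True, "Password"),
                              (False, "Fingerprint"), (True, "SmartCard")]:
        verdict = "permit" if authorize(attending, method) else "deny"
        print(f"attending={attending} method={method} -> {verdict}")
```

The point of resolving "Fingerprint" to 2.5 at evaluation time is that a rule author can name the weakest acceptable authentication method while the engine still compares numbers, which is what makes trust levels usable across domains whose methods differ.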



Current Efforts

  • OASIS and SAML

  • Microsoft, IBM and WS-Roadmap

  • Liberty Alliance

  • .NET Passport

  • Shibboleth


System Design

  • Identity Federation by inter-domain identity mapping through anonymous token/attribute exchange via Token Exchange Service

  • Why choose this design?


System Design

  • Key Ideas:

    • Identity establishment/management with strong authentication

    • Trust establishment between domains

    • Universal identity with inter-domain identity mapping and attribute mapping

    • Inter-domain security information exchange via Token Exchange Server

    • Privacy protection – pseudonym, attribute exchange

    • Request forwarding for web single sign-on


System Design

  • Strong authentication

    • Biometric

    • Non-biometric

    • Two factors

  • Trust levels

    • Numerical

    • Comparable


System Design

  • Identity mapping

    • One-to-one

    • Many-to-one

    • One-to-many

    • Pseudonym

(diagram: example e-mail identities of one user across several domains; the addresses were obscured in the source)


System Design

  • Attribute mapping

    • Any security information can establish meaningful mappings between domains along with a user’s identity, e.g. trust level mapping, role mapping, privilege mapping …

    • Standard attribute names
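The slides name the four identity-mapping kinds (one-to-one, many-to-one, one-to-many, pseudonym) and say that attributes such as trust level and role are mapped to standard names alongside the identity, but give no concrete mechanism. The following is an added example, not code from the presentation or from the project: a toy Token Exchange Service that resolves a local identity to the identities a partner domain knows it by, falls back to a keyed pseudonym when no explicit mapping exists, and translates local attribute names and values (including a numeric trust level) into standard ones. The domain names, user names, IDENTITY_MAP, ATTRIBUTE_MAP, PSEUDONYM_KEY and the function names are all constructed for this example.

```python
"""Added example (not from the presentation): identity and attribute mapping
as a token exchange service might perform it between two trust domains."""
import hashlib
import hmac

# Constructed identity mapping table: (source domain, local id, target domain)
# -> identities the target domain knows the user by. A list with several
# entries is a one-to-many mapping; two local ids that resolve to the same
# target id form a many-to-one mapping.
IDENTITY_MAP = {
    ("hospital.example", "dr.smith", "pharmacy.example"): ["smith.j"],
    ("hospital.example", "dr.smith", "insurance.example"): ["prov-1001", "prov-1002"],
    ("hospital.example", "nurse.lee", "pharmacy.example"): ["ward7-nurse"],
    ("hospital.example", "nurse.kim", "pharmacy.example"): ["ward7-nurse"],
}

# Constructed attribute mapping: local attribute name -> (standard name,
# local value -> standard value). Trust levels become numeric so that the
# receiving domain can compare them.
ATTRIBUTE_MAP = {
    "hospital.example": {
        "AuthMethod": ("TrustLevel", {"password": 1.0, "etoken": 2.0, "fingerprint": 2.5}),
        "StaffRole": ("Role", {"attending": "physician", "rn": "nurse"}),
    },
}

# Constructed demo key; a deployment would hold one secret per domain pair.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonym(source_domain, local_id, target_domain):
    """Stable pseudonym for (user, target domain): the target sees the same
    handle on every visit, cannot invert it to the local id without the key,
    and two target domains receive different handles so they cannot
    correlate the user between them."""
    msg = f"{source_domain}|{local_id}|{target_domain}".encode()
    return "pseud-" + hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:16]


def map_identity(source_domain, local_id, target_domain):
    """Identities target_domain knows this user by. With no explicit mapping
    the service falls back to a pseudonym, so no local id leaks by default."""
    targets = IDENTITY_MAP.get((source_domain, local_id, target_domain))
    if targets:
        return list(targets)
    return [pseudonym(source_domain, local_id, target_domain)]


def map_attributes(source_domain, attrs):
    """Translate local attribute names and values to the standard names.
    Attributes with no mapping are dropped rather than forwarded."""
    mapped = {}
    for name, value in attrs.items():
        entry = ATTRIBUTE_MAP.get(source_domain, {}).get(name)
        if entry is None:
            continue
        std_name, values = entry
        if value in values:
            mapped[std_name] = values[value]
    return mapped


def exchange_token(source_domain, local_id, attrs, target_domain):
    """Token the exchange service hands to target_domain: mapped subjects
    plus mapped attributes, never the raw local security record."""
    return {
        "issuer": source_domain,
        "audience": target_domain,
        "subjects": map_identity(source_domain, local_id, target_domain),
        "attributes": map_attributes(source_domain, attrs),
    }


if __name__ == "__main__":
    print(exchange_token("hospital.example", "dr.smith",
                         {"AuthMethod": "fingerprint", "StaffRole": "attending", "SSN": "redacted"},
                         "pharmacy.example"))
    print(exchange_token("hospital.example", "dr.smith",
                         {"AuthMethod": "password"}, "news.example"))
```

Two design choices carry the privacy point of the slides: unmapped attributes are dropped rather than passed through, and the pseudonym is keyed per target domain, so a news portal and an insurer that both federate with the hospital cannot join their records on the handle they receive.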


System Design

  • Trust Relation Setup

    • Defined by policy files

    • Administrated by authority

    • With whom to federate identity?

    • How to federate identity?


System Design

  • Inter-domain security information exchange

    • Heterogeneous systems have different security information formats

    • Attribute exchange via standard web service interface

    • Standard token formats – SAML, WS-Trust

  • Single-Sign-On


System Design

  • Security Token Service

  • Token Exchange Service

  • Trust Authority

System Design (diagram slide)

System Design

  • Security Token Service

    • WSE 2.0 based

    • Attribute extension

      • Trust level

      • Location

      • Time

      • Role

    • Identity Federation extension

      • Inter-domain request control

      • Endpoint for inter-domain security information exchange with web service

      • Identity and attribute mapping


System Design

  • Token Exchange Service

    • Facilitates inter-domain security information exchange with request forwarding

    • Automatic directory lookup

    • Trust broker

    • Define standard attribute names


System Design

  • Trust Authority

    • Manages inter-domain trust relationship

    • Publishes domain information

    • Defines attributes provided

    • Defines services provided
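The Trust Relation Setup, Token Exchange Service and Trust Authority slides describe trust relations defined in policy files and administered by an authority that publishes which partner domains are federated, which attributes and services each gets, and where to forward requests. The following is an added example, not code from the presentation or from the project, showing how such a policy file can drive the inter-domain request control mentioned on the Security Token Service slide. The JSON policy format, the domain names, the endpoint URLs, the min_trust_level field and the TrustAuthority class and check_inter_domain_request function are all constructed for this example.

```python
"""Added example (not from the presentation): a trust authority that loads a
policy file and publishes domain information, plus the check a security
token service runs on an inbound inter-domain request."""
import json

# Constructed policy file, as the trust authority of hospital.example would
# load it. Domain names, endpoint URLs and the field names are assumed.
TRUST_POLICY_JSON = """
{
  "domain": "hospital.example",
  "federates_with": {
    "pharmacy.example": {
      "token_formats": ["SAML", "WS-Trust"],
      "min_trust_level": 2.0,
      "attributes_provided": ["TrustLevel", "Role"],
      "services": ["prescription-submit", "prescription-status"],
      "exchange_endpoint": "https://sts.pharmacy.example/TokenExchange.asmx"
    },
    "news.example": {
      "token_formats": ["SAML"],
      "min_trust_level": 1.0,
      "attributes_provided": ["Pseudonym"],
      "services": ["web-sso"],
      "exchange_endpoint": "https://sts.news.example/TokenExchange.asmx"
    }
  }
}
"""


class TrustAuthority:
    """Loads the policy file and publishes domain information: with whom
    this domain federates, which attributes and services each partner gets,
    and where the partner's token exchange endpoint is."""

    def __init__(self, policy_json):
        self.policy = json.loads(policy_json)

    def domain_info(self, domain):
        """Published information for a partner domain, or None if untrusted."""
        return self.policy["federates_with"].get(domain)

    def exchange_endpoint(self, domain):
        """Directory lookup used when forwarding a request to a partner."""
        info = self.domain_info(domain)
        return info["exchange_endpoint"] if info else None


def check_inter_domain_request(authority, request):
    """Inter-domain request control at the security token service.
    request: {'from_domain', 'token_format', 'trust_level', 'service'}.
    Returns (accepted, reason); any failing check denies."""
    info = authority.domain_info(request["from_domain"])
    if info is None:
        return False, "no trust relation with source domain"
    if request["token_format"] not in info["token_formats"]:
        return False, "token format not accepted from this domain"
    if request["service"] not in info["services"]:
        return False, "service not federated with this domain"
    if request["trust_level"] < info["min_trust_level"]:
        return False, "trust level below the minimum agreed with this domain"
    return True, "accepted"


if __name__ == "__main__":
    ta = TrustAuthority(TRUST_POLICY_JSON)
    samples = [
        {"from_domain": "pharmacy.example", "token_format": "SAML", "trust_level": 2.5, "service": "prescription-submit"},
        {"from_domain": "pharmacy.example", "token_format": "SAML", "trust_level": 1.0, "service": "prescription-submit"},
        {"from_domain": "news.example", "token_format": "SAML", "trust_level": 1.0, "service": "prescription-submit"},
        {"from_domain": "unknown.example", "token_format": "SAML", "trust_level": 3.0, "service": "web-sso"},
    ]
    for req in samples:
        print(req["from_domain"], req["service"], "->", check_inter_domain_request(ta, req))
```

Keeping the per-partner minimum trust level in the same policy file as the service list means the administrator who decides with whom to federate also decides how strongly the partner must have authenticated its users, which is the pairing of "with whom" and "how" on the Trust Relation Setup slide.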

System Design (diagram slide)

System Implementation

  • Three trust domains

    • Medical portal – hospital

    • Pharmacy portal – pharmacy

    • News portal – MSN

  • Related services

    • Security token service

    • Trust authority

    • Token Exchange Service


System Implementation

  • Medical Portal

    • Authentication and authorization

    • Medical data management

    • Doctor/Patient portal service

    • Electronic prescription management/submission via active federation

    • Event alert system


System Implementation

  • Pharmacy Portal

    • Structurally the same as hospital portal

    • Electronic prescription management

    • Automatically sends/receives prescription information to hospital via active federation


System Implementation

  • Mock MSN Portal

    • Represents a third party news portal

    • Federates identity with hospital portal

    • Web Single-Sign-On


Demo

  • Trust Level

  • Alerts with active federation

  • Federation between MSN and hospital


Conclusion

  • Identity federation with user identity mapping between domains is flexible, maintainable and powerful

  • Token Exchange Service with web service security information exchange successfully hides local security system implementation

  • A trust authority that publishes domain information is a practical way to administer trust relationships

  • Levels of authentication provide one way to evaluate identity trustworthiness across domains

  • Identity federation with Single Sign-On successfully alleviates the identity crisis


Future Work

  • Fully automatic trust negotiation and establishment

  • More powerful attribute exchange/evaluation algorithm to protect user privacy

  • Become SAML compliant

  • Standards other than Microsoft and IBM’s WS-X

  • Integration with other federation approaches


Publications

  • Xiaohui Chen and Alfred C. Weaver, Identity Federation in Federated Trust Healthcare Network, Submitted to XXXX

  • Alfred C. Weaver, Samuel J. Dwyer III, Andrew M. Snyder, James Van Dyke, James Hu, Xiaohui Chen, Timothy Mulholland, Andrew Marshall, Federated, Secure Trust Networks for Distributed Healthcare IT Services, IEEE International Conference on Industrial Informatics, Banff, Alberta, Canada, August 2003

  • Junzhe Hu and Alfred C. Weaver, A Dynamic, Context-Aware Security Infrastructure for Distributed Healthcare Applications, Pervasive Security, Privacy, and Trust (PSPT2004), Boston, MA, August 2004

  • Alfred C. Weaver, Enforcing Distributed Data Security via Web Services, Workshop on Factory Communications (WFCS2004), Vienna, Austria, September 21-24, 2004
