SAML v2 and XACML v2 Integration

Project:  PicketLink

 

Since the PicketLink project provides both SAML v2 and XACML v2 capabilities, it also supports the XACML v2 profile of the SAML v2 specification.

 

Reference: Blog Post

What is provided?

As part of PicketLink, you are provided a servlet that accepts SOAP 1.1 requests containing a SAML payload with an XACML authorization decision request, and responds with the XACML authorization decision as a SAML statement placed in a SOAP 1.1 response.

 

NOTE:  If you are in need of a SOAP WSDL service for the PDP, refer to: http://community.jboss.org/wiki/XACMLPDPSOAPService

Steps to follow:

  1. Download the JBoss Identity stack from the project page (http://www.jboss.org/jbossidentity/)
  2. Create a web application and configure the following servlet in its web.xml:
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
       version="2.5">
       <context-param>
        <param-name>debug</param-name>
        <param-value>false</param-value>
       </context-param>
       <servlet>
         <servlet-name>SOAPServlet</servlet-name>
         <servlet-class>org.jboss.identity.federation.bindings.servlets.SOAPSAMLXACMLServlet</servlet-class>
         <init-param>
            <param-name>issuer</param-name>
            <param-value>redhatPdpEntity</param-value>
         </init-param>
         <init-param>
            <param-name>debug</param-name>
            <param-value>true</param-value>
         </init-param>
       </servlet>
       <servlet-mapping>
          <servlet-name>SOAPServlet</servlet-name>
          <url-pattern>/SOAPServlet</url-pattern>
       </servlet-mapping>
    </web-app>
    
  3. Then you should be able to send SOAP requests to http://host:port/somecontext/SOAPServlet

Configuration Options for the servlet:

The servlet takes a few init parameters that can be used for configuration:

  1. issuer  :  the issuer placed in all the decisions/statements sent back.
  2. debug :  true/false; emits more debug information.  Default: false.

XACML Policies

Under WEB-INF/classes, create a policies directory and put all your policies there.

Then create policyConfig.xml in the WEB-INF/classes directory, with the following content:

<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
   <ns:Policies>
      <ns:PolicySet>
         <ns:Location>policies/mypolicy-policy.xml</ns:Location>
      </ns:PolicySet>
   </ns:Policies>
   <ns:Locators>
      <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator">
      </ns:Locator>
   </ns:Locators>
</ns:jbosspdp>

 

Here we use the standard JBossXACML locator, referring to the main PolicySet packaged in the policies directory under WEB-INF/classes of the web archive.  For more information, refer to the JBossXACML guide.


API to make calls to XACML PDP

Users may find it hard to create the SOAP messages, SAML payloads, etc. needed to make XACML authorization request calls.  For this reason, starting with 1.0.0.alpha5 of the JBossIdentity stack, an API class is provided to take that burden away.

Assumptions:

  1. You are familiar with JBossXACML API.
  2. You have JBossIdentity stack installed in JBoss AS or Tomcat.

 

The API is as follows:

import org.jboss.identity.federation.api.soap.SOAPSAMLXACML;
import org.jboss.identity.federation.api.soap.SOAPSAMLXACML.Result;
import org.jboss.security.xacml.core.model.context.RequestType;

import static org.junit.Assert.assertTrue;


//Where your endpoint is located
String endpoint = "http://localhost:8080/test/SOAPServlet";

//If you want to name your issuer of SAML request
String issuer = "testIssuer";

//Create an XACML Request
RequestType xacmlRequest = getXACMLRequest(); //Look in example below
SOAPSAMLXACML soapSAMLXACML = new SOAPSAMLXACML();
         
Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
assertTrue("No fault", result.isFault() == false);
assertTrue("Decision available", result.isResponseAvailable());
assertTrue("Deny", result.isDeny());

 

Remember, in this use case we are talking to an unsecured PDP. If there is an http proxy or the PDP requires security, we will deal with that later (in our beta release probably).

 

Let's look at the signature of the Result class.

import org.jboss.identity.federation.org.xmlsoap.schemas.soap.envelope.Fault;
import org.jboss.security.xacml.core.model.context.DecisionType;

public class Result
{      
      public boolean isResponseAvailable()
      
      public boolean isFault()
      
      public DecisionType getDecision()
      
      public Fault getFault()
      
      public boolean isPermit()
      
      public boolean isDeny()
}

 

Let us look at a payload:

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
     <soap-env:Body>
          <xacml-samlp:XACMLAuthzDecisionQuery
               xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
               xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
               xacml-samlp:InputContextOnly="true" xacml-samlp:ReturnContext="true"
               ID="s22e30cf15f08e3da00d3837fcf5b6c8cf3fcc9e0f" Version="2.0"
               IssueInstant="2009-01-12T15:34:29Z">
               <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">vaPepEntity
               </saml:Issuer>
               <xacml-context:Request
                    xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance/"
                    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
                    <xacml-context:Subject
                         SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                         <xacml-context:Attribute
                              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>Doctor, Bob I</AttributeValue>
                         </xacml-context:Attribute>
                         <xacml-context:Attribute
                              AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>physician</AttributeValue>
                         </xacml-context:Attribute>
                         <xacml-context:Attribute
                              AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006
                              </AttributeValue>
                         </xacml-context:Attribute>
                         <xacml-context:Attribute
                              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:locality"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>Facility A</AttributeValue>
                         </xacml-context:Attribute>
                    </xacml-context:Subject>
                    <xacml-context:Resource>
                         <xacml-context:Attribute
                              AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>
                                   urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record
                              </AttributeValue>
                         </xacml-context:Attribute>
                         <xacml-context:Attribute
                              AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005
                              </AttributeValue>
                              <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003
                              </AttributeValue>
                         </xacml-context:Attribute>
                         <xacml-context:Attribute
                              AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>MA</AttributeValue>
                         </xacml-context:Attribute>
                         <xacml-context:Attribute
                              AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>Doctor, Bob I</AttributeValue>
                         </xacml-context:Attribute>
                    </xacml-context:Resource>
                    <xacml-context:Action>
                         <xacml-context:Attribute
                              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>read</AttributeValue>
                         </xacml-context:Attribute>
                    </xacml-context:Action>
                    <xacml-context:Environment>
                         <xacml-context:Attribute
                              AttributeId="urn:va:xacml:2.0:interop:rsa8:environment:locality"
                              DataType="http://www.w3.org/2001/XMLSchema#string">
                              <AttributeValue>Facility A</AttributeValue>
                         </xacml-context:Attribute>
                    </xacml-context:Environment>
               </xacml-context:Request>
          </xacml-samlp:XACMLAuthzDecisionQuery>
     </soap-env:Body>
</soap-env:Envelope>

 

This payload is from the HIMSS Technology Demonstration 2009 where JBoss participated.
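The request envelope above and the Result checks from the API section, as an added example that is not PicketLink's code: a small client-side Python module that builds the XACMLAuthzDecisionQuery envelope from attribute dictionaries and reduces the PDP's SOAP reply to the same isFault / isResponseAvailable / isPermit / isDeny checks. The page shows no reply, so the two reply samples are constructed for this example following the OASIS SAML 2.0 profile of XACML 2.0; the reply-side element names (samlp:Response, saml:Assertion, xacml-saml:XACMLAuthzDecisionStatement) are therefore assumptions about what a conforming PDP returns, and the issuer name is the one from the web.xml above. The HTTP POST itself is left out; any HTTP client can send the returned bytes to the servlet URL.

```python
# Added example, not PicketLink code: build the SOAP 1.1 / SAML 2.0
# XACMLAuthzDecisionQuery envelope shown on this page and reduce the PDP's SOAP
# reply to the checks the page's Result class exposes. Reply samples are
# constructed per the OASIS SAML 2.0 profile of XACML 2.0, not captured from PicketLink.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"   # query (request side)
XACML_SAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"   # statement (reply side)
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

for _prefix, _uri in (("soap-env", SOAP), ("samlp", SAMLP), ("saml", SAML),
                      ("xacml-samlp", XACML_SAMLP), ("xacml-saml", XACML_SAML),
                      ("xacml-context", XACML_CTX)):
    ET.register_namespace(_prefix, _uri)   # readable prefixes when serializing


def _add_attributes(parent, attributes, data_type=XS_STRING):
    """attributes: dict AttributeId -> list of values; a list of several gives a multi-valued attribute."""
    for attr_id, values in attributes.items():
        attr = ET.SubElement(parent, f"{{{XACML_CTX}}}Attribute",
                             AttributeId=attr_id, DataType=data_type)
        for value in values:
            ET.SubElement(attr, f"{{{XACML_CTX}}}AttributeValue").text = value


def build_authz_query(issuer, subject, resource, action, environment):
    """Serialize one XACMLAuthzDecisionQuery inside a SOAP 1.1 envelope (bytes)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    query = ET.SubElement(body, f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery", {
        f"{{{XACML_SAMLP}}}InputContextOnly": "true",
        f"{{{XACML_SAMLP}}}ReturnContext": "true",
        "ID": "s" + uuid.uuid4().hex,   # an xs:ID may not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    req = ET.SubElement(query, f"{{{XACML_CTX}}}Request")
    subj = ET.SubElement(req, f"{{{XACML_CTX}}}Subject",
                         SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject")
    _add_attributes(subj, subject)
    _add_attributes(ET.SubElement(req, f"{{{XACML_CTX}}}Resource"), resource)
    _add_attributes(ET.SubElement(req, f"{{{XACML_CTX}}}Action"), action)
    _add_attributes(ET.SubElement(req, f"{{{XACML_CTX}}}Environment"), environment)
    return ET.tostring(env, encoding="utf-8")


def query_attribute_values(envelope, attr_id):
    """Read back every value of one AttributeId from a serialized query (any category)."""
    root = ET.fromstring(envelope)
    path = f".//{{{XACML_CTX}}}Attribute[@AttributeId='{attr_id}']/{{{XACML_CTX}}}AttributeValue"
    return [v.text for v in root.findall(path)]


class Result:
    """Same shape as the page's SOAPSAMLXACML.Result: either a SOAP fault or a decision."""
    def __init__(self, fault=None, decision=None):
        self.fault, self.decision = fault, decision
    def is_fault(self): return self.fault is not None
    def is_response_available(self): return self.decision is not None
    def is_permit(self): return self.decision == "Permit"
    def is_deny(self): return self.decision == "Deny"   # Indeterminate/NotApplicable: neither


def parse_response(envelope):
    """Reduce the PDP's SOAP reply to a Result; anything unexpected yields 'no decision'."""
    body = ET.fromstring(envelope).find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("not a SOAP 1.1 envelope")
    fault = body.find(f"{{{SOAP}}}Fault")
    if fault is not None:   # SOAP 1.1 faultcode/faultstring are unqualified children
        return Result(fault=(fault.findtext("faultcode"), fault.findtext("faultstring")))
    response = body.find(f"{{{SAMLP}}}Response")
    if response is None:
        return Result()
    status = response.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is not None and status.get("Value") != SAML_SUCCESS:
        return Result()     # SAML-level failure: do not read a decision out of it
    decision = response.find(
        f"{{{SAML}}}Assertion/{{{XACML_SAML}}}XACMLAuthzDecisionStatement/"
        f"{{{XACML_CTX}}}Response/{{{XACML_CTX}}}Result/{{{XACML_CTX}}}Decision")
    text = (decision.text or "").strip() if decision is not None else ""
    return Result(decision=text or None)


# Constructed samples (not captured from PicketLink); issuer name taken from the page's web.xml.
SAMPLE_DENY_RESPONSE = f"""<soap-env:Envelope xmlns:soap-env="{SOAP}"><soap-env:Body>
<samlp:Response xmlns:samlp="{SAMLP}" ID="r1" Version="2.0" IssueInstant="2009-01-12T15:34:30Z">
 <samlp:Status><samlp:StatusCode Value="{SAML_SUCCESS}"/></samlp:Status>
 <saml:Assertion xmlns:saml="{SAML}" ID="a1" Version="2.0" IssueInstant="2009-01-12T15:34:30Z">
  <saml:Issuer>redhatPdpEntity</saml:Issuer>
  <xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="{XACML_SAML}">
   <xacml-context:Response xmlns:xacml-context="{XACML_CTX}"><xacml-context:Result>
    <xacml-context:Decision>Deny</xacml-context:Decision></xacml-context:Result></xacml-context:Response>
  </xacml-saml:XACMLAuthzDecisionStatement></saml:Assertion>
</samlp:Response></soap-env:Body></soap-env:Envelope>"""

SAMPLE_FAULT_RESPONSE = f"""<soap-env:Envelope xmlns:soap-env="{SOAP}"><soap-env:Body>
<soap-env:Fault><faultcode>soap-env:Server</faultcode>
<faultstring>Policy evaluation failed</faultstring></soap-env:Fault>
</soap-env:Body></soap-env:Envelope>"""
```

The one design point worth keeping if you adapt this: a SOAP fault, a non-Success SAML status, a missing statement or a Decision of Indeterminate/NotApplicable all leave the Result with no Permit, so the enforcement point must treat "no decision available" as a refusal and never infer Permit from the absence of Deny. Since the page's PDP is unsecured, nothing in this module authenticates the reply either; that is exactly the gap the text defers to a later release.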

 

Now let us look at the JUnit Test Case:

package org.jboss.test.identity.federation.bindings.util;

import java.util.ArrayList;
import java.util.List;

import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;

import org.jboss.identity.federation.api.soap.SOAPSAMLXACML;
import org.jboss.identity.federation.api.soap.SOAPSAMLXACML.Result;
import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.AttributeType;
import org.jboss.security.xacml.core.model.context.AttributeValueType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;

import org.junit.Test;

import static org.junit.Assert.assertTrue;

/**
 * Unit test for the SOAP SAML XACML API
 * @author Anil Saldhana
 */
public class SOAPSAMLXACMLUnitTestCase
{
   //Set to false when no end point is running locally; both tests are then skipped
   private boolean sendRequest = true;

   private String endpoint = "http://localhost:8080/pdp/SOAPSAMLXACMLPDP";

   private String issuer = "testIssuer";

   @Test
   public void testPermit() throws Exception
   {
      if(sendRequest)
      {
         //Create an XACML Request
         RequestType xacmlRequest = getXACMLRequest(true);
         SOAPSAMLXACML soapSAMLXACML = new SOAPSAMLXACML();

         Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
         assertTrue("No fault", result.isFault() == false);
         assertTrue("Decision available", result.isResponseAvailable());
         assertTrue("Permit", result.isPermit());
      }
   }

   @Test
   public void testDeny() throws Exception
   {
      if(sendRequest)
      {
         //Create an XACML Request
         RequestType xacmlRequest = getXACMLRequest(false);
         SOAPSAMLXACML soapSAMLXACML = new SOAPSAMLXACML();

         Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
         assertTrue("No fault", result.isFault() == false);
         assertTrue("Decision available", result.isResponseAvailable());
         assertTrue("Deny", result.isDeny());
      }

   }


   private RequestType getXACMLRequest( boolean permit)
   {
      RequestType requestType = new RequestType();
      requestType.getSubject().add(createSubject());
      requestType.getResource().add(createResource(permit));
      requestType.setAction(createAction());
      requestType.setEnvironment(createEnvironment(permit));
      return requestType;
   }

   private SubjectType createSubject()
   {
      //Create a subject type
      SubjectType subject = new SubjectType();
      subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject");

      subject.getAttribute().addAll(getSubjectAttributes()); 

      return subject;
   }

   public ResourceType createResource(boolean permit)
   {  
      ResourceType resourceType = new ResourceType();

      AttributeType attResourceID = RequestAttributeFactory.createStringAttributeType(
            "urn:va:xacml:2.0:interop:rsa8:resource:hl7:type", issuer, 
            "urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record");

      //Create a multi-valued attribute - hl7 permissions
      AttributeType  multi = new AttributeType();
      multi.setAttributeId("urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission");
      multi.setDataType("http://www.w3.org/2001/XMLSchema#string");

      if (issuer != null)
         multi.setIssuer(issuer); 

      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-010"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-012"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-005"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-003"));


      AttributeType attConfidentialityCode = RequestAttributeFactory.createStringAttributeType(
            "urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code", issuer, 
            "MA");

      AttributeType attDissentedSubjectId = RequestAttributeFactory.createStringAttributeType(
            "urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id", issuer, 
            "Doctor, Bob I");

      //Add the attributes into the resource
      resourceType.getAttribute().add(attResourceID);
      resourceType.getAttribute().add(multi);

      if(!permit)
         resourceType.getAttribute().add(attConfidentialityCode);

      resourceType.getAttribute().add(attDissentedSubjectId);

      if(permit)
      {    
         AttributeType start = RequestAttributeFactory.createTimeAttributeType(
               "urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start",
               issuer, getXMLTime("00:00:00-08:00"));
         AttributeType end = RequestAttributeFactory.createTimeAttributeType(
               "urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end",
               issuer, getXMLTime("23:59:00-08:00"));
         resourceType.getAttribute().add(start);
         resourceType.getAttribute().add(end);
      }

      return resourceType;
   }

   private ActionType createAction()
   {
      ActionType actionType = new ActionType();
      AttributeType attActionID = RequestAttributeFactory.createStringAttributeType(
            "urn:oasis:names:tc:xacml:1.0:action:action-id", issuer, "read");
      actionType.getAttribute().add(attActionID);
      return actionType;
   }

   private List<AttributeType> getSubjectAttributes()
   {
      List<AttributeType> attrList = new ArrayList<AttributeType>();

      //create the subject attributes

      //SubjectID - Bob
      AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
            "urn:oasis:names:tc:xacml:1.0:subject:subject-id", issuer, "Doctor, Bob I"); 

      //Role - Physician      
      AttributeType attRole = RequestAttributeFactory.createStringAttributeType(
            "urn:va:xacml:2.0:interop:rsa8:subject:role", issuer, "Physician");


      //Create a multi-valued attribute - hl7 permissions
      AttributeType  multi = new AttributeType();
      multi.setAttributeId("urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission");
      multi.setDataType("http://www.w3.org/2001/XMLSchema#string");

      if (issuer != null)
         multi.setIssuer(issuer); 

      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-010"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-012"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-017"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-005"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-003"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-009"));
      multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-006"));


      //Locality
      AttributeType attLocality = RequestAttributeFactory.createStringAttributeType(
            "urn:oasis:names:tc:xacml:1.0:subject:locality", issuer, "Facility A"); 

      attrList.add(attSubjectID);
      attrList.add(attRole);
      attrList.add(multi); 

      attrList.add(attLocality);

      return attrList;
   }

   private EnvironmentType createEnvironment(boolean permit)
   {
      EnvironmentType env = new EnvironmentType();

      AttributeType attFacility = RequestAttributeFactory.createStringAttributeType(
            "urn:va:xacml:2.0:interop:rsa8:environment:locality", issuer, "Facility A"); 

      env.getAttribute().add(attFacility);

      if(permit)
      {

         AttributeType currentTime = RequestAttributeFactory.createTimeAttributeType(
               "urn:oasis:names:tc:xacml:1.0:environment:current-time",
               issuer, getXMLTime("12:59:00-08:00"));
         env.getAttribute().add(currentTime);
      }
      return env;
   }

   private AttributeValueType createAttributeValueType(String value)
   {
      AttributeValueType avt = new AttributeValueType();
      avt.getContent().add(value);
      return avt;
   }

   private XMLGregorianCalendar getXMLTime( String time)
   {
      DatatypeFactory dtf;
      try
      {
         dtf = DatatypeFactory.newInstance();
      }
      catch (DatatypeConfigurationException e)
      {
         throw new RuntimeException(e);
      }
      return  dtf.newXMLGregorianCalendar(time);
   }
}

 

Remember that an XACML request always carries a subject, resource, action and environment in its request context. You will need a fair understanding of XACML.

 

To get a PERMIT back from the PDP, we have added the hours of operation for start and end times to the resource section as well as the current time to the environment section.

 

 

Let us analyze the result of calling the PDP:

Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
assertTrue("No fault", result.isFault() == false);
assertTrue("Decision available", result.isResponseAvailable());
assertTrue("Deny", result.isDeny());

We first ensure that no SOAP Fault was returned from the PDP. The next checks ensure that an XACML decision is present for us and that the decision from the PDP is DENY.

XACML Policy Used in the test

In the WEB-INF/classes directory, I created a policies folder and placed the XACML policy there as himss-policy.xml.

Please look at the attachment "himss-policies.tar" for the policy files that need to go inside the policies folder.

JBossXACML PolicyConfig in the test

The following policyConfig.xml was used in WEB-INF/classes:

<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
   <ns:Policies>
      <ns:PolicySet>
         <ns:Location>policies/himss-policy.xml</ns:Location>
      </ns:PolicySet>
   </ns:Policies>
   <ns:Locators>
      <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator">
      </ns:Locator>
   </ns:Locators>
</ns:jbosspdp>

 

An XACML Request that should yield a PERMIT

 

<xacml-context:Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance/"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">

    <xacml-context:Subject
        SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>Doctor,Bob
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>100035
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>codeSystem="1.2.840.1986.7"
                codeSystemName="ISO" displayName="MD/Allopath"
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:subject:functional_role"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>physician
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>Healthcare Treatment
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-017"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-003"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-012"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-005"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-010"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-006"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-009"
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>Healthcare Domain A
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
    </xacml-context:Subject>
    <xacml-context:Resource>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" 
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>
                urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start"
            DataType="http://www.w3.org/2001/XMLSchema#time">
            <xacml-context:AttributeValue>00:00:00-08:00</xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end"
            DataType="http://www.w3.org/2001/XMLSchema#time">
            <xacml-context:AttributeValue>23:59:00-08:00</xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>Healthcare Domain A
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>DoD Healthcare Domain A
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hl7:permission"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-003"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-005"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-010"
            </xacml-context:AttributeValue>
            <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                codeSystemName="HL7" displayName="PRD-012"
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:allowed-organizations"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>Healthcare Domain A
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>UBA</xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>100035
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>100035
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>100035
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>100035
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
    </xacml-context:Resource>
    <xacml-context:Action>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>Read</xacml-context:AttributeValue>
        </xacml-context:Attribute>
    </xacml-context:Action>
    <xacml-context:Environment>
        <xacml-context:Attribute
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:locality"
            DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>Healthcare Domain B
            </xacml-context:AttributeValue>
        </xacml-context:Attribute>
        <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
               DataType="http://www.w3.org/2001/XMLSchema#time">
             <AttributeValue>12:59:00-08:00</AttributeValue>
        </xacml-context:Attribute>
    </xacml-context:Environment>
</xacml-context:Request>
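For the PERMIT conditions described earlier (hours of operation start/end on the resource, current-time in the environment), an added example that is not PicketLink code and not the PDP's policy: a Python pre-check over an xacml-context:Request that reports, before the SOAP round trip, whether those three xs:time attributes are present, correctly typed and consistent. It assumes that this window is what himss-policy.xml (the attachment, not shown on the page) evaluates, which is an assumption about the demo policy; the embedded request is a constructed cut-down of the PERMIT request above, and the page's DENY variant is reproduced in the checks by dropping the current-time attribute.

```python
# Added example, not PicketLink code and not the PDP's policy: a client-side
# pre-check of an XACML 2.0 request context. The page states that the PERMIT
# case adds hoursofoperation start/end to the resource and current-time to the
# environment; this helper assumes that is the condition the (attached, not
# shown) himss-policy.xml evaluates and checks it locally before the SOAP round
# trip, so a request that can only come back DENY is reported with a reason.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
START_ID = "urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start"
END_ID = "urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end"
NOW_ID = "urn:oasis:names:tc:xacml:1.0:environment:current-time"


def attribute_values(request_root, category, attr_id):
    """(text, DataType) pairs of one AttributeId inside one category element."""
    path = f"{{{CTX}}}{category}/{{{CTX}}}Attribute[@AttributeId='{attr_id}']"
    pairs = []
    for attr in request_root.findall(path):
        for value in attr.findall(f"{{{CTX}}}AttributeValue"):
            pairs.append(((value.text or "").strip(), attr.get("DataType")))
    return pairs


def seconds_utc(xs_time):
    """Zoned xs:time such as '12:59:00-08:00' -> seconds since midnight, in UTC."""
    moment = datetime.strptime(xs_time, "%H:%M:%S%z").astimezone(timezone.utc)
    return moment.hour * 3600 + moment.minute * 60 + moment.second


def in_window(now, start, end):
    """Once shifted to UTC the window may wrap past midnight (00:00-08:00 .. 23:59-08:00 does)."""
    return start <= now <= end if start <= end else (now >= start or now <= end)


def check_hours_of_operation(request_xml):
    """Return (ok, reason); ok only when all three xs:time attributes exist and agree."""
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{CTX}}}Request":
        return False, "root element is not an xacml-context:Request"
    seconds = {}
    for name, category, attr_id in (("start", "Resource", START_ID),
                                    ("end", "Resource", END_ID),
                                    ("now", "Environment", NOW_ID)):
        pairs = attribute_values(root, category, attr_id)
        if len(pairs) != 1:
            return False, f"{name}: expected exactly one value, found {len(pairs)}"
        text, data_type = pairs[0]
        if data_type != XS_TIME:
            return False, f"{name}: DataType is {data_type}, expected xs:time"
        try:
            seconds[name] = seconds_utc(text)
        except ValueError:
            return False, f"{name}: {text!r} is not a zoned xs:time"
    if in_window(seconds["now"], seconds["start"], seconds["end"]):
        return True, "current-time inside hours of operation"
    return False, "current-time outside hours of operation"


# Constructed sample, cut down from the page's PERMIT request to the attributes read here.
PERMIT_REQUEST = f"""<xacml-context:Request xmlns="{CTX}" xmlns:xacml-context="{CTX}">
 <xacml-context:Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:subject-id" DataType="{XS_STRING}">
   <xacml-context:AttributeValue>Doctor,Bob</xacml-context:AttributeValue></xacml-context:Attribute>
 </xacml-context:Subject>
 <xacml-context:Resource>
  <xacml-context:Attribute AttributeId="{START_ID}" DataType="{XS_TIME}">
   <xacml-context:AttributeValue>00:00:00-08:00</xacml-context:AttributeValue></xacml-context:Attribute>
  <xacml-context:Attribute AttributeId="{END_ID}" DataType="{XS_TIME}">
   <xacml-context:AttributeValue>23:59:00-08:00</xacml-context:AttributeValue></xacml-context:Attribute>
 </xacml-context:Resource>
 <xacml-context:Action>
  <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{XS_STRING}">
   <xacml-context:AttributeValue>Read</xacml-context:AttributeValue></xacml-context:Attribute>
 </xacml-context:Action>
 <xacml-context:Environment>
  <xacml-context:Attribute AttributeId="{NOW_ID}" DataType="{XS_TIME}">
   <AttributeValue>12:59:00-08:00</AttributeValue></xacml-context:Attribute>
 </xacml-context:Environment>
</xacml-context:Request>"""
```

Two details matter in practice: the comparison is done after normalising each xs:time to UTC, because the page's values carry a -08:00 offset and a window that looks like "all day" locally wraps past midnight in UTC; and an unzoned or non-xs:time value is reported rather than guessed at, since a PDP would evaluate it as Indeterminate, not Permit.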