SAML v2 and XACML v2 Integration

    Project:  PicketLink

     

    Since the PicketLink project provides both SAML v2 and XACML v2 capabilities, it also supports the SAML 2.0 profile of XACML v2.0 (the "XACML2 profile of SAMLv2"): an XACML authorization decision request, and the resulting decision, are carried inside SAML protocol messages.

     

    Reference: Blog Post

    What is provided?

    PicketLink provides a servlet that accepts SOAP 1.1 requests whose body carries a SAML XACMLAuthzDecisionQuery wrapping an XACML authorization decision request. The servlet evaluates the request against the configured XACML policies and returns the authorization decision as a SAML statement inside a SOAP 1.1 response.

     

    NOTE:  If you are in need of a SOAP WSDL service for the PDP, refer to: http://community.jboss.org/wiki/XACMLPDPSOAPService

    Steps to follow:

    1. Download the JBoss Identity stack from the project page (http://www.jboss.org/jbossidentity/)
    2. Create a web application and in its web.xml, you will need to configure the following servlet.
      <web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
         <context-param>
          <param-name>debug</param-name>
          <param-value>false</param-value>
         </context-param>
         <servlet>
           <servlet-name>SOAPServlet</servlet-name>
           <servlet-class>org.jboss.identity.federation.bindings.servlets.SOAPSAMLXACMLServlet</servlet-class>
           <init-param>
              <param-name>issuer</param-name>
              <param-value>redhatPdpEntity</param-value>
           </init-param>
           <init-param>
              <param-name>debug</param-name>
              <param-value>true</param-value>
           </init-param>
         </servlet>
         <servlet-mapping>
            <servlet-name>SOAPServlet</servlet-name>
            <url-pattern>/SOAPServlet</url-pattern>
         </servlet-mapping>
      </web-app>
      
    3. You should then be able to send SOAP requests to http://host:port/<context>/SOAPServlet

    Configuration Options for the servlet:

    The servlet takes a few init parameters that can be used for configuration:

    1. issuer  :  the SAML Issuer value placed on all the decisions/statements sent back.
    2. debug :  true/false: emit more debug information.  Default: false.

    XACML Policies

    Under WEB-INF/classes, create a policies directory and put all your policies there.

    Then create policyConfig.xml in the WEB-INF/classes directory with the following content:

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
       <ns:Policies>
          <ns:PolicySet>
             <ns:Location>policies/mypolicy-policy.xml</ns:Location>
         </ns:PolicySet>
       </ns:Policies>
       <ns:Locators>
          <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator">
          </ns:Locator>
       </ns:Locators>
    </ns:jbosspdp>
    

     

    Here we use the standard JBossXACML policy-set locator and refer to the main PolicySet packaged in the policies directory under WEB-INF/classes of the web archive.  For more information, please refer to the JBossXACML guide.


    API to make calls to XACML PDP

    Building the SOAP message and the SAML payload by hand in order to make XACML authorization request calls is tedious and error-prone.  For this reason, starting with 1.0.0.alpha5 of the JBossIdentity stack, an API class takes care of it.

    Assumptions:

    1. You are familiar with JBossXACML API.
    2. You have JBossIdentity stack installed in JBoss AS or Tomcat.

     

    The API is as follows:

    import org.jboss.identity.federation.api.soap.SOAPSAMLXACML;
    import org.jboss.identity.federation.api.soap.SOAPSAMLXACML.Result;
    import org.jboss.security.xacml.core.model.context.RequestType;
    
    import static org.junit.Assert.assertTrue;
    
    //Where your endpoint is located
    String endpoint = "http://localhost:8080/test/SOAPServlet";
    
    //Issuer name placed in the SAML XACMLAuthzDecisionQuery
    String issuer = "testIssuer";
    
    //Create an XACML Request
    RequestType xacmlRequest = getXACMLRequest(); //Look in the JUnit example below
    SOAPSAMLXACML soapSAMLXACML = new SOAPSAMLXACML();
             
    Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
    assertTrue("No fault", result.isFault() == false);
    assertTrue("Decision available", result.isResponseAvailable());
    assertTrue("Deny", result.isDeny());
    

     

    Remember that in this use case we are talking to an unsecured PDP: the web.xml above declares no security constraint, and the client sends the query over plain HTTP with no authentication or message signature, so anyone who can reach the servlet can obtain authorization decisions and probe which attribute combinations the policy permits. Keep such an endpoint on a trusted network, or behind transport security, until it is locked down. Support for an HTTP proxy or for a PDP that requires security is planned for a later release (probably the beta).

     

    Let's look at the signature of the Result class.

    import org.jboss.identity.federation.org.xmlsoap.schemas.soap.envelope.Fault;
    import org.jboss.security.xacml.core.model.context.DecisionType;
    
    public class Result
    {      
          public boolean isResponseAvailable()
          
          public boolean isFault()
          
          public DecisionType getDecision()
          
          public Fault getFault()
          
          public boolean isPermit()
          
          public boolean isDeny()
    }
    

     

    Let us look at a payload:

    <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
         <soap-env:Body>
              <xacml-samlp:XACMLAuthzDecisionQuery
                   xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
                   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   xacml-samlp:InputContextOnly="true" xacml-samlp:ReturnContext="true"
                   ID="s22e30cf15f08e3da00d3837fcf5b6c8cf3fcc9e0f" Version="2.0"
                   IssueInstant="2009-01-12T15:34:29Z">
                   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">vaPepEntity
                   </saml:Issuer>
                   <xacml-context:Request
                        xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
                        <xacml-context:Subject
                             SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                             <xacml-context:Attribute
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>Doctor, Bob I</AttributeValue>
                             </xacml-context:Attribute>
                             <xacml-context:Attribute
                                  AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>physician</AttributeValue>
                             </xacml-context:Attribute>
                             <xacml-context:Attribute
                                  AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006
                                  </AttributeValue>
                             </xacml-context:Attribute>
                             <xacml-context:Attribute
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:locality"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>Facility A</AttributeValue>
                             </xacml-context:Attribute>
                        </xacml-context:Subject>
                        <xacml-context:Resource>
                             <xacml-context:Attribute
                                  AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>
                                       urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record
                                  </AttributeValue>
                             </xacml-context:Attribute>
                             <xacml-context:Attribute
                                  AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005
                                  </AttributeValue>
                                  <AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003
                                  </AttributeValue>
                             </xacml-context:Attribute>
                             <xacml-context:Attribute
                                  AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>MA</AttributeValue>
                             </xacml-context:Attribute>
                             <xacml-context:Attribute
                                  AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>Doctor, Bob I</AttributeValue>
                             </xacml-context:Attribute>
                        </xacml-context:Resource>
                        <xacml-context:Action>
                             <xacml-context:Attribute
                                  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>read</AttributeValue>
                             </xacml-context:Attribute>
                        </xacml-context:Action>
                        <xacml-context:Environment>
                             <xacml-context:Attribute
                                  AttributeId="urn:va:xacml:2.0:interop:rsa8:environment:locality"
                                  DataType="http://www.w3.org/2001/XMLSchema#string">
                                  <AttributeValue>Facility A</AttributeValue>
                             </xacml-context:Attribute>
                        </xacml-context:Environment>
                   </xacml-context:Request>
              </xacml-samlp:XACMLAuthzDecisionQuery>
         </soap-env:Body>
    </soap-env:Envelope>
    

     

    This payload is from the HIMSS Technology Demonstration 2009 where JBoss participated.
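    The same exchange from the wire side, as an added example that is not part of PicketLink or of the original page: a small Python client that builds the SOAP 1.1 / SAML 2.0 XACMLAuthzDecisionQuery envelope shown above from plain attribute lists and POSTs it to the servlet. It needs nothing but the standard library, so it is also a convenient way to exercise a deployed PDP from a test box. The query ID, IssueInstant, the HTTP headers and the helper names are this example's own choices; the attribute identifiers and values are those of the HIMSS payload above, rebuilt here as constructed data.

```python
"""Protocol-level client for the PicketLink SOAPSAMLXACMLServlet: builds the
SOAP 1.1 / SAML 2.0 XACMLAuthzDecisionQuery envelope and posts it."""
import secrets
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XACML_SAMLP_NS = "urn:oasis:xacml:2.0:saml:protocol:schema:os"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Serialize with the same prefixes the page's payload uses.
for _prefix, _uri in (("soap-env", SOAP_NS), ("xacml-samlp", XACML_SAMLP_NS),
                      ("saml", SAML_NS), ("xacml-context", XACML_CTX_NS)):
    ET.register_namespace(_prefix, _uri)

# One request-context attribute: (AttributeId, values, DataType). Several values
# give a multi-valued attribute such as the HL7 permission list.
Attribute = Tuple[str, List[str], str]


def _add_attributes(parent: ET.Element, attributes: List[Attribute]) -> None:
    for attr_id, values, datatype in attributes:
        attr = ET.SubElement(parent, f"{{{XACML_CTX_NS}}}Attribute",
                             AttributeId=attr_id, DataType=datatype)
        for value in values:
            ET.SubElement(attr, f"{{{XACML_CTX_NS}}}AttributeValue").text = value


def build_authz_query(issuer: str, subject: List[Attribute], resource: List[Attribute],
                      action: List[Attribute], environment: List[Attribute],
                      query_id: Optional[str] = None,
                      issue_instant: Optional[str] = None) -> bytes:
    """Return the SOAP envelope carrying one XACMLAuthzDecisionQuery."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    query = ET.SubElement(body, f"{{{XACML_SAMLP_NS}}}XACMLAuthzDecisionQuery", {
        f"{{{XACML_SAMLP_NS}}}InputContextOnly": "true",
        f"{{{XACML_SAMLP_NS}}}ReturnContext": "true",
        # SAML IDs are xs:ID (an NCName: no leading digit) and must be unique per
        # query so the PEP can match a response's InResponseTo against it.
        "ID": query_id or "ID_" + secrets.token_hex(20),
        "Version": "2.0",
        "IssueInstant": issue_instant
        or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML_NS}}}Issuer").text = issuer
    request = ET.SubElement(query, f"{{{XACML_CTX_NS}}}Request")
    subj = ET.SubElement(request, f"{{{XACML_CTX_NS}}}Subject", SubjectCategory=ACCESS_SUBJECT)
    _add_attributes(subj, subject)
    _add_attributes(ET.SubElement(request, f"{{{XACML_CTX_NS}}}Resource"), resource)
    _add_attributes(ET.SubElement(request, f"{{{XACML_CTX_NS}}}Action"), action)
    _add_attributes(ET.SubElement(request, f"{{{XACML_CTX_NS}}}Environment"), environment)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def send_authz_query(endpoint: str, envelope: bytes, timeout: float = 10.0) -> bytes:
    """POST the envelope as SOAP 1.1 and return the raw response body (needs a live PDP)."""
    req = urllib.request.Request(endpoint, data=envelope, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def himss_read_request(issuer: str = "vaPepEntity") -> bytes:
    """The access request from the payload above, rebuilt here as constructed data."""
    hl7 = "urn:va:xacml:2.0:interop:rsa8:hl7:prd-"
    subject_perms = [hl7 + p for p in ("010", "012", "017", "005", "003", "009", "006")]
    resource_perms = [hl7 + p for p in ("010", "012", "005", "003")]
    subject = [
        ("urn:oasis:names:tc:xacml:1.0:subject:subject-id", ["Doctor, Bob I"], XS_STRING),
        ("urn:va:xacml:2.0:interop:rsa8:subject:role", ["physician"], XS_STRING),
        ("urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission", subject_perms, XS_STRING),
        ("urn:oasis:names:tc:xacml:1.0:subject:locality", ["Facility A"], XS_STRING),
    ]
    resource = [
        ("urn:va:xacml:2.0:interop:rsa8:resource:hl7:type",
         ["urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record"], XS_STRING),
        ("urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission", resource_perms, XS_STRING),
        ("urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code", ["MA"], XS_STRING),
        ("urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id",
         ["Doctor, Bob I"], XS_STRING),
    ]
    action = [("urn:oasis:names:tc:xacml:1.0:action:action-id", ["read"], XS_STRING)]
    environment = [("urn:va:xacml:2.0:interop:rsa8:environment:locality",
                    ["Facility A"], XS_STRING)]
    return build_authz_query(issuer, subject, resource, action, environment)


if __name__ == "__main__":
    print(himss_read_request().decode())
    # send_authz_query("http://localhost:8080/test/SOAPServlet", himss_read_request())
```

    Because the servlet is reached over plain HTTP in this setup, the same script is all an attacker on the network needs to query the PDP; treat it as a reason to restrict who can reach the endpoint, not just as a test tool.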

     

    Now let us look at the JUnit Test Case:

    package org.jboss.test.identity.federation.bindings.util;
    
    import java.util.ArrayList;
    import java.util.List;
    
    import javax.xml.datatype.DatatypeConfigurationException;
    import javax.xml.datatype.DatatypeFactory;
    import javax.xml.datatype.XMLGregorianCalendar;
    
    import org.jboss.identity.federation.api.soap.SOAPSAMLXACML;
    import org.jboss.identity.federation.api.soap.SOAPSAMLXACML.Result;
    import org.jboss.security.xacml.core.model.context.ActionType;
    import org.jboss.security.xacml.core.model.context.AttributeType;
    import org.jboss.security.xacml.core.model.context.AttributeValueType;
    import org.jboss.security.xacml.core.model.context.EnvironmentType;
    import org.jboss.security.xacml.core.model.context.RequestType;
    import org.jboss.security.xacml.core.model.context.ResourceType;
    import org.jboss.security.xacml.core.model.context.SubjectType;
    import org.jboss.security.xacml.factories.RequestAttributeFactory;
    
    import org.junit.Test;
    import static org.junit.Assert.assertTrue;
    
    /**
     * Unit test the SOAP SAML XACML Unit Test
     * @author Anil Saldhana
     */
    public class SOAPSAMLXACMLUnitTestCase
    {
       //Set to false to skip the tests when no endpoint is running locally
       private boolean sendRequest = true;
    
       private String endpoint = "http://localhost:8080/pdp/SOAPSAMLXACMLPDP";
    
       private String issuer = "testIssuer";
    
       @Test
       public void testPermit() throws Exception
       {
          if(sendRequest)
          {
             //Create an XACML Request
             RequestType xacmlRequest = getXACMLRequest(true);
             SOAPSAMLXACML soapSAMLXACML = new SOAPSAMLXACML();
    
             Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
             assertTrue("No fault", result.isFault() == false);
             assertTrue("Decision available", result.isResponseAvailable());
             assertTrue("Permit", result.isPermit());
          }
       }
    
       @Test
       public void testDeny() throws Exception
       {
          if(sendRequest)
          {
             //Create an XACML Request
             RequestType xacmlRequest = getXACMLRequest(false);
             SOAPSAMLXACML soapSAMLXACML = new SOAPSAMLXACML();
    
             Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
             assertTrue("No fault", result.isFault() == false);
             assertTrue("Decision available", result.isResponseAvailable());
             assertTrue("Deny", result.isDeny());
          }
    
       }
    
    
       private RequestType getXACMLRequest( boolean permit)
       {
          RequestType requestType = new RequestType();
          requestType.getSubject().add(createSubject());
          requestType.getResource().add(createResource(permit));
          requestType.setAction(createAction());
          requestType.setEnvironment(createEnvironment(permit));
          return requestType;
       }
    
       private SubjectType createSubject()
       {
          //Create a subject type
          SubjectType subject = new SubjectType();
          subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject");
    
          subject.getAttribute().addAll(getSubjectAttributes()); 
    
          return subject;
       }
    
       public ResourceType createResource(boolean permit)
       {  
          ResourceType resourceType = new ResourceType();
    
          AttributeType attResourceID = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:type", issuer, 
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record");
    
          //Create a multi-valued attribute - hl7 permissions
          AttributeType  multi = new AttributeType();
          multi.setAttributeId("urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission");
          multi.setDataType("http://www.w3.org/2001/XMLSchema#string");
    
          if (issuer != null)
             multi.setIssuer(issuer); 
    
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-010"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-012"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-005"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-003"));
    
    
          AttributeType attConfidentialityCode = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code", issuer, 
                "MA");
    
          AttributeType attDissentedSubjectId = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id", issuer, 
                "Doctor, Bob I");
    
          //Add the attributes into the resource
          resourceType.getAttribute().add(attResourceID);
          resourceType.getAttribute().add(multi);
    
          if(!permit)
          resourceType.getAttribute().add(attConfidentialityCode);
    
          resourceType.getAttribute().add(attDissentedSubjectId);
    
          if(permit)
          {    
             AttributeType start = RequestAttributeFactory.createTimeAttributeType(
                   "urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start",
                   issuer, getXMLTime("00:00:00-08:00"));
             AttributeType end = RequestAttributeFactory.createTimeAttributeType(
                   "urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end",
                   issuer, getXMLTime("23:59:00-08:00"));
             resourceType.getAttribute().add(start);
             resourceType.getAttribute().add(end);
          }
    
          return resourceType;
       }
    
       private ActionType createAction()
       {
          ActionType actionType = new ActionType();
          AttributeType attActionID = RequestAttributeFactory.createStringAttributeType(
                "urn:oasis:names:tc:xacml:1.0:action:action-id", issuer, "read");
          actionType.getAttribute().add(attActionID);
          return actionType;
       }
    
       private List<AttributeType> getSubjectAttributes()
       {
          List<AttributeType> attrList = new ArrayList<AttributeType>();
    
          //create the subject attributes
    
          //SubjectID - Bob
          AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id", issuer, "Doctor, Bob I"); 
    
          //Role - Physician      
          AttributeType attRole = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:subject:role", issuer, "Physician");
    
    
          //Create a multi-valued attribute - hl7 permissions
          AttributeType  multi = new AttributeType();
          multi.setAttributeId("urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission");
          multi.setDataType("http://www.w3.org/2001/XMLSchema#string");
    
          if (issuer != null)
             multi.setIssuer(issuer); 
    
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-010"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-012"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-017"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-005"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-003"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-009"));
          multi.getAttributeValue().add(createAttributeValueType("urn:va:xacml:2.0:interop:rsa8:hl7:prd-006"));
    
    
          //Locality
          AttributeType attLocality = RequestAttributeFactory.createStringAttributeType(
                "urn:oasis:names:tc:xacml:1.0:subject:locality", issuer, "Facility A"); 
    
          attrList.add(attSubjectID);
          attrList.add(attRole);
          attrList.add(multi); 
    
          attrList.add(attLocality);
    
          return attrList;
       }
    
       private EnvironmentType createEnvironment(boolean permit)
       {
          EnvironmentType env = new EnvironmentType();
    
          AttributeType attFacility = RequestAttributeFactory.createStringAttributeType(
                "urn:va:xacml:2.0:interop:rsa8:environment:locality", issuer, "Facility A"); 
    
          env.getAttribute().add(attFacility);
    
          if(permit)
          {
    
             AttributeType currentTime = RequestAttributeFactory.createTimeAttributeType(
                   "urn:oasis:names:tc:xacml:1.0:environment:current-time",
                   issuer, getXMLTime("12:59:00-08:00"));
             env.getAttribute().add(currentTime);
          }
          return env;
       }
    
       private AttributeValueType createAttributeValueType(String value)
       {
          AttributeValueType avt = new AttributeValueType();
          avt.getContent().add(value);
          return avt;
       }
    
       private XMLGregorianCalendar getXMLTime( String time)
       {
          DatatypeFactory dtf;
          try
          {
             dtf = DatatypeFactory.newInstance();
          }
          catch (DatatypeConfigurationException e)
          {
             throw new RuntimeException(e);
          }
          return  dtf.newXMLGregorianCalendar(time);
       }
    }
    
    

     

    Remember that an XACML request context always consists of a subject, a resource, an action and an environment. You will need a fair understanding of XACML to build these correctly.

     

    To get a PERMIT back from the PDP, we have added the hours of operation for start and end times to the resource section as well as the current time to the environment section.

     

     

    Let us analyze the result of calling the PDP:

    Result result = soapSAMLXACML.send(endpoint, issuer, xacmlRequest);
    assertTrue("No fault", result.isFault() == false);
    assertTrue("Decision available", result.isResponseAvailable());
    assertTrue("Deny", result.isDeny());
    

    We first ensure that the PDP returned no SOAP Fault. The next check ensures that an XACML decision is actually present in the response, and the last one that the decision is DENY. Note that an XACML decision is one of Permit, Deny, Indeterminate or NotApplicable, so isDeny() being false does not mean access was granted: a PEP should allow the action only when isPermit() is true, and must treat a fault, a missing response, Indeterminate and NotApplicable as a denial.
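    The fail-closed handling described above, as an added example in Python that is independent of PicketLink's Java API and not part of the original page: it takes the raw SOAP response body and grants access only for an explicit Permit whose XACML status is ok, rejecting SOAP Faults, unparseable bodies, responses without a Result, Indeterminate and NotApplicable, and (optionally) a response whose InResponseTo does not match the query it was sent for. The sample responses are constructed here and modeled on the SAML 2.0 profile of XACML 2.0; the exact wrapper element PicketLink emits may differ, which is why the parser locates the xacml-context:Result by namespace wherever it sits, and the InResponseTo check assumes the PDP echoes the query ID (pass None if yours does not).

```python
"""Fail-closed mapping of the PDP's SOAP/SAML response to a PEP decision:
only an explicit Permit with an ok status grants access."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from dataclasses import dataclass, field
from typing import List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"
STATUS_MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"


@dataclass
class AuthzOutcome:
    permitted: bool          # True only for an explicit, healthy Permit
    reason: str              # why access was or was not granted, for the PEP's audit log
    decisions: List[str] = field(default_factory=list)  # every Decision value seen


def evaluate_response(body: bytes, expected_in_response_to: Optional[str] = None) -> AuthzOutcome:
    """Deny unless every xacml-context:Result says Permit with status ok."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return AuthzOutcome(False, f"unparseable response: {exc}")

    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:  # the servlet reports errors as SOAP Faults
        return AuthzOutcome(False, "SOAP Fault: " + (fault.findtext("faultstring") or "(no faultstring)"))

    if expected_in_response_to is not None:
        saml_response = root.find(f".//{{{SAMLP_NS}}}Response")
        got = saml_response.get("InResponseTo") if saml_response is not None else None
        if got != expected_in_response_to:  # a replayed or foreign response must not be accepted
            return AuthzOutcome(False, f"InResponseTo mismatch: {got!r}")

    results = root.findall(f".//{{{XACML_CTX_NS}}}Result")
    if not results:
        return AuthzOutcome(False, "no XACML Result in response")

    decisions: List[str] = []
    for result in results:
        decision = (result.findtext(f"{{{XACML_CTX_NS}}}Decision") or "").strip()
        decisions.append(decision)
        status = result.find(f"{{{XACML_CTX_NS}}}Status/{{{XACML_CTX_NS}}}StatusCode")
        status_value = status.get("Value") if status is not None else STATUS_OK  # Status is optional
        if decision != "Permit":  # Deny, Indeterminate, NotApplicable or missing all deny
            return AuthzOutcome(False, f"decision was {decision or 'missing'}", decisions)
        if status_value != STATUS_OK:  # a Permit with a non-ok status is not trustworthy
            return AuthzOutcome(False, f"status {status_value}", decisions)
    return AuthzOutcome(True, "explicit Permit", decisions)


# Constructed sample responses (not captured from PicketLink), modeled on the
# SAML 2.0 profile of XACML 2.0: samlp:Response > saml:Assertion >
# xacml-saml:XACMLAuthzDecisionStatement > xacml-context:Response.
_RESPONSE_TEMPLATE = """<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
 <soap-env:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="ID_r1" Version="2.0"
      IssueInstant="2009-01-12T15:34:30Z" InResponseTo="{in_response_to}">
   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_a1" Version="2.0"
       IssueInstant="2009-01-12T15:34:30Z">
    <saml:Issuer>redhatPdpEntity</saml:Issuer>
    <xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os">
     <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Result>
       <xacml-context:Decision>{decision}</xacml-context:Decision>
       <xacml-context:Status><xacml-context:StatusCode Value="{status}"/></xacml-context:Status>
      </xacml-context:Result>
     </xacml-context:Response>
    </xacml-saml:XACMLAuthzDecisionStatement>
   </saml:Assertion>
  </samlp:Response>
 </soap-env:Body>
</soap-env:Envelope>"""

SAMPLE_FAULT = b"""<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
 <soap-env:Body><soap-env:Fault><faultcode>soap-env:Server</faultcode>
  <faultstring>Invalid XACML request</faultstring></soap-env:Fault></soap-env:Body>
</soap-env:Envelope>"""


def sample_response(decision: str, status: str = STATUS_OK, in_response_to: str = "ID_q1") -> bytes:
    """Constructed PDP response carrying one Result with the given decision and status."""
    return _RESPONSE_TEMPLATE.format(decision=decision, status=status,
                                     in_response_to=in_response_to).encode()


if __name__ == "__main__":
    for body in (sample_response("Permit"), sample_response("Deny"),
                 sample_response("Indeterminate", STATUS_PROCESSING_ERROR),
                 sample_response("Permit", in_response_to="ID_other"), SAMPLE_FAULT):
        print(evaluate_response(body, expected_in_response_to="ID_q1"))
```

    The reason string is meant for the PEP's audit log, not for the end user: telling a caller exactly why the PDP said no leaks policy detail.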

    XACML Policy Used in the test

    In the WEB-INF/classes directory, create a policies folder and place the XACML policy in it as himss-policy.xml.

    Please look at the attachment "himss-policies.tar" for the policy files that need to go inside the policies folder.

    JBossXACML PolicyConfig in the test

    policyConfig.xml was used in WEB-INF/classes

    <ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
       <ns:Policies>
          <ns:PolicySet>
             <ns:Location>policies/himss-policy.xml</ns:Location>
         </ns:PolicySet>
       </ns:Policies>
       <ns:Locators>
          <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator">
          </ns:Locator>
       </ns:Locators>
    </ns:jbosspdp>
    

     

    An XACML Request that should yield a PERMIT

     

    <xacml-context:Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
    
        <xacml-context:Subject
            SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xacml:2.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>Doctor,Bob
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>100035
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>codeSystem="1.2.840.1986.7"
                    codeSystemName="ISO" displayName="MD/Allopath"
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:subject:functional_role"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>physician
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>Healthcare Treatment
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-017"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-003"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-012"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-005"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-010"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-006"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-009"
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>Healthcare Domain A
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
        </xacml-context:Subject>
        <xacml-context:Resource>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" 
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>
                    urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start"
                DataType="http://www.w3.org/2001/XMLSchema#time">
                <xacml-context:AttributeValue>00:00:00-08:00</xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end"
                DataType="http://www.w3.org/2001/XMLSchema#time">
                <xacml-context:AttributeValue>23:59:00-08:00</xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>Healthcare Domain A
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>DoD Healthcare Domain A
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hl7:permission"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-003"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-005"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-010"
                </xacml-context:AttributeValue>
                <xacml-context:AttributeValue>codeSystem="2.16.840.1.113883.13.27"
                    codeSystemName="HL7" displayName="PRD-012"
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:allowed-organizations"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>Healthcare Domain A
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>UBA</xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>100035
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>100035
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>100035
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>100035
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
        </xacml-context:Resource>
        <xacml-context:Action>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>Read</xacml-context:AttributeValue>
            </xacml-context:Attribute>
        </xacml-context:Action>
        <xacml-context:Environment>
            <xacml-context:Attribute
                AttributeId="urn:oasis:names:tc:xacml:2.0:resource:locality"
                DataType="http://www.w3.org/2001/XMLSchema#string">
                <xacml-context:AttributeValue>Healthcare Domain B
                </xacml-context:AttributeValue>
            </xacml-context:Attribute>
            <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                   DataType="http://www.w3.org/2001/XMLSchema#time">
                 <AttributeValue>12:59:00-08:00</AttributeValue>
            </xacml-context:Attribute>
        </xacml-context:Environment>
    </xacml-context:Request>