External Validation Service Front-end

Information

File Name: XUA-_98491d60-d3f2-44a0-a4e3-1a202655ae9d.xml
OID :: 1.1.1.1.1.1.4.48349
Validation Date :: 9/5/25 11:46:01 AM (CEST GMT+0200)
Assertions - Validator (7.2.2): eHDSI SAML - NoK Identity Assertion - Wave 8 (V8.0.1) (Unknown)
Validation Results :: DONE_FAILED
Permanent link :: https://qualif2.ihe.kereval.cloud/evs/report.seam?oid=1.1.1.1.1.1.4.48349
Data Visibility :: Public

↓

$type Validation Report

Well-formednessPASSED

The document you have validated is supposed to be a well-formed document. The validator has checked if it is well-formed, results of this validation are gathered in this section.

The document is well-formed

Schema Validation detailed ResultPASSED

Your document has been validated with the appropriate schema, here is the detail of the validation outcome.

The document is valid regarding the schema

Gazelle Objects Checker validator resultsFAILED

Summary of checks: 2

2

27

Test: ehdsi_AuthnContextE - 1
Location: /Assertion
Description: The Reference to the HCP authentication method element AuthnContextClassRef of the element 'AuthnContext' is required and shall be set to 'urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession'.

Test: ehdsi_NextOfKin_IdentifiersE - 2
Location: /Assertion
Description: eHDSI Next of Kin Identifiers attributes is mandatory in a Next of Kin Identity Assertion

Test: consNPII - 1
Location: /Assertion/AttributeStatement[0]
Description: The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a National Provider Identifier (NPI) attribute (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: consSubjectOrganizationI - 2
Location: /Assertion/AttributeStatement[0]
Description: The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with an Subject Organization attribute (ITI TF Vol2b, 3.40.4.1.2).[ Assertion... ]

Test: ehdsi_PurposeOfUseR - 1
Location: /Assertion
Description: The XSPA Purpose Of Use element Attribute/@FriendlyName=XSPA Purpose Of Use is optional. Element Code shall be set to one of those values : “TREATMENT”, “EMERGENCY”. Element CodeSystem must be 3bc18518-d305-46c2-a8d6-94bd59856e9e and codeSystemName must be eHDSI PurposeofUse”.

Test: ehdsi_AudienceRestrictionR - 2
Location: /Assertion
Description: The Audience role element shall be set to 'urn:ehdsi:assertions.audience:x-border'

Test: ehdsi_ConditionsR - 3
Location: /Assertion
Description: Assertion Conditions element is required.

Test: ehdsi_IssuerR - 4
Location: /Assertion
Description: Issuer format shall conform to URI

Test: ehdsi_NameIDR - 5
Location: /Assertion
Description: The Identifier of the HCP NameID element is required. It shall be encoded as an X.509 subject name if the 'Format' is 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName', or as an e-Mail address if the 'Format' is 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', or as a string value (unspecified format) if 'Format' is 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'.

Test: ehdsi_NotOnOrAfterR - 6
Location: /Assertion
Description: The attribute '@NotOnOrAfter' of the element 'Conditions' is required

Test: ehdsi_SignatureR - 7
Location: /Assertion
Description: Assertion Signature element is required.

Test: ehdsi_Signature_CanonicalizationMethodR - 8
Location: /Assertion
Description: The element SignedInfo/CanonicalizationMethod is required and his attribute '@Algorithm' shall be set to 'http://www.w3.org/2001/10/xml-exc-c14n#' or 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments'.

Test: ehdsi_Signature_DigestMethodR - 9
Location: /Assertion
Description: The hash algorithm MUST comply with the eHDSI recommendations on algorithms and key lengths. For signing assertions the digest methodmethod http://www.w3.org/2000/09/xmldsig#sha1 or http://www.w3.org/2001/04/xmlenc#sha256 shall be used. A country MAY reject SHA-1 digests.

Test: ehdsi_Signature_KeyInfoR - 10
Location: /Assertion
Description: The element KeyInfo is required and shall either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer.

Test: ehdsi_Signature_SignatureMethodR - 11
Location: /Assertion
Description: The signature method MUST comply with the eHDSI recommendations on algorithms and key lengths. For signing assertions the signature method http://www.w3.org/2001/04/xmldsig-more#rsa-sha256” or http://www.w3.org/2000/09/xmldsig#rsa-sha1 shall be used. A country MAY reject signatures that use SHA-1 for digesting.

Test: ehdsi_Signature_TransformR - 12
Location: /Assertion
Description: Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (“http://www.w3.org/2000/09/xmldsig#enveloped-signature”). In addition, exclusive canonicalization SHOULD be defined as transformation (('http://www.w3.org/2001/10/xml-exc-c14n#' or 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments')

Test: ehdsi_SubjectConfirmationR - 13
Location: /Assertion
Description: The attribute 'Format' of the element SubjectConfirmation shall be set to the value 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'.

Test: ehdsi_VersionR - 14
Location: /Assertion
Description: Assertion 'Version' attribute is required and need to be set to the value '2.0'.

Test: ehdsi_XSPA_SubjectR - 15
Location: /Assertion
Description: The XSPA subject element Attribute/@FriendlyName=XSPA subject is required and it shall contain the full name of the HCP, and the attribute '@Name' shall be set to 'urn:oasis:names:tc:xspa:1.0:subject:subject-id'.

Test: consAttrStatementR - 16
Location: /Assertion
Description: The Assertion may contain other statements (e.g. Attributes) (ITI TF 3.40.4.1.2)[ Assertion... ]

Test: consAuthnStatementR - 17
Location: /Assertion
Description: Assertion SHALL contain AuthnStatement with AuthnContextClassRef or AuthnContextDeclRef (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: conssubjectR - 18
Location: /Assertion
Description: Assertion SHALL have a Subject (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: conssubjconfR - 19
Location: /Assertion/Subject
Description: Subject SHALL have SubjectConfirmation element (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: consAudienceRestR - 20
Location: /Assertion/Conditions
Description: Conditions SHALL contain an AudienceRestriction containing an Audience (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: consOneTimeUseR - 21
Location: /Assertion/Conditions
Description: An X-Service User may ignore a OneTimeUse condition. (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: consProxyRestrictionR - 22
Location: /Assertion/Conditions
Description: An X-Service User may ignore a ProxyRestriction condition. (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: consnotbeforeR - 23
Location: /Assertion/Conditions
Description: NotBefore attribute SHALL be populated (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: consHomeCommunityIdR - 24
Location: /Assertion/AttributeStatement[0]
Description: The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Home Community ID attribute (ITI TF Vol2b, 3.40.4.1.2).[ Assertion... ]

Test: consOrganizationIDR - 25
Location: /Assertion/AttributeStatement[0]
Description: The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Organization ID attribute (ITI TF Vol2b, 3.40.4.1.2).[ Assertion... ]

Test: consSubjectIdR - 26
Location: /Assertion/AttributeStatement[0]
Description: The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Subject ID attribute. (ITI TF Vol2b, 3.40.4.1.2)[ Assertion... ]

Test: consValueOIDR - 27
Location: /Assertion/AttributeStatement[0]/Attribute[2]
Description: The value shall be the Home Community ID (an Object Identifier) assigned to the Community that is initiating the request, using the urn format (that is, urn:oid appended with the OID). (ITI TF Vol2b,, 3.40.4.1.2) (ITI TF Vol2b,[ Assertion... ]

File Content

↓

Prettify content

View lines numbers

The following content has been modified for better visualization. Validation will be performed on original content
1	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_98491d60-d3f2-44a0-a4e3-1a202655ae9d" IssueInstant="2025-09-03T08:14:48.823Z" Version="2.0">
2	<saml2:Issuer NameQualifier="urn:ehdsi:assertions:hcp">urn:idp:ES:countryB</saml2:Issuer>
3	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
4	<ds:SignedInfo>
5	<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
6	<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
7	<ds:Reference URI="#_98491d60-d3f2-44a0-a4e3-1a202655ae9d">
8	<ds:Transforms>
9	<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
10	<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
11	<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
12	</ds:Transform>
13	</ds:Transforms>
14	<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
15	<ds:DigestValue>bbXmMCN6oXUp4wb9sFI4s9tG3s9tx7A4rNX5kGx/jWo=</ds:DigestValue>
16	</ds:Reference>
17	</ds:SignedInfo>
18	<ds:SignatureValue>2TUBIQ3ICiL1Rpld/TtqLnPHUwSuwevND+/qD4uNKAFmFYr8UTsX7Dr9bn6XCX3/dzkiza67rVmywuQKYSQ4n+lFU2Nh+OZPQG2KgaP9BLzEbgevSMtodFtqJ7HvivFRPNX5ZsQHq8DZzcPfL/Zcodp25ItJuv6xYpEwyL6s3Vkp0y8vTflli8Tmm8JoK9dbe0PfOCLJ/GQZ7gGWN+NvwqzZhAn12EnMb/wEkoZOUVCo9KMjXmf6olXXY98pQAiky90UpLbj+klU6K1AGtzyWNYiM5wGbnoWR6LIj3Xp0D4gQ5BWWdhsz8CWwUWqmmcVTZLoB6d0U8x/C9jwOiuQMQ==</ds:SignatureValue>
19	<ds:KeyInfo>
20	<ds:X509Data>
21	<ds:X509Certificate>MIIGYDCCBEigAwIBAgIMGW0UqOud11ne5USRMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSgwJgYDVQQDEx9HbG9iYWxTaWduIEdDQyBSNiBTTUlNRSBDQSAyMDIzMB4XDTI1MDgyMDA5MTI0N1oXDTI3MDgyMTA5MTI0N1owgaUxCzAJBgNVBAYTAkVTMQ8wDQYDVQQIEwZNYWRyaWQxDzANBgNVBAcTBk1hZHJpZDEOMAwGA1UEYRMFR09WRVMxHjAcBgNVBAoTFU1pbmlzdGVyaW8gZGUgU2FuaWRhZDEeMBwGA1UEAxMVTWluaXN0ZXJpbyBkZSBTYW5pZGFkMSQwIgYJKoZIhvcNAQkBFhVkZ3Nkc2lAc2FuaWRhZC5nb2IuZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpDLXQcr6/e3jpAlgghe8xcg0jMyZMQTWNU3jsOPF4vhct9XA/UKtPGmh2WJ/qR0BO8Hb7NxFym334xH5OQ7o9kjLQFwv/zHO0xWmuv6lwQq/Ymw4QaJxJt0RA4vVCDYntieGu1IMkc+cyXpwVE/uQuLOXjkvHfKSkrowIOuReUzTp36LjQYby+gS3HnIw0eo1Rnq+js4lYE1iJrgGC3wrKhMyCSIyG0PgF9FsN25w+1b+nGi5jbmKKXxYYQEzHFLDtNcusbANS2FKAsIFU8hCbHeyU/2hG4BKB8RUyMSFpIxl8Xy0AoyuzNDm/ORM8MJU4LMqv+KBWINgJQIYYlZ5AgMBAAGjggHgMIIB3DAOBgNVHQ8BAf8EBAMCBaAwgZMGCCsGAQUFBwEBBIGGMIGDMEYGCCsGAQUFBzAChjpodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2djY3I2c21pbWVjYTIwMjMuY3J0MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I2c21pbWVjYTIwMjMwZQYDVR0gBF4wXDAJBgdngQwBBQICMAsGCSsGAQQBoDIBKDBCBgorBgEEAaAyCgMBMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9nc2djY3I2c21pbWVjYTIwMjMuY3JsMCAGA1UdEQQZMBeBFWRnc2RzaUBzYW5pZGFkLmdvYi5lczAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHwYDVR0jBBgwFoAUACk2nlx6ug+vLVAt26AjhRiwoJIwHQYDVR0OBBYEFCeIK22GukVOXmB8A9veRspGKUtGMA0GCSqGSIb3DQEBCwUAA4ICAQCVFv7CV/WWG1pVWuY/8ze/5b5NvwZssjxvJssDc3L/EUX3O9HCokM7ua73afOGhqBpbsRprnTssn2TCZZO+a9yHCiPUqSpsFyM0Ytgi9Y+TNQT/RIJ7O7W6KZDDXjsT4fZstG9cL5DlComVfARpSdwyUtuLveXIE/u4iV/8nnjieH9XEls9J63JpzkuszRw8vPieKX5aZDrZgXl35mjSXaBRrpwcLQC56UtmYXWU228CXKNjUBtBok7YVD5ieNkMZMDryah9T5GomQy3TOjA+JjbOolQdva72m+EwD9sUDS8o8o6l6QD0d9yf8Sjc23NvlgJvrLwjgBV7ivR2LdSzJivL0ASi5iO1k30SxJPYYMqgnRllTQoGJHHbw8VHp8xNCYOPDZNcUB4RHtNcN0snd/KudFAFcIqiIvAP4A8AiltLRoVJ+E/DOFEjy9q6QJFWnCUUyYxcWOHjkxdnm67qkO9K/CwAkEbkwY2Y51+vxqMwFuRwJBjF2/a6UYsNa6s05PJ4uERmXt3YMqS2+ZjS8WBAN9AqRKFce5r5oFAZFfhIs6BRCxklCr5y33rj7cgDtICejXtgJk+ezDkzYVRE3lOzWO2FdCpwXRFFzB5npl3vPcvas1+V1zRiPDEjPyYfAJBzFlV9XpKGqeMwXObWoODsAWu+hPdSGjfBwTaRg7A==</ds:X509Certificate>
22	</ds:X509Data>
23	</ds:KeyInfo>
24	</ds:Signature>
25	<saml2:Subject>
26	<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAENZ LASARTE OIHANA - 44642377K, SURNAME=SAENZ LASARTE, GIVENNAME=OIHANA, SERIALNUMBER=IDCES-44642377K, C=ES</saml2:NameID>
27	<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
28	</saml2:Subject>
29	<saml2:Conditions NotBefore="2025-09-03T08:14:48.823Z" NotOnOrAfter="2025-09-03T12:14:48.823Z">
30	<saml2:AudienceRestriction>
31	<saml2:Audience>urn:ehdsi:assertions.audience:x-border</saml2:Audience>
32	</saml2:AudienceRestriction>
33	</saml2:Conditions>
34	<saml2:AuthnStatement AuthnInstant="2025-09-03T08:14:48.823Z" SessionNotOnOrAfter="2025-09-03T09:04:48.823Z">
35	<saml2:AuthnContext>
36	<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
37	</saml2:AuthnContext>
38	</saml2:AuthnStatement>
39	<saml2:AttributeStatement>
40	<saml2:Attribute FriendlyName="XSPA Subject" Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
41	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Sáenz Lasarte, Oihana</saml2:AttributeValue>
42	</saml2:Attribute>
43	<saml2:Attribute FriendlyName="XSPA Role" Name="urn:oasis:names:tc:xacml:2.0:subject:role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
44	<saml2:AttributeValue>
45	<Role xmlns="urn:hl7-org:v3" code="2262" codeSystem="2.16.840.1.113883.2.9.6.2.7" codeSystemName="ISCO" displayName="Pharmacists"/>
46	</saml2:AttributeValue>
47	</saml2:Attribute>
48	<saml2:Attribute FriendlyName="HCI Identifier" Name="urn:ihe:iti:xca:2010:homeCommunityId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
49	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oid:2.16.724.4.15</saml2:AttributeValue>
50	</saml2:Attribute>
51	<saml2:Attribute FriendlyName="XSPA Organization ID" Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
52	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:hl7ii:2.16.724.4.21.5.10:1234567890</saml2:AttributeValue>
53	</saml2:Attribute>
54	<saml2:Attribute FriendlyName="eHealth DSI Healthcare Facility Type" Name="urn:ehdsi:names:subject:healthcare-facility-type" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
55	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Pharmacy</saml2:AttributeValue>
56	</saml2:Attribute>
57	<saml2:Attribute FriendlyName="XSPA Purpose Of Use" Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
58	<saml2:AttributeValue>
59	<PurposeOfUse xmlns="urn:hl7-org:v3" code="TREATMENT" codeSystem="3bc18518-d305-46c2-a8d6-94bd59856e9e" codeSystemName="eHDSI PurposeofUse"/>
60	</saml2:AttributeValue>
61	</saml2:Attribute>
62	<saml2:Attribute FriendlyName="XSPA Locality" Name="urn:oasis:names:tc:xspa:1.0:environment:locality" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
63	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Farmacia Pruebas Navarra (PRE)</saml2:AttributeValue>
64	</saml2:Attribute>
65	<saml2:Attribute FriendlyName="Hl7 Permissions" Name="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
66	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-004</saml2:AttributeValue>
67	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-006</saml2:AttributeValue>
68	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-010</saml2:AttributeValue>
69	<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PPD-046</saml2:AttributeValue>
70	</saml2:Attribute>
71	</saml2:AttributeStatement>
72	</saml2:Assertion>

Validation result

Information

Well-formednessPASSED

Schema Validation detailed ResultPASSED

Gazelle Objects Checker validator resultsFAILED

File Content