$TXT Created by                  at DEVCRN.DOMAIN.EXT  (KIDS) on Monday, 12/21/20 at 13:54
=============================================================================
Run Date: FEB 02, 2021                     Designation: XU*8*731
Package : XU - KERNEL                         Priority: Mandatory
Version : 8        SEQ #584                     Status: Released
                                      Compliance Date: APR 12, 2021
=============================================================================

Associated patches: (v)XU*8*701  <<= must be installed BEFORE `XU*8*731'

Subject: PREVENT DUPLICATE VISITOR RECORDS

Category:
  - Routine
  - Enhancement (Mandatory)

Description:
============

***NOTE: If your system is a "VistA-like" system, you will need to log a
SNOW ticket to get assistance with getting the Web Service pieces set up,
as they were exported initially in a non-Kernel patch. Without the web
service setup you will not be able to utilize the Personal Identification
Verification (PIV) sign-on to its full extent.***

This patch makes modifications to VistA Kernel Security and Visitor
Security when processing Security Assertion Markup Language (SAML) token
credentials used by registered remote applications. It adds an
interaction with the VA Master Person Index (VA MPI) to ensure the
authenticated user's identity is distinct and will not create a duplicate
visitor account for the user. The changes will also benefit the effort to
link a user's PIV card to their VistA account if the account hasn't
already been linked.

Problem 1: Duplicate visitor accounts are being created when using SecID

Remote applications like Joint Legacy Viewer (JLV), which relied on the
Broker's Enhanced Security (BSE), have replaced their use of BSE tokens
with the more secure Identity and Access Management (IAM) SAML tokens
(SSOi, etc.) used by VistA Kernel Security. Unfortunately, these two
tokens use different identifiers:

  - BSE tokens carry a Social Security Number (SSN) value, but no SecID
    value.
  - IAM SAML tokens carry a SecID value but no SSN value.
The use of the more secure IAM token has caused a duplicate visitor
account to be created in certain conditions, and the SecID value is being
assigned to the visitor account instead of the regular account. This in
turn creates future problems when the user attempts to use applications
like the Computerized Patient Record System (CPRS) and their PIV card
authentication is incorrectly matched to the visitor account.

Solution 1:

Changes were made in the Visitor logic to add an interaction with the MPI
(Master Person Index) to obtain the necessary mapping from SecID to SSN
value and ensure the authenticated user's identity is distinct and will
not create a duplicate visitor account for the user. This also ensures
that the SecID value is linked to a regular account if it already exists.

Problem 2: Unlinked Accounts

Many existing VistA users haven't linked their PIV card to their VistA
user account. This causes those users to always fail PIV card
authentication and be unnecessarily prompted for their access and verify
codes. The problem worsens if those users also use remote applications
like JLV, which now use IAM SAML tokens, because the SecID is incorrectly
assigned to a new visitor account instead of the user's regular account.

Solution 2:

VistA user accounts can be linked when using their PIV card and when using
remote applications like JLV, which now use PIV card authentication and
the corresponding IAM SAML token, which carries the SecID value needed to
link the account. This solution depends on Solution 1 above.
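The SecID-to-SSN resolution described under Problem 1, Solution 1 and Solution 2, as an added illustration in Python. This is not the patch's M code (XUSAML, XUIAMXML) and not a VistA API; every account name, SecID and SSN value and the MPI lookup table are constructed placeholders, and the fallback to a new visitor when MPI cannot resolve a SecID is an assumption, not something the patch description states. It shows the pre-patch path, where an unlinked user's SAML token matches nothing and a visitor account is created and takes the SecID, beside the patched path, where the MPI mapping finds the existing regular account and links the SecID to it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Minimal model of a user record; 'regular' or 'visitor'."""
    name: str
    kind: str
    ssn: Optional[str] = None
    secid: Optional[str] = None


@dataclass
class UserStore:
    """Constructed stand-in for the site's user file (hypothetical)."""
    accounts: list

    def find_by_secid(self, secid: str) -> Optional[Account]:
        return next((a for a in self.accounts if a.secid == secid), None)

    def find_by_ssn(self, ssn: str) -> Optional[Account]:
        # Prefer a regular account over a visitor carrying the same SSN.
        matches = [a for a in self.accounts if a.ssn == ssn]
        matches.sort(key=lambda a: a.kind != "regular")
        return matches[0] if matches else None

    def create_visitor(self, secid: str, ssn: Optional[str] = None) -> Account:
        visitor = Account(f"VISITOR,{secid}", "visitor", ssn=ssn, secid=secid)
        self.accounts.append(visitor)
        return visitor


# Hypothetical MPI SecID -> SSN mapping (constructed sample values).
MPI_SECID_TO_SSN = {
    "SECID-1001": "000-00-1001",
    "SECID-1002": "000-00-1002",
}


def mpi_secid_to_ssn(secid: str) -> Optional[str]:
    """Stand-in for the MPI query; real MPI access is not modelled."""
    return MPI_SECID_TO_SSN.get(secid)


def resolve_pre_patch(store: UserStore, secid: str) -> Account:
    """Pre-XU*8*731 behaviour: the SAML token carries only a SecID, so an
    account that was never linked cannot match, a visitor is created and
    the SecID is assigned to that visitor (Problem 1)."""
    acct = store.find_by_secid(secid)
    if acct is None:
        acct = store.create_visitor(secid)
    return acct


def resolve_post_patch(store: UserStore, secid: str, mpi=mpi_secid_to_ssn) -> Account:
    """Patched behaviour: match on SecID first; otherwise map SecID -> SSN via
    MPI and match on SSN, linking the SecID to the existing regular account
    (Solution 1 and Solution 2) before any visitor is created."""
    acct = store.find_by_secid(secid)
    if acct is not None:
        return acct
    ssn = mpi(secid)
    if ssn is not None:
        acct = store.find_by_ssn(ssn)
        if acct is not None:
            acct.secid = secid  # link the PIV/SecID to the existing account
            return acct
    # Assumption: if MPI cannot resolve the SecID, fall back to a new visitor.
    return store.create_visitor(secid, ssn)


def make_sample_store() -> UserStore:
    """Two constructed regular accounts: one unlinked, one already linked."""
    return UserStore([
        Account("DOCTOR,ALICE", "regular", ssn="000-00-1001"),
        Account("NURSE,BOB", "regular", ssn="000-00-1002", secid="SECID-1002"),
    ])


def demo() -> tuple:
    """Same SAML SecID for the unlinked user, resolved both ways."""
    before = make_sample_store()
    old = resolve_pre_patch(before, "SECID-1001")
    after = make_sample_store()
    new = resolve_post_patch(after, "SECID-1001")
    return old.kind, len(before.accounts), new.kind, new.name, len(after.accounts)


if __name__ == "__main__":
    print(demo())
```

The pre-patch path leaves the store with three accounts and the SecID on the visitor, which is exactly the state that later mis-matches a CPRS PIV logon; the patched path leaves two accounts with the SecID on the regular one, so a second logon with the same token matches on SecID directly without another MPI round trip.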
Patch Components
================

Files & Fields Associated:

File Name (Number)         Field Name (Number)        New/Modified/Deleted
------------------         -------------------        --------------------
N/A

Forms Associated:

Form Name                  File #                     New/Modified/Deleted
---------                  ------                     --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                       New/Modified/Deleted
-----------                ----                       --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type   File Name (Number)   New/Modified/Deleted
-------------   ----   ------------------   --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name                  New/Modified/Deleted
---------------------------            --------------------
N/A

Parameter Definitions Associated:

Parameter Name                         New/Modified/Deleted
---------------------------            --------------------
N/A

Additional Information:

Blood Bank Team Coordination
----------------------------
EFFECT ON BLOOD BANK FUNCTIONAL REQUIREMENTS: Patch XU*8.0*731 contains
changes to a package referenced in the Process Asset Library standard
titled: BBM Team Review of VistA Patches. This patch does not alter or
modify any VistA Blood Bank software design safeguards or safety critical
elements functions.

RISK ANALYSIS: Changes made by patch XU*8.0*731 have no adverse effect on
Blood Bank software functionality, therefore RISK is none.
New Service Requests (NSRs)
----------------------------
N/A

Patient Safety Issues (PSIs)
-----------------------------
N/A

Defect Tracking System Ticket(s) & Overview
-------------------------------------------
N/A

Test Sites:
-----------
TOGUS VAMC (Augusta, ME)
UPSTATE NY HCS (Albany, NY)

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released in a PackMan message.
Documentation describing the new functionality is not included in this
release.

Documentation Title                                    File Name
------------------------------------------------------------------
N/A

Patch Installation:

Pre/Post Installation Overview
------------------------------
There are no Pre/Post installation routine processes.

Pre-Installation Instructions
-----------------------------
This patch takes less than a minute to install. This patch may be
installed with users on the system and the installation may be queued.

Installation Instructions
-------------------------
1. Choose the PackMan message containing this build. Then select the
   INSTALL/CHECK MESSAGE PackMan option to load the build.

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm
      the integrity of the routines that are in the transport global.
      When prompted for the INSTALL NAME enter the patch or build name
      (ex. XU*8.0*731).

      NOTE: Using <spacebar><enter> will not bring up a Multi-Package
      build even if it was loaded immediately before this step. It will
      only bring up the last patch in the build.

   B. Select the Backup a Transport Global option to create a backup
      message of any routines exported with this patch. It will not back
      up any other changes such as DDs or templates.

   C. You may also elect to use the following options:
      i.  Print Transport Global - This option will allow you to view the
          components of the KIDS build.
      ii. Compare Transport Global to Current System - This option will
          allow you to view all changes that will be made when this patch
          is installed. It compares all of the components of this patch,
          such as routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to
      install.
      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
           of Install? NO//', answer NO.
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer NO.
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu
           Options, and Protocols? NO//', answer NO.

Post-Installation Instructions
------------------------------
N/A

Back-Out Plan
-------------
This patch ONLY contains routine changes. In the event that it is
determined that this patch should be backed out, the site should restore
the routines from the backup. One routine is new (XUIAMXML) and would be
deleted; one is existing and would be restored from the backup. If the
site requires further assistance, the site should submit a ServiceNow
(SNOW) ticket asking for assistance.

Note: During installation, if the option to back up the routines was
executed as directed, "Backup a Transport Global" (Step 2B.), then the
routines can be restored from the 'backup' MailMan message that was
generated. However, the Kernel Installation and Distribution System
(KIDS) process does NOT perform a backup of the other VistA software
components, such as RPCs. This process should only be done with the
concurrence and participation of the development team and the
appropriate VA Site/Region personnel.

Routine Information:
====================
The second line of each of these routines now looks like:
  ;;8.0;KERNEL;**[Patch List]**;Jul 10, 1995;Build 1

The checksums below are new checksums, and can be checked with
CHECK1^XTSUMBLD.
Routine Name: XUESSO2
    Before:B121498845   After:B121663690  **655,659,630,701,731**
Routine Name: XUIAMXML
    Before:       n/a   After: B85181132  **731**
Routine Name: XUSAML
    Before:B134942281   After:B156920962  **655,659,630,701,731**

Routine list of preceding patches: 701

=============================================================================
User Information:
Entered By  :                                 Date Entered  : APR 23, 2020
Completed By:                                 Date Completed: FEB 02, 2021
Released By :                                 Date Released : FEB 02, 2021
=============================================================================

Packman Mail Message:
=====================

$END TXT