Section 34.6, Line 461 in IUA.b, Rev.1.2 from September 21, 2019:
The XUA profile provides equivalent functionality for SOAP based transactions. In addition, the SAML token option in IUA enables an Identity Provider (Authorization Server) to exchange an XUA compatible SAML token for an OpenID Connect compatible token which can subsequently be used as an access token in all RESTful transactions specified in MHD, PDQm and other FHIR-based IHE profiles. The exchange of an XUA token for a JWT can take place without additional authorization, so it can be easily implemented by protocol translation gateways.
The statement is problematic in certain aspects:
The first sentence is not complete and may lead to misunderstanding.
There seems to be a confusion of the terms Identity Provider and Authorization Server. As far as I understand, there is no relation between authentication and the IUA SAML option for the authorization.
I don't see how the IUA profile supports exchanging an OpenID Connect compatible token for an XUA compatible SAML token.