SAML IDP Requirements - Basic, v1.0

The requirements for achieving basic SAML interoperability when implementing an Identity Provider.

Assessment Steps (15)

1. System Uses and Supports SAML 2.0 (SystemUsesandSupportsSAML20)
Does the system support the SAML 2.0 Web Browser SSO Profile?
Artifact
Sample SAML Response
Provide a full sample SAML Response generated by the system as XML/text.
2. Redirect Binding Support (RedirectBindingSupport)
Does the system support the Redirect Binding for SP Initiated SAML SSO?
Artifact
Header Trace Showing Redirect Binding Usage
Provide a header trace with the full URL accessed on the system. Using a header tracing tool such as the Chrome Developer Tools makes this an easy copy/paste operation.
3. Signature Verification on AuthnRequest (SignatureVerificationonAuthnRequest)
Does the system verify the signature on a SAML AuthnRequest when it is signed? To perform this test, initiate SAML SSO from the test SP at least twice: once signing with the key that was pre-established as trusted, and a second time with an untrusted key to verify that an error condition occurs.
Artifact
Digital Signature Failure Error
Provide a screen shot or logging details of the error(s) generated when an untrusted signature was sent to the system.
4. NameID Policy Support (NameIDPolicySupport)
Does the system honor the NameID Policy as requested by a SAML SP? Verify that both persistent and transient can be requested and supported.
Artifacts
Sample SAML Assertion - Persistent
Provide in XML a copy of a SAML Assertion in which a persistent name identifier is used.
Sample SAML Assertion - Transient
Provide in XML a copy of a SAML Assertion in which a transient name identifier is used.
5. ForceAuthn Support (ForceAuthnSupport)
Does the system honor the ForceAuthn flag within AuthnRequests? To perform this test, initiate SAML SSO to the system three times:
  1. Initiate SAML SSO and establish a session with the system.
  2. Without ForceAuthn enabled, initiate SAML SSO again and verify that reauthentication IS NOT required.
  3. With ForceAuthn enabled, initiate SAML SSO again and verify that reauthentication IS required.
Artifact
Test Results
Document the results of the three SAML SSO tests prescribed.
6. isPassive Support (isPassiveSupport)
Does the system properly honor the isPassive flag within AuthnRequests? To perform this test, initiate SAML SSO to the system three separate times as follows:
  1. With no prior session having been established, initiate SAML SSO with the isPassive flag and verify that an error occurs.
  2. Initiate SAML SSO and establish a session via normal mechanisms.
  3. With isPassive enabled, initiate SAML SSO again and verify that reauthentication is NOT required to complete the sign-on.
Artifact
Test Results
Document the results of the three SAML SSO tests prescribed.
7. Use of Proper Assertion Consumer Service URL (UseofProperAssertionConsumerServiceURL)
Does the system use the ACS URL established during trust establishment (i.e., the ACS URL from SAML 2 Metadata) and NOT the ACS URL transmitted within a SAML AuthnRequest? To test this, change the configuration of the test SP to temporarily use a different ACS URL and make sure that the system produces an error.
Artifact
Test Results
Document the results of the ACS URL test. Include a copy of the error text or a screen shot showing the error.
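Assessment steps 2 and 4 through 7 describe what an IdP must do with an incoming AuthnRequest. The following Python is an added example, not part of this document or of any NIEF tool, showing the IdP-side decision logic for those steps: it decodes the SAMLRequest parameter of a Redirect-binding URL (raw DEFLATE then base64), takes the ACS URL from metadata rather than from the request, honors NameIDPolicy, and applies ForceAuthn and IsPassive against the current session state. The entity IDs, URLs and the TRUSTED_SPS store are constructed assumptions standing in for values loaded from SAML 2 Metadata; the NoPassive status code is the second-level code defined in SAML 2.0 Core.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Second-level status code from SAML 2.0 Core for an IsPassive request that cannot be met.
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Constructed trust store: what an IdP would load from the test SP's SAML 2 Metadata
# at trust establishment (hypothetical entity IDs and URLs).
TEST_SP = "https://sp.example.test/saml"
IDP_SSO_URL = "https://idp.example.test/sso"
TRUSTED_SPS = {TEST_SP: {"acs_url": "https://sp.example.test/saml/acs"}}


def build_authn_request(issuer, force_authn=False, is_passive=False, acs_url=None, nameid_format=None):
    """Constructed AuthnRequest used to exercise the IdP logic below; not real SP output."""
    attrs = [f'xmlns:samlp="{SAMLP}"', f'xmlns:saml="{SAML}"',
             'ID="_req1"', 'Version="2.0"', 'IssueInstant="2024-01-01T12:00:00Z"']
    if force_authn:
        attrs.append('ForceAuthn="true"')
    if is_passive:
        attrs.append('IsPassive="true"')
    if acs_url:
        attrs.append(f'AssertionConsumerServiceURL="{acs_url}"')
    policy = f'<samlp:NameIDPolicy Format="{nameid_format}"/>' if nameid_format else ""
    return (f'<samlp:AuthnRequest {" ".join(attrs)}>'
            f'<saml:Issuer>{issuer}</saml:Issuer>{policy}</samlp:AuthnRequest>')


def build_redirect_url(sso_url, authn_request_xml):
    """HTTP-Redirect binding as the SP sends it: raw DEFLATE, base64, URL-encoded as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_request(url):
    """Reverse of build_redirect_url: the XML an IdP recovers from the URL seen in a header trace."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def _flag(element, name):
    return element.get(name, "false") in ("true", "1")  # xs:boolean lexical forms


def plan_authn(authn_request_xml, session_exists):
    """Decide how the IdP responds to an AuthnRequest, applying assessment steps 4 through 7."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return {"status": "error", "reason": "not an AuthnRequest"}
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    sp = TRUSTED_SPS.get(issuer)
    if sp is None:
        return {"status": "error", "reason": "issuer is not a trusted SP"}
    # Step 7: the ACS URL always comes from metadata; a conflicting value in the request is an error.
    requested_acs = root.get("AssertionConsumerServiceURL")
    if requested_acs is not None and requested_acs != sp["acs_url"]:
        return {"status": "error", "reason": "AssertionConsumerServiceURL does not match metadata"}
    # Step 4: honor the requested NameID format; only persistent and transient are supported here.
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    nameid_format = policy.get("Format") if policy is not None else None
    if nameid_format is None:
        nameid_format = NAMEID_TRANSIENT  # assumption: this example defaults to transient
    elif nameid_format not in (NAMEID_PERSISTENT, NAMEID_TRANSIENT):
        return {"status": "error", "reason": "unsupported NameID format"}
    force_authn = _flag(root, "ForceAuthn")
    is_passive = _flag(root, "IsPassive")
    # Step 6: IsPassive with no session (or combined with ForceAuthn, which needs fresh
    # credentials) cannot be satisfied, so the IdP answers with a NoPassive error.
    if is_passive and (not session_exists or force_authn):
        return {"status": "error", "reason": STATUS_NO_PASSIVE}
    # Step 5: ForceAuthn means re-authenticate even though a session already exists.
    action = "authenticate" if (force_authn or not session_exists) else "reuse_session"
    return {"status": "ok", "action": action, "acs_url": sp["acs_url"], "nameid_format": nameid_format}
```

For an assessment, the URL captured in the step 2 header trace can be passed straight to decode_redirect_request to confirm which flags and NameIDPolicy the test SP actually sent; the expected IdP behaviour for each of the three ForceAuthn and isPassive runs is then the value plan_authn returns for the corresponding session state.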
8. POST Binding Support (POSTBindingSupport)
Does the system transmit SAML Responses via the POST binding?
Artifact
Header Trace
Provide a text trace of the headers for the SAML POST event using a tool such as the Chrome developer tools.
9. Proper Use of Issuer in SAML Response (ProperUseofIssuerinSAMLResponse)
Does the system's SAML Response include an Issuer element that specifies the system's trusted EntityId?
Artifact
Sample SAML Response
Provide a sample SAML Response generated by the system and showing proper use of the system's EntityID as its Issuer element.
10. Proper Use of Assertion in SAML Response (ProperUseofAssertioninSAMLResponse)
Does the system's SAML Response include an Assertion or Encrypted Assertion?
Artifact
Sample SAML Response
Provide a sample SAML Response generated by the system and including either a SAML Assertion or SAML Encrypted Assertion.
11. Proper Digital Signature of SAML Assertion (ProperDigitalSignatureofSAMLAssertion)
Does the system correctly apply an XML digital signature to the SAML Assertion?
Artifact
Sample SAML Assertion
Provide a sample SAML Assertion generated by the system, or a SAML Response that includes a SAML Assertion (NOT an Encrypted Assertion) generated by the system. The artifact provided MUST include a proper XML digital signature.
12. Proper Use of SAML AuthnStatement (ProperUseofSAMLAuthnStatement)
Does the SAML Assertion include a SAML AuthnStatement?
Artifact
Sample SAML Assertion
Provide a sample SAML Assertion generated by the system, or a SAML Response that includes a SAML Assertion (NOT an Encrypted Assertion) generated by the system. The artifact provided MUST include a valid AuthnStatement within the Assertion.
13. Valid Context Class (ValidContextClass)
Does the SAML Assertion include a valid Authentication Statement that includes a SAML Authentication Context Class Reference?
Artifact
Sample SAML Assertion
Provide a sample SAML Assertion generated by the system, or a SAML Response that includes a SAML Assertion (NOT an Encrypted Assertion) generated by the system. The artifact provided MUST include an AuthnStatement within the Assertion, and the AuthnStatement MUST have a valid Authentication Context Class Reference.
14. Valid Subject ID (ValidSubjectID)
Does the SAML Assertion include a valid Subject in the appropriate NameIDFormat?
Artifact
Sample SAML Assertion
Provide a sample SAML Assertion generated by the system, or a SAML Response that includes a SAML Assertion (NOT an Encrypted Assertion) generated by the system. The artifact provided MUST include a valid Subject in the appropriate NameID Format within the Assertion.
15. Valid Conditions (ValidConditions)
Does the SAML Assertion include valid Conditions? This requires an appropriate Audience Restriction and validity time constraints.
Artifact
SAML Assertion
Provide a sample SAML Assertion generated by the system, or a SAML Response that includes a SAML Assertion (NOT an Encrypted Assertion) generated by the system. The artifact provided MUST include valid Conditions within the Assertion.
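Steps 9 through 15 all inspect the same artifact, a SAML Response containing an unencrypted Assertion. The Python below is an added example, not part of this document or of any NIEF tool, that runs those structural checks over such an artifact and returns a list of findings (an empty list means every check passed): Issuer equals the trusted EntityID, a successful Response carries an Assertion or EncryptedAssertion, the Assertion carries an enveloped ds:Signature, an AuthnStatement with an AuthnContextClassRef, a Subject NameID in the persistent or transient format, and Conditions with an AudienceRestriction naming the SP and a validity window containing the check time. The embedded SAMPLE_RESPONSE, its entity IDs and its timestamps are constructed test data. Step 11 is checked only for the presence of a signature element; verifying the signature cryptographically requires an XML Signature library and the IdP's published public key, which this example does not include.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed identities and check time for the sample artifact (hypothetical values).
IDP_ENTITY_ID = "https://idp.example.test/idp"
SP_ENTITY_ID = "https://sp.example.test/saml"
CHECK_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed SAML Response artifact; the SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{DSIG}"><ds:SignedInfo/>
      <ds:SignatureValue>PLACEHOLDER-SIGNATURE-VALUE</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">persistent-id-0001</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def q(ns, local):
    return f"{{{ns}}}{local}"


def parse_instant(value):
    """SAML dateTime values are UTC with a trailing Z; fractional seconds are ignored."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, trusted_entity_id, expected_audience, now):
    """Structural checks for assessment steps 9 through 15; returns a list of findings."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != q(SAMLP, "Response"):
        return ["root element is not samlp:Response"]
    if root.findtext(q(SAML, "Issuer"), default="").strip() != trusted_entity_id:  # step 9
        findings.append("Issuer does not match the trusted EntityID")
    code = root.find(f"{q(SAMLP, 'Status')}/{q(SAMLP, 'StatusCode')}")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        findings.append("Status is not Success; assertion checks skipped")
        return findings
    assertion = root.find(q(SAML, "Assertion"))  # step 10
    if assertion is None:
        if root.find(q(SAML, "EncryptedAssertion")) is not None:
            findings.append("EncryptedAssertion present; decrypt before checking steps 11 to 15")
        else:
            findings.append("successful Response carries neither Assertion nor EncryptedAssertion")
        return findings
    sig = assertion.find(q(DSIG, "Signature"))  # step 11, presence only
    if sig is None or sig.find(q(DSIG, "SignatureValue")) is None:
        findings.append("Assertion has no enveloped ds:Signature")
    authn = assertion.find(q(SAML, "AuthnStatement"))  # steps 12 and 13
    if authn is None:
        findings.append("Assertion has no AuthnStatement")
    elif not authn.findtext(f"{q(SAML, 'AuthnContext')}/{q(SAML, 'AuthnContextClassRef')}", default="").strip():
        findings.append("AuthnStatement has no AuthnContextClassRef")
    nameid = assertion.find(f"{q(SAML, 'Subject')}/{q(SAML, 'NameID')}")  # step 14
    if nameid is None or not (nameid.text or "").strip():
        findings.append("Subject has no NameID")
    elif nameid.get("Format") not in ALLOWED_NAMEID_FORMATS:
        findings.append(f"NameID Format {nameid.get('Format')!r} is neither persistent nor transient")
    conditions = assertion.find(q(SAML, "Conditions"))  # step 15
    if conditions is None:
        findings.append("Assertion has no Conditions")
        return findings
    try:
        not_before = parse_instant(conditions.get("NotBefore", ""))
        not_on_or_after = parse_instant(conditions.get("NotOnOrAfter", ""))
    except ValueError:
        findings.append("Conditions lack parseable NotBefore/NotOnOrAfter")
    else:
        if not (not_before <= now < not_on_or_after):
            findings.append("check time is outside the assertion validity window")
    audiences = [a.text.strip() for a in conditions.iter(q(SAML, "Audience")) if a.text]
    if expected_audience not in audiences:
        findings.append("AudienceRestriction does not name the SP")
    return findings
```

When reviewing a real artifact, pass the IdP's EntityID from its metadata as trusted_entity_id, the test SP's EntityID as expected_audience, and the time the Response was captured as now; a Response that decrypts to an EncryptedAssertion satisfies step 10 but must be decrypted before the remaining checks can be applied.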

Conformance Criteria (15)

Support for SAML 2.0
The system MUST use and support the SAML Web Browser Single Sign-On (SSO) Profile as defined in the SAML 2.0 Profiles specification.
Citation: NIEF
Proper Use of Assertion in SAML Response
The system MUST include a SAML Assertion in all successful SAML Responses (those not containing an error status code). This SAML Assertion SHOULD be encrypted as an EncryptedAssertion.
Citation: NIEF
Proper Digital Signature of SAML Assertion
The system MUST digitally sign every SAML Assertion that it generates. The public key used by SAML Service Providers (SPs) to verify these digital signatures MUST be published, e.g., in SAML 2 Metadata.
Citation: NIEF
Proper Use of SAML AuthnStatement
Every SAML Assertion generated by the system MUST include an AuthnStatement.
Citation: NIEF
Valid AuthnContextClass
Every AuthnStatement generated by the system MUST include a valid Authentication Context Class Reference.
Citation: NIEF
Valid Subject ID
Every SAML Assertion generated by the system MUST include a Subject with a valid NameID whose Format is urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Citation: NIEF
Valid Conditions
Every SAML Assertion generated by the system MUST include appropriate Conditions, including an appropriate Audience Restriction and validity time constraints.
Citation: NIEF
Redirect Binding Support
The system MUST support the use of the SAML HTTP Redirect Binding for SAML SSO.
Citation: NIEF
Signature Verification on AuthnRequest
The system MUST verify the digital signature on SAML Authentication Requests when a signature is present.
Citation: NIEF
NameID Policy Support
The system MUST support the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and urn:oasis:names:tc:SAML:2.0:nameid-format:transient NameID Formats. In addition, the system MUST honor the NameID Format requested within an Authentication Request.
Citation: NIEF
ForceAuthn Support
The system MUST support the ForceAuthn flag within Authentication Requests.
Citation: NIEF
isPassive Support
The system MUST support the isPassive flag within Authentication Requests.
Citation: NIEF
Use of Proper Assertion Consumer Service URL
The system MUST use the Assertion Consumer Service (ACS) URL configured during Metadata Exchange. It MUST NOT use the one specified in the AuthnRequest from the Relying Party.
Citation: NIEF
POST Binding Support
The system MUST be able to transmit SAML Responses via the SAML POST binding.
Citation: NIEF
Proper Use of Issuer in SAML Response
The system MUST populate the Issuer within its SAML Responses with its trusted EntityId.
Citation: NIEF