https://trustmark.nief.org/tpat/tds/icam-saml-idp-basic/1.0/

SAML IDP Requirements - Basic, version 1.0

The requirements for achieving basic SAML interoperability when implementing an Identity Provider.

Publication date: 2021-06-25T00:00:00.000Z
Publisher: National Identity Exchange Federation (NIEF), https://nief.org/
Primary contact: NIEF Support, help@nief.org, https://nief.org/

Legal notice: This artifact is published by the National Identity Exchange Federation (NIEF). This artifact and the information contained herein are provided on an "AS IS" basis, and NIEF disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, NIEF disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Keywords: NIEF, Federated ICAM, Security Assertion Markup Language, SAML, Identity Provider, IDP, Single Sign-On, SSO

Terms
Federated Identity, Credential, and Access Management (Federated ICAM)
Identity Provider (IDP, IdP)
National Identity Exchange Federation (NIEF)
Security Assertion Markup Language (SAML)
Single Sign-On (SSO)

Source: NIEF, "NIEF Technical Guidance"

Conformance Criteria

1. Support for SAML 2.0
The system MUST use and support the SAML Web Browser Single Sign-On (SSO) Profile as defined in the SAML 2.0 Profiles specification.

2. Redirect Binding Support
The system MUST support the use of the SAML HTTP Redirect Binding for SAML SSO.

3. Signature Verification on AuthnRequest
The system MUST verify the digital signature on SAML Authentication Requests when a signature is present.

4. NameID Policy Support
The system MUST support the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent and urn:oasis:names:tc:SAML:2.0:nameid-format:transient Name ID Formats. In addition, the system MUST honor the Name ID requested within an Authentication Context.

5. ForceAuthn Support
The system MUST support the ForceAuthn flag within Authentication Requests.

6. isPassive Support
The system MUST support the isPassive flag within Authentication Requests.

7. Use of Proper Assertion Consumer Service URL
The system MUST use the Assertion Consumer Service (ACS) URL configured during Metadata Exchange. It MUST NOT use the one specified in the AuthnRequest from the Relying Party.

8. POST Binding Support
The system MUST be able to transmit SAML Responses via the SAML POST binding.

9. Proper Use of Issuer in SAML Response
The system MUST populate the Issuer within its SAML Responses with its trusted EntityId.

10. Proper Use of Assertion in SAML Response
The system MUST include a SAML Assertion in all successful SAML Responses (those not containing an error status code). This SAML Assertion SHOULD be encrypted as an EncryptedAssertion.

11. Proper Digital Signature of SAML Assertion
The system MUST digitally sign every SAML Assertion that it generates. The public key used by SAML Service Providers (SPs) to verify these digital signatures MUST be published, e.g., in SAML 2 Metadata.

12. Proper Use of SAML AuthnStatement
Every SAML Assertion generated by the system MUST include an AuthnStatement.

13. Valid AuthnContextClass
Every AuthnStatement generated by the system MUST include a valid Authentication Context Class Reference.

14. Valid Subject ID
Every SAML Assertion generated by the system MUST include a Subject with a valid NameID of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

15. Valid Conditions
Every SAML Assertion generated by the system MUST include appropriate Conditions, including an appropriate Audience Restriction and validity time constraints.

Assessment Steps

1. System Uses and Supports SAML 2.0
Does the system support the SAML 2.0 Web Browser SSO Profile?
Artifact: Sample SAML Response

2. Redirect Binding Support
Does the system support the Redirect Binding for SP-initiated SAML SSO?
Artifact: Header Trace Showing Redirect Binding Usage

3. Signature Verification on AuthnRequest
Does the system verify the signature on a SAML AuthnRequest when it is signed? To perform this test, initiate SAML SSO from the test SP at least twice: once signing with the key that was pre-established as trusted, and a second time with an untrusted key to verify that an error condition occurs.
Artifact: Digital Signature Failure Error

4. NameID Policy Support
Does the system honor the NameID Policy as requested by a SAML SP? Verify that both persistent and transient can be requested and are supported.
Artifacts: Sample SAML Assertion - Persistent; Sample SAML Assertion - Transient

5. ForceAuthn Support
Does the system honor the ForceAuthn flag within AuthnRequests? To perform this test, initiate SAML SSO to the system three times:
<ol type="a">
<li>Initiate SAML SSO and establish a session with the system.</li>
<li>Without ForceAuthn enabled, initiate SAML SSO again and verify that reauthentication IS NOT required.</li>
<li>With ForceAuthn enabled, initiate SAML SSO again and verify that reauthentication IS required.</li>
</ol>
Artifact: Test Results

6. isPassive Support
Does the system properly honor the isPassive flag within AuthnRequests? To perform this test, initiate SAML SSO to the system three separate times as follows:
<ol type="a">
<li>With no prior session having been established, initiate SAML SSO with the isPassive flag and verify that an error occurs.</li>
<li>Initiate SAML SSO and establish a session via normal mechanisms.</li>
<li>With isPassive enabled, initiate SAML SSO again and verify that reauthentication is NOT required to complete the sign-on.</li>
</ol>
Artifact: Test Results

7. Use of Proper Assertion Consumer Service URL
Does the system use the ACS URL established during trust establishment (i.e., the ACS URL from SAML 2 Metadata) and NOT the ACS URL transmitted within a SAML AuthnRequest? To test this, change the configuration of the test SP to temporarily use a different ACS URL and make sure that the system produces an error.
Artifact: Test Results

8. POST Binding Support
Does the system transmit SAML Responses via the POST binding?
Artifact: Header Trace

9. Proper Use of Issuer in SAML Response
Does the system's SAML Response include an Issuer element that specifies the system's trusted EntityId?
Artifact: Sample SAML Response

10. Proper Use of Assertion in SAML Response
Does the system's SAML Response include an Assertion or EncryptedAssertion?
Artifact: Sample SAML Response

11. Proper Digital Signature of SAML Assertion
Does the system correctly apply an XML digital signature to the SAML Assertion?
Artifact: Sample SAML Assertion

12. Proper Use of SAML AuthnStatement
Does the SAML Assertion include a SAML AuthnStatement?
Artifact: Sample SAML Assertion

13. Valid Context Class
Does the SAML Assertion include a valid Authentication Statement including a SAML Authentication Context Class Reference?
Artifact: Sample SAML Assertion

14. Valid Subject ID
Does the SAML Assertion include a valid Subject in the appropriate NameID Format?
Artifact: Sample SAML Assertion

15. Valid Conditions
Does the SAML Assertion include valid Conditions? This requires an appropriate Audience Restriction and validity time constraints.
Artifact: SAML Assertion
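Criteria 2, 4, 5, 6 and 7 together describe how an IdP must treat an incoming AuthnRequest, and assessment steps 5, 6 and 7 describe the observable outcomes (re-authentication or not, an error under isPassive with no session, an error when the SP's ACS URL does not match metadata). The following is an added example, not NIEF's code or any particular IdP's implementation, that shows that decision logic end to end: the Redirect-binding decoding of a SAMLRequest, the reading of NameIDPolicy, ForceAuthn and IsPassive, and the choice of the ACS URL from pre-exchanged metadata. The SP entity ID, ACS URL, session state and the request builder are constructed sample values. Verification of a signed request (criterion 3) is assumed to be done by an XML-DSig library before this logic runs and is not shown.

```python
"""IdP-side handling of an AuthnRequest received over the HTTP Redirect binding.

Added example, not NIEF's code. Entity IDs, URLs, session state and the
request builder are constructed. Signature verification of a signed request
is assumed to have been done already by an XML-DSig library.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SUPPORTED_FORMATS = {PERSISTENT, TRANSIENT}

# Constructed: what the IdP recorded about the SP during metadata exchange.
SP_ENTITY_ID = "https://sp.example.org/saml"
SP_ACS = "https://sp.example.org/saml/acs"
SP_METADATA = {SP_ENTITY_ID: {"acs_url": SP_ACS}}


class AuthnRequestError(Exception):
    """The IdP must answer with a SAML error status rather than an Assertion."""


def build_authn_request(issuer, acs_url, nameid_format, force_authn=False, is_passive=False):
    """SP side (constructed): an AuthnRequest with sample ID and IssueInstant."""
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2021-06-25T12:00:00Z"
    ForceAuthn="{str(force_authn).lower()}" IsPassive="{str(is_passive).lower()}"
    AssertionConsumerServiceURL="{acs_url}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:NameIDPolicy Format="{nameid_format}" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text):
    """Redirect binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest parameter."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_redirect(query):
    """Reverse the Redirect binding and parse the AuthnRequest."""
    saml_request = parse_qs(query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(saml_request), wbits=-15))


def _xml_bool(value):
    return value in ("true", "1")


def plan_response(request, session_subject):
    """Decide where to send the Response, which NameID format to use, and whether to prompt.

    session_subject is the subject of an existing IdP session, or None.
    """
    issuer = request.findtext("saml:Issuer", namespaces=NS)
    sp = SP_METADATA.get(issuer)
    if sp is None:
        raise AuthnRequestError(f"unknown SP: {issuer!r}")

    # Criterion 7: the ACS URL is the one from metadata; a different one in the request is an error.
    requested_acs = request.get("AssertionConsumerServiceURL")
    if requested_acs is not None and requested_acs != sp["acs_url"]:
        raise AuthnRequestError("AssertionConsumerServiceURL does not match metadata")

    # Criterion 4: honour NameIDPolicy; only persistent and transient are supported.
    # When the SP states no Format, this IdP picks transient (a local design choice).
    policy = request.find("samlp:NameIDPolicy", NS)
    nameid_format = (policy.get("Format") if policy is not None else None) or TRANSIENT
    if nameid_format not in SUPPORTED_FORMATS:
        raise AuthnRequestError(f"unsupported NameID format: {nameid_format}")

    # Criteria 5 and 6: ForceAuthn demands a fresh login; IsPassive forbids user interaction.
    force_authn = _xml_bool(request.get("ForceAuthn", "false"))
    is_passive = _xml_bool(request.get("IsPassive", "false"))
    need_prompt = force_authn or session_subject is None
    if need_prompt and is_passive:
        raise AuthnRequestError("NoPassive: cannot satisfy IsPassive without prompting the user")

    return {"acs_url": sp["acs_url"], "nameid_format": nameid_format, "prompt_user": need_prompt}


def handle_redirect(query, session_subject):
    """Entry point for a GET to the IdP's SSO endpoint."""
    return plan_response(decode_redirect(query), session_subject)


if __name__ == "__main__":
    query = encode_redirect(build_authn_request(SP_ENTITY_ID, SP_ACS, PERSISTENT, force_authn=True))
    print(handle_redirect(query, session_subject="alice"))
```

The three runs of assessment step 5 and step 6 map directly onto `plan_response`: with a session and no flags it returns `prompt_user` False; with ForceAuthn it returns True even though a session exists; with IsPassive and no session it raises, which the IdP turns into a NoPassive status. The ACS check raises rather than silently using the metadata value so that the misconfiguration in step 7 is visible as the error the test expects.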
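Assessment steps 9 to 15 all inspect one artifact, the SAML Response and the Assertion it carries. The following is an added example, not NIEF's code or an assessment tool of theirs, that performs those inspections programmatically and reports a pass or fail per criterion number: Issuer equal to the trusted EntityId, an Assertion (or EncryptedAssertion) in a successful Response, a ds:Signature on the Assertion, an AuthnStatement with an AuthnContextClassRef that is an absolute URI, a NameID in the persistent or transient format, and Conditions whose AudienceRestriction names the SP and whose validity window covers the check time. Cryptographic verification of the signature belongs to an XML-DSig library and is not shown; only presence is checked. The IdP and SP entity IDs, the timestamps and the sample Response are constructed values.

```python
"""Assessor-side check of a SAML Response against criteria 9 to 15.

Added example, not NIEF's code. Entity IDs, timestamps and the sample
Response are constructed; the ds:Signature element is a placeholder and is
only checked for presence, not verified.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed trust configuration of the SP doing the check.
IDP_ENTITY_ID = "https://idp.example.org/saml"
SP_ENTITY_ID = "https://sp.example.org/saml"

# Constructed Response that satisfies every criterion; the signature is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-response-1" Version="2.0" IssueInstant="2021-06-25T12:00:30Z"
    Destination="https://sp.example.org/saml/acs">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0" IssueInstant="2021-06-25T12:00:30Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructed-id</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-06-25T12:00:00Z" NotOnOrAfter="2021-06-25T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2021-06-25T12:00:29Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _instant(value):
    """Parse an xs:dateTime such as 2021-06-25T12:00:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, idp_entity_id, sp_entity_id, now, skew=timedelta(minutes=3)):
    """Return {criterion: (passed, detail)} for criteria 9 to 15 of the definition."""
    root = ET.fromstring(xml_text)
    results = {}

    # 9: the Response Issuer must be the IdP's trusted EntityId.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    results[9] = (issuer == idp_entity_id, f"Response Issuer = {issuer!r}")

    # 10: a successful Response must carry an Assertion or EncryptedAssertion.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    success = status is not None and status.get("Value") == SUCCESS
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    results[10] = (not success or assertion is not None or encrypted is not None,
                   "Assertion or EncryptedAssertion present on success")
    if assertion is None:
        # An EncryptedAssertion has to be decrypted before the remaining checks can run.
        return results

    # 11: the Assertion itself must be signed (presence only; verification is the DSig library's job).
    results[11] = (assertion.find("ds:Signature", NS) is not None, "ds:Signature on Assertion")

    # 12 and 13: an AuthnStatement with an AuthnContextClassRef that is an absolute URI.
    authn = assertion.find("saml:AuthnStatement", NS)
    results[12] = (authn is not None, "AuthnStatement present")
    ctx = None
    if authn is not None:
        ctx = authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    results[13] = (bool(ctx) and ":" in ctx, f"AuthnContextClassRef = {ctx!r}")

    # 14: Subject NameID in the persistent or transient format.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    results[14] = (fmt in NAMEID_FORMATS, f"NameID Format = {fmt!r}")

    # 15: Conditions naming us as Audience, with a validity window (plus skew) that covers now.
    cond = assertion.find("saml:Conditions", NS)
    passed, detail = False, "Conditions missing"
    if cond is not None:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        in_window = (nb is not None and noa is not None
                     and _instant(nb) - skew <= now < _instant(noa) + skew)
        passed = sp_entity_id in audiences and in_window
        detail = f"Audience={audiences} NotBefore={nb} NotOnOrAfter={noa}"
    results[15] = (passed, detail)
    return results


def failed_criteria(results):
    """Criterion numbers whose check did not pass, in ascending order."""
    return sorted(n for n, (passed, _) in results.items() if not passed)


def check_sample(idp_entity_id=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID, at="2021-06-25T12:01:00Z"):
    """Run the checks on the constructed Response as seen at time `at`; return the failing criteria."""
    return failed_criteria(check_response(SAMPLE_RESPONSE, idp_entity_id, sp_entity_id, _instant(at)))


if __name__ == "__main__":
    now = datetime(2021, 6, 25, 12, 1, tzinfo=timezone.utc)
    for n, (ok, detail) in sorted(check_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, now).items()):
        print(f"criterion {n:2d}: {'PASS' if ok else 'FAIL'}  {detail}")
```

Running the checks against a Response captured from the IdP under assessment, with the assessor's own entity ID as `sp_entity_id` and the capture time as `now`, yields the per-criterion table that steps 9 to 15 ask for. The time window is widened by a small clock skew because an assertion seen a few seconds before its NotBefore is a clock problem, not a criterion 15 failure; a Response captured long after NotOnOrAfter does fail, as the `at` argument of `check_sample` illustrates.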