SAML SP Requirements - Basic, v1.0

The requirements for achieving basic SAML interoperability when implementing a Service Provider.

Assessment Steps (9)

1
Support for SAML 2.0 Web Browser SSO Profile (SupportforSAML20WebBrowserSSOProfile)
Does the system support SAML 2.0?
Artifact
Sample SAML Authentication Request
Provide a sample SAML Authentication request as XML/Text.
2
Support for Redirect Binding (SupportforRedirectBinding)
When generating SAML Authentication Requests, does the system use the SAML Redirect Binding?
Artifact
Header Trace Showing Redirect Binding Usage
Provide a header trace with the full URL accessed on the test Identity Provider. Using a header tracing tool such as the Chrome Developer Tools will make this an easy copy/paste operation.
3
Valid Issuer within SAML AuthnRequest (ValidIssuerwithinSAMLAuthnRequest)
Does the system provide a valid Issuer element in its SAML AuthnRequests, and is that Issuer element a URL that is clearly under the control of the RP organization?
Artifact
Sample SAML Authentication Request
Provide a sample SAML AuthnRequest artifact generated by the system. Note that an AuthnRequest artifact is required evidence for several other assessment steps regarding AuthnRequests. The artifact provided for this assessment step can be reused for those other steps if appropriate.
4
Valid NameIDPolicy (ValidNameIDPolicy)
Does the system specify a valid NameIDPolicy (transient or persistent) within the AuthnRequest?
Artifact
Sample SAML Authentication Request
Provide a sample SAML AuthnRequest artifact generated by the system. Note that an AuthnRequest artifact is required evidence for several other assessment steps regarding AuthnRequests. The artifact provided for this assessment step can be reused for those other steps if appropriate.
5
AuthnRequest Exclusions (AuthnRequestExclusions)
Does every AuthnRequest generated by the system NOT include a Subject, Scoping, Extensions, or Conditions?
Artifact
Sample SAML Authentication Request
Provide a sample SAML AuthnRequest artifact generated by the system. Note that an AuthnRequest artifact is required evidence for several other assessment steps regarding AuthnRequests. The artifact provided for this assessment step can be reused for those other steps if appropriate.
6
Protocol Binding Support (ProtocolBindingSupport)
Does the AuthnRequest generated by the system include a ProtocolBinding of urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST?
Artifact
Sample SAML Authentication Request
Provide a sample SAML AuthnRequest artifact generated by the system. Note that an AuthnRequest artifact is required evidence for several other assessment steps regarding AuthnRequests. The artifact provided for this assessment step can be reused for those other steps if appropriate.
7
Acceptance of Post Binding Responses (AcceptanceofPostBindingResponses)
Does the system accept SAML Responses via the POST binding?
Artifacts
Header Trace
Provide a header trace showing the system receiving and accepting a SAML Response at its Assertion Consumer Service URL via POST.
SAML Response
Include a SAML Response received by the system in XML/Text format.
8
XML Encryption Support (XMLEncryptionSupport)
Does the system accept SAML Responses with encrypted SAML Assertions?
Artifact
SAML Response
Provide a sample SAML Response that is encrypted and that was accepted by the system.
9
Digital Signature Validation (DigitalSignatureValidation)
Does the system validate the signature on a SAML Assertion and verify that the signature was made by a trusted partner system? This test requires verification of three different responses: one SAML Assertion that is correctly signed with the key of a trusted partner system, one unsigned SAML Assertion, and one SAML Assertion that is correctly signed with a key that is NOT trusted.
Artifact
Results
Provide detailed descriptions and/or screenshots to verify that the system correctly validates signatures on SAML Assertions and properly handles all three cases.
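The AuthnRequest artifact asked for in steps 3 to 6 can be checked mechanically before it is submitted as evidence. The Go program below is an added example, not part of the NIEF requirements or of any SP product; it parses one AuthnRequest with the standard library and returns one finding per failed criterion. The list of DNS names the RP organization controls (rpHosts) is an assessor-supplied input assumed by the example, since "controlled by the RP" cannot be decided from the XML alone, and both sample requests are constructed for illustration. The ProtocolBinding check follows the wording of the conformance criterion (the attribute is optional, but when present it must be HTTP-POST).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

const (
	bindingHTTPPOST  = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	nameIDTransient  = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
	nameIDPersistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
)

// authnRequest maps only the parts of samlp:AuthnRequest that the basic SP
// criteria examine. Pointer fields stay nil when an element is absent, which
// is how the exclusion check detects a forbidden child element.
type authnRequest struct {
	XMLName         xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ProtocolBinding string   `xml:"ProtocolBinding,attr"`
	Issuer          string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	NameIDPolicy    *struct {
		Format string `xml:"Format,attr"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:protocol NameIDPolicy"`
	Subject    *struct{} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	Conditions *struct{} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	Scoping    *struct{} `xml:"urn:oasis:names:tc:SAML:2.0:protocol Scoping"`
	Extensions *struct{} `xml:"urn:oasis:names:tc:SAML:2.0:protocol Extensions"`
}

// Constructed sample of a conformant AuthnRequest (not from any real deployment).
const conformantRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.org/saml/acs">
  <saml:Issuer>https://sp.example.org/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>`

// Constructed sample that violates steps 3, 4, 5 and 6 at once.
const nonconformantRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-2" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect">
  <saml:Issuer>urn:sp-example</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  <samlp:Scoping><samlp:IDPList/></samlp:Scoping>
</samlp:AuthnRequest>`

// hostControlled reports whether host equals, or is a subdomain of, a name the RP controls.
func hostControlled(host string, rpHosts []string) bool {
	host = strings.ToLower(host)
	for _, h := range rpHosts {
		h = strings.ToLower(h)
		if host == h || strings.HasSuffix(host, "."+h) {
			return true
		}
	}
	return false
}

// checkAuthnRequest evaluates one AuthnRequest against steps 3 to 6 and returns
// one finding per failed criterion; an empty result means the request conforms.
func checkAuthnRequest(raw []byte, rpHosts []string) ([]string, error) {
	var req authnRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return nil, fmt.Errorf("parse AuthnRequest: %w", err)
	}
	var findings []string

	// Step 3: Issuer present, and a URL whose host the RP controls.
	issuer := strings.TrimSpace(req.Issuer)
	if issuer == "" {
		findings = append(findings, "Issuer element missing")
	} else if u, err := url.Parse(issuer); err != nil || u.Host == "" {
		findings = append(findings, "Issuer is not a URL: "+issuer)
	} else if !hostControlled(u.Hostname(), rpHosts) {
		findings = append(findings, "Issuer host not controlled by RP: "+u.Hostname())
	}

	// Step 4: NameIDPolicy present with Format transient or persistent.
	if req.NameIDPolicy == nil {
		findings = append(findings, "NameIDPolicy element missing")
	} else if f := req.NameIDPolicy.Format; f != nameIDTransient && f != nameIDPersistent {
		findings = append(findings, "NameIDPolicy Format not transient/persistent: "+f)
	}

	// Step 5: Subject, Scoping, Extensions and Conditions must all be absent.
	for _, e := range []struct {
		name    string
		present bool
	}{{"Subject", req.Subject != nil}, {"Scoping", req.Scoping != nil},
		{"Extensions", req.Extensions != nil}, {"Conditions", req.Conditions != nil}} {
		if e.present {
			findings = append(findings, "forbidden element present: "+e.name)
		}
	}

	// Step 6 (criterion wording): ProtocolBinding is optional, but if present it must be HTTP-POST.
	if req.ProtocolBinding != "" && req.ProtocolBinding != bindingHTTPPOST {
		findings = append(findings, "ProtocolBinding is not HTTP-POST: "+req.ProtocolBinding)
	}
	return findings, nil
}

func main() {
	rp := []string{"sp.example.org"} // assumed RP-controlled names
	for _, doc := range []string{conformantRequest, nonconformantRequest} {
		findings, err := checkAuthnRequest([]byte(doc), rp)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

Running the program reports no findings for the first sample and five for the second: a non-URL Issuer, an e-mail NameID format, a Subject, a Scoping element, and a Redirect ProtocolBinding. The same parser can be pointed at the artifact captured from the real system before it is attached to steps 3 to 6.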

Conformance Criteria (9)

Support for SAML 2.0 Web Browser SSO Profile
The system MUST use and support the SAML Web Browser Single Sign-On (SSO) Profile as defined in the SAML 2.0 Profiles specification.
Citation
NIEF
Discussion/Review
Support for Redirect Binding
The system MUST support the use of the SAML HTTP Redirect Binding for SAML SSO.
Citation
NIEF
Discussion/Review
Valid Issuer within SAML AuthnRequest
The system MUST include the Issuer element in all SAML AuthnRequests, and that Issuer MUST be a URL controlled by the RP organization.
Citation
NIEF
Discussion/Review
Valid NameIDPolicy
All AuthnRequests generated by the system MUST include a valid NameIDPolicy, and it MUST be transient or persistent.
Citation
NIEF
Discussion/Review
AuthnRequest Exclusions
All AuthnRequests generated by the system MUST NOT contain any of the following: Subject, Scoping, Extensions, or Conditions.
Citation
NIEF
Discussion/Review
Protocol Binding Support
If AuthnRequests generated by the system include a ProtocolBinding, then it MUST be set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
Citation
NIEF
Discussion/Review
Acceptance of Post Binding Responses
The system MUST accept SAML Responses via the SAML POST binding.
Citation
NIEF
Discussion/Review
XML Encryption Support
The system MUST accept SAML Assertions that have been encrypted.
Citation
NIEF
Discussion/Review
Digital Signature Validation
The system MUST validate the digital signature on every SAML Assertion that it receives, and MUST verify that the Identity Provider (IDP) system's signing key is trusted.
Citation
NIEF
Discussion/Review
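The Digital Signature Validation criterion, and the three-response test in assessment step 9, come down to one decision function in the SP. The Go program below is an added example, not NIEF's or any product's code, and it deliberately simplifies XML-DSig: instead of canonicalising the Assertion and checking ds:Reference digests, it signs and verifies the raw assertion bytes with RSA-SHA256 from the standard library, so only the trust decision is shown; a production SP must use a real XML Signature implementation. The trust store keyed by public-key fingerprint, the two generated key pairs and the assertion body are all constructed for the example. It runs the three cases the step requires plus a fourth, a tampered body under the trusted key, which shows why checking that the key is trusted is not a substitute for verifying the signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// signedAssertion stands in for a SAML Assertion with an enveloped signature:
// the bytes XML-DSig would canonicalise and digest, the ds:SignatureValue, and
// the signer's public key as ds:KeyInfo would carry it. An empty Signature
// models the unsigned case. This is a simplification of XML-DSig.
type signedAssertion struct {
	Body      []byte
	Signature []byte
	SignerKey *rsa.PublicKey
}

// trustStore holds SHA-256 fingerprints of partner IdP signing keys (DER SPKI),
// as an SP would load them from federation metadata.
type trustStore map[string]bool

var (
	errUnsigned  = errors.New("assertion is unsigned")
	errUntrusted = errors.New("signing key is not a trusted partner key")
	errBadSig    = errors.New("signature does not verify")
)

func keyFingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// validateAssertion applies criterion 9: reject an unsigned assertion, reject a
// signer outside the trust store before any cryptography runs, and only then
// verify the signature itself. A distinct error per case lets the assessment
// evidence show which check fired.
func validateAssertion(a signedAssertion, trusted trustStore) error {
	if len(a.Signature) == 0 || a.SignerKey == nil {
		return errUnsigned
	}
	fp, err := keyFingerprint(a.SignerKey)
	if err != nil {
		return err
	}
	if !trusted[fp] {
		return errUntrusted
	}
	digest := sha256.Sum256(a.Body)
	if rsa.VerifyPKCS1v15(a.SignerKey, crypto.SHA256, digest[:], a.Signature) != nil {
		return errBadSig
	}
	return nil
}

// signBody produces the RSA-SHA256 value an IdP would place in ds:SignatureValue.
func signBody(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// runThreeCaseTest builds the responses assessment step 9 requires (plus a
// tampered fourth) and returns the validator's verdict for each.
func runThreeCaseTest() (map[string]error, error) {
	partner, err := rsa.GenerateKey(rand.Reader, 2048) // trusted partner IdP key
	if err != nil {
		return nil, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // valid key, but not a partner
	if err != nil {
		return nil, err
	}
	fp, err := keyFingerprint(&partner.PublicKey)
	if err != nil {
		return nil, err
	}
	trusted := trustStore{fp: true}

	// Constructed sample assertion body (not a real SAML message).
	body := []byte(`<saml:Assertion ID="_a1"><saml:Subject>alice</saml:Subject></saml:Assertion>`)
	partnerSig, err := signBody(partner, body)
	if err != nil {
		return nil, err
	}
	strangerSig, err := signBody(stranger, body)
	if err != nil {
		return nil, err
	}
	tampered := []byte(strings.Replace(string(body), "alice", "mallory", 1))

	return map[string]error{
		"trusted-signed":   validateAssertion(signedAssertion{body, partnerSig, &partner.PublicKey}, trusted),
		"unsigned":         validateAssertion(signedAssertion{Body: body}, trusted),
		"untrusted-signed": validateAssertion(signedAssertion{body, strangerSig, &stranger.PublicKey}, trusted),
		"tampered":         validateAssertion(signedAssertion{tampered, partnerSig, &partner.PublicKey}, trusted),
	}, nil
}

func main() {
	results, err := runThreeCaseTest()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"trusted-signed", "unsigned", "untrusted-signed", "tampered"} {
		verdict := "accepted"
		if results[name] != nil {
			verdict = "rejected: " + results[name].Error()
		}
		fmt.Printf("%-17s %s\n", name, verdict)
	}
}
```

Only the trusted, correctly signed case is accepted; the unsigned, untrusted-key and tampered cases each produce a different rejection reason, which is the shape of evidence the Results artifact for step 9 asks for.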