7. Summary of Compliance Requirements from Part I
Table 5 summarises the compliance requirements from Part I of this Standard in the order that they appear. See the applicable subsection to read the context and detail surrounding these compliance requirements.
Table 5 – Summary of Part I compliance requirements
| Subsection no. | Compliance Requirement | Summary comment |
|---|---|---|
| 4.4 | MUST | Agencies deviating from a ‘SHOULD’ in their practices are to document a set of prescribed statements. |
| 4.5.2 | MUST | Vendor and bespoke product conformance with OASIS SAML v2.0. |
| 4.5.2 | MUST | Vendor and bespoke application conformance with the GLS Messaging Test Site (where applicable). |
| 4.5.2 | MUST | Vendor application extended functionality requires a certification stamp from the Liberty Alliance Project. |
| 5.2 | SHOULD | Future designs of online authentication are to follow the generic usage pattern outlined in 5.2. |
| 6.2.4 | MUST | Use of the Artifact Resolution Profile where messages are exchanged via a “back-channel”, except when the NameID Mapping Profile is used. |
| 6.3.2 | MUST NOT | The HTTP Redirect Binding is not to be used for a SAML Response. |
| 6.3.2 | MAY | The HTTP Redirect or POST binding may convey the SAML v2.0 message containing the artifact for subsequent dereference. |
| 6.3.2 | MUST | Vendor applications support all of the HTTP Redirect, POST and Artifact bindings. |
| 6.3.5 | MUST | Use of appropriately secured SSL/TLS for all browser-to-server message exchanges. |
| 6.3.5 | MAY | Optional encryption of the following SAML v2.0 elements: <Assertion>, <NameID>, <EncryptedID>. |
| 6.4.1 | MAY | Optional encryption of the following SAML v2.0 elements: <NameID>, <EncryptedID> (see Table 3). |
| 6.4.1 | MUST | Use of appropriately secured SSL/TLS for browser-to-server message exchanges. |
| 6.4.1 | MUST | Digital signing of Assertion elements. |
| 6.4.1 | SHOULD | Use of SSO Binding Set 1 for Nil/Negligible or Low SRC. |
| 6.4.1 | MAY | As above, without encrypting assertions or assertion elements if agreed by the exchanging parties. |
| 6.4.1 | MAY | Use of SSO Binding Set 1 for services that have a Moderate SRC. |
| 6.4.1 | MUST | As above, but encryption is mandatory. |
| 6.4.1 | MUST NOT | Use of SSO Binding Set 1 for services that have a High SRC. |
| 6.4.2 | MAY | Optional encryption of the following SAML v2.0 elements: <NameID>, <EncryptedID>. |
| 6.4.2 | MAY | Use of SSO Binding Set 2 for Nil/Negligible or Low SRC. |
| 6.4.2 | MUST | Use of SSO Binding Set 2 for services that have a High SRC. |
| 6.4.3 | SHOULD | A response is returned to any SAML message received. |
| 6.4.3 | MUST | Messages requiring encryption are encrypted with the sender’s public key. |
| 6.4.3 | MUST NOT | A SAML message is not processed if the current time does not meet its conditions. |
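Two of the rows above describe checks a receiving application can enforce directly on each message: 6.3.2 (a SAML Response is not accepted over the HTTP Redirect binding) and 6.4.3 (a message is not processed when the current time fails its conditions). The Python below is an added example of such receiver-side enforcement and is not code from the Standard; the assertion is constructed, and the clock-skew allowance is an assumption of the example, not a value the Standard gives.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample: an assertion valid from 12:00:00Z up to (not including) 12:05:00Z.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>'
    "</saml:Assertion>"
)

def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'; fractional seconds are not handled here."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_satisfied(assertion_xml, now, skew_seconds=0):
    """6.4.3: True only if `now` lies within [NotBefore, NotOnOrAfter), allowing
    `skew_seconds` of clock drift (an assumption of this example). A missing
    <Conditions> element fails closed."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return False
    skew = timedelta(seconds=skew_seconds)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False  # too early, even after allowing for skew
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False  # expired; NotOnOrAfter is exclusive
    return True

def response_binding_allowed(binding_uri):
    """6.3.2: a SAML Response may arrive over POST or Artifact, never HTTP Redirect."""
    return binding_uri in {HTTP_POST, HTTP_ARTIFACT}

def accept_response(binding_uri, assertion_xml, now, skew_seconds=0):
    """Both checks must pass before the receiver processes the message."""
    return response_binding_allowed(binding_uri) and conditions_satisfied(
        assertion_xml, now, skew_seconds
    )
```

Signature verification (6.4.1) and decryption are deliberately out of scope here; in a real receiver they run before the conditions check, on the verified content.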

