Skip to content.
|Networking government in New Zealand.
Archive

Archived articles:

See archives for this section
 
You are here: Home » Standards » Interoperability (e-GIF) » Authentication Standards » New Zealand Security Assertion Messaging Standard » 10. NZ SAMS Constraints on the OASIS SAML v2.0 Web Browser SSO Profile

10. NZ SAMS Constraints on the OASIS SAML v2.0 Web Browser SSO Profile

[ Table of Contents ]

Specification Name: Profiles for the OASIS SAML V2.0

SAML Specification Reference : Saml-profiles-2.0-os

This html page contains lines 355-662 from the PDF version of NZ SAMS v1.0

The SAML v2.0 Profiles Specification defines the use of SAML assertions and request-response messages as well as the naming conventions.

Not all of the SAML v2.0 Profiles have been prescribed for NZ SAMS - only those that have been identified from agency use cases. More profiles may be added in future releases of NZ SAMS.

Web Browser SSO profiles can also be used for non-SSO implementations such as the All-of-government Authentication Programme's GLS.

The following table, Table 8, describes the selected requirements from the OASIS SAML v2.0 web browser SSO profile for NZ SAMS.

End of line 362

Table 8 - NZ SAMS constraints on the OASIS SAML v2.0 web browser SSO profile

Section 3: Confirmation Method Identifiers

What is excluded or altered from the SAML v2.0 Profile Specification:

Subsection 3.2 Sender Vouches

Line: 354 - 358

Ignore. Sender Vouches is NOT REQUIRED for NZ SAMS. The current uses cases have no requirement for the use of Sender Vouches.

Section 4: SSO Profiles of SAML

[ Back to top of table 8 ]

What is excluded or altered from the SAML v2.0 Profile Specification:

Subsection 4.1.2 Profile Overview

[ Back to top of Section 4 ]

Subsection 4.1.2 - 2 Profile Overview - Service Provider determines Identity Provider

Line: 407 – 411

Deployment alignment:
All-of-government Authentication Programme identifiers will be known through exchange of metadata. Since, from the perspective of SAML v2.0, the use cases indicate that so far there are probably only three entities taking the role of an IdP (the GLS, the proposed IVS and the education sector’s proposed ESAA system), they will be known to each SP through the IdP’s metadata. The service user will not need to choose an IdP or use IdP discovery so the IdP selection can be done automatically without service user interaction.

Subsection 4.1.2 - 4 Profile Overview - Identity Provider identifies Principal

Line: 416 – 419

Deployment alignment:
In the All-of-government Authentication Programme, the service user is presented with a 'challenge-response' process; the GLS logon page is presented for the service user to enter his/her username and password.

Refer also to [GLSMS], for specific details on the structure and content of these messages.

End of line 381

Subsection 4.1.2 - 5 Profile Overview - Identity Provider identifies Principal

Line: 420 – 425

See section 6 of this Standard to determine which binding is most applicable for the security of the message being transported.

Deployment alignment:
Refer also to [GLSMS] for specific details on the structure and content of these messages.

Subsection 4.1.2 - 6 Profile Overview - Identity Provider identifies Principal

Line: 426 – 429

Deployment alignment:
Refer also to [GLSMS] for specific details on the structure and content of these messages.

Line: 430 – 431

This technical approach SHOULD NOT be used. The agreed usage pattern is SP initiated, not IdP initiated.

Subsection 4.1.3 Profile Description

[ Back to top of Section 4 ]

Subsection 4.1.3.1 Profile Description - HTTP Request to Service Provider

Line: 445

The RelayState mechanism MAY be used.

Deployment alignment:
The SPs MAY use the RelayState mechanism and it is expected to be supported by the All-of-government Authentication Programme. The decision to use the <RelayState> element depends on whether the SP needs to maintain some (session) state across the SP to IdP interaction. SAML v2.0 just declares that if the SP needs to use it, the IdP MUST return it back to them. The IdP does not ever look at its contents or try to interpret them in any way. In some applications, the information carried in the <RelayState> element could also be used to further associate information that the SP had placed in a session cookie in the service user's browser.

Subsection 4.1.3.2 Profile Description - Service Provider Determines Identity Provider

Line: 448 – 454

In the initial release of this Standard, this step is implemented by always selecting the GLS as per the entries above related to section 4.1.2 - 2.

Subsection 4.1.3.3 Profile Description - Service Provider Determines Identity Provider

Line: 458

The SAML v2.0 Metadata Specification MUST be used to comply with NZ SAMS.

Line: 468

See section 6 of this Standard to determine which binding and security option is most applicable for the security of the message being transported.

End of line 404

Subsection 4.1.3.4 Profile Description - Identity Provider Identifies Principal

Line: 475 – 482

The ForceAuthn attribute in an <AuthnRequest> message MAY be specified as a mechanism for the SP to require the IdP to force the service user to log in, regardless of the session state.

Deployment alignment:
It is RECOMMENDED that ForceAuthn be mandatory in product selection. Do note that current SAML v2.0 certification does not test ForceAuthn. ForceAuthn SHOULD only be specified with 'XML True' (i.e. true or 1) and should only be enforced when business rules mandate re-authentication. I.e. some SPs may want to ensure the service user authentication is 'fresh' (has occurred recently), or there may also be situations where SAML applications want the service user to log in again before performing higher risk transactions. Omission of ForceAuthn SHOULD be used to indicate 'false'.

Subsection 4.1.3.5 Identity Provider issues <Response> to Service Provider

Line: 484

The IdP SHOULD produce an HTTP <Response> to the browser.

Deployment alignment:
The reason why this element is not mandated is that if an error occurs at an underlying protocol level, then the responder will not have the context for building an appropriate <Response> message, i.e. it will not be possible to send a <Response> message. At this level, if an error occurs within the SAML processing engine, then a SAML Response should be returned with an appropriate SAML status code. In all other circumstances, except in the instance of an error in an underlying protocol, or extraneous circumstances rendering it impossible to produce an HTTP <Response> (e.g. if a browser session is cancelled), an HTTP <Response> must be produced. In the event of a failure the SP will need to process an error (or similar) message in order to remain compliant with [GLSMS] and retain integrity in the New Zealand Government authentication systems. See NZ SAMS, Table 9 for more information on error handling.

End of line 428

Clarification on how the IdP identifies itself to SP with the HTTP Artifact binding:

When the IdP redirects the browser back to the SP's AssertionConsumerServiceURL (in an SSO use case) with the artifact representing the desired <Response> message, the IdP's EntityID is not directly included in the URL parameters. There is a '?SAMLart=xxxx' parameter that passes the artifact (and if the SP had sent a RelayState parameter in the initial transfer to the IdP, then the 'RelayState=xxx' parameter would be returned intact).

Once the artifact is received at the SP, it parses the artifact to extract the <SourceID>. The SP consults all known IdPs in its metadata store to locate the IdP whose SHA1(EntityID) == SourceID-from-artifact. This tells the SP which IdP to now send an <ArtifactResolve> SOAP message to in order to retrieve the SAML message associated with the artifact. In SAML v2.0, the <SourceID> is a SHA-1 hash of the IdP's entity ID, which is how the SP knows which IdP to contact.

The salient point is that if you do not already know the list of possible entity IDs, then you have no way to extract the EntityID from the <SourceID>.

Line: 495

Deployment alignment:
During SAML v2.0 interoperability testing in 2005, it was RECOMMENDED that vendors specify the AssertionConsumerServiceIndex attribute in the <AuthnRequest> message. Alternatively, the SAML binding used could be retrieved from the metadata and thus preconfigured. One option MUST be used in order to remain compliant with the [GLSMS].

End of line 449

Line: 497 – 500

RECOMMENDED in line 497 becomes REQUIRED for NZ SAMS compliance.

Subsection 4.1.3.6 Service Provider grants or denies access to user agent

Line: 503 – 508

SPs MUST specify HTTPS over SSL v3.0 or TLS v1.0 to establish a security context with the user agent (web browser).

Subsection 4.1.4: Use of the Authentication Request Protocol

[ Back to top of Section 4 ]

Subsection 4.1.4.1 <AuthnRequest> Usage

Line: 515

Note the mandatory requirement for the <Issuer> element.

The following content from the <AuthnRequest> message from [SAMLCore] section 3.4.1, SHOULD be specified for NZ SAMS compliance:

  • NameIDPolicy – in addition it is RECOMMENDED that AllowCreate is always provided and set to ‘XML True’
  • AssertionConsumerServiceIndex (rather than the alternative)
  • AssertionConsumerServiceURL and ProtocolBinding pair).

The following elements and attributes MAY be specified for NZ SAMS compliance dependent on specific use cases:

  • <Scoping> (in use cases implementing IdP Proxy)
  • <RequestedAuthnContext>
  • isPassive
  • ForceAuthn

Deployment alignment:
<RequestedAuthnContext> is used for conveying the required method of authentication to an authentication provider i.e. GLS. The default for the authentication context is 'basic'. Further details on NZ government authentication contexts can be obtained in [GLSMS].

End of line 470

The following attributes and elements MAY be specified for NZ SAMS compliance:

  • AssertionConsumerServiceURL - If AssertionConsumerServiceURL is specified, it MUST be validated to match AssertionConsumerServiceURL indicated in the SP metadata. This additional processing tends to mean that it is better to use AssertionConsumerServiceIndex instead, see below subsection 4.1.3.5, line 495.
  • ProtocolBinding.
  • <ProviderName> - Note that the usage of the <Organisation> element as an alternative to <ProviderName> for supporting branding is under submission to OASIS SSTC, as of March 2008.

The following elements and attributes MUST NOT be specified for NZ SAMS compliance since no use cases have been proposed to include them:

  • <Subject>
  • <Conditions>

Deployment alignment:
ForceAuthn can be utilised when the service agency requires knowledge of a successful authentication within a reasonable time period. See deployment advice located in the entry related to 4.1.3.4 above.

<ProviderName> can be used to communicate branding information in selected cases across igovt. An example of potential usage for <ProviderName> is when the IVS is communicating with the GLS on behalf of the service agency and the service agency identifier is needed to identify and control desired behaviour, i.e. the service agency brand needs to be displayed on IVS and GLS generated pages.

ProtocolBinding is a mechanism of communication between the SP and IdP (i.e. POST or Artifact). It is required when a SAML implementation uses AttributeConsumerServiceURL instead of the RECOMMENDED AttributeConsumerServiceIndex in the metadata. This attribute in the <AuthnRequest> allows service providers to determine the binding i.e. POST may be used for low risk services (or in circumstances where replay attacks are prevented) and Artifact for high risk services.

End of line 500

Line: 525

<Subject> MUST NOT be specified in an <AuthnRequest> for NZ SAMS compliance.

Subsection 4.1.4.2 <Response> Usage

Line: 541

<Issuer> MUST be specified for NZ SAMS compliance.

Line: 557

The Address attribute MAY be specified for NZ SAMS compliance.

The NotOnOrAfter attribute MUST be specified for NZ SAMS compliance.

Deployment alignment:
NotOnOrAfter refers to an acceptable time limit for using the assertion to authenticate the service user. The NotOnOrAfter attribute of the <SubjectConfirmationData> element has to be constrained to the lifetime of the assertion (which itself is constrained by the NotOnOrAfter attribute of the <Assertion> element). The NotOnOrAfter attributes only deal with when the SP can initially create the session for the service user.

NOTE – This is NOT related to the SessionNotOnOrAfter attribute in an <AuthnStatement> discussed in [SAMLProf], and below in the entry related to line 589, and elsewhere and which MUST NOT be specified.

SessionNotOnOrAfter is used to establish a limit on the duration of a service user's session at the SP – that if the SP uses the assertion to create a session for the service user, then it must end the session at the indicated time.

Line: 561 – 565

The <AttributeStatement> elements and attributes SHOULD be used in the assertion of the response for NZ SAMS compliance.

Deployment alignment:
It is anticipated in most cases that attributes will get returned in the <Response> (which contains the <AttributeStatement>). It is still possible to obtain further attribute information using an <AttributeQuery>. But the <AttributeQuery> MUST NOT be used when user consent is required. The proposed IVS will utilise the <AttributeStatement>. This requirement is driven by the 'Assert Identity' use case (see Appendix A for further details) which mandates user consent of attribute release.

End of line 533

Subsection 4.1.4.3 <Response> Message Processing Rules

Line: 581 – 582

Deployment alignment:
The processing rules here say that for solicited responses, the InResponseTo value MUST match the ID of the corresponding <AuthnRequest> message. This is a security check important to SAML since it deals with compromise of the SSO exchange between systems and MUST not be ignored for NZ SAMS compliance.

Ignore reference to unsolicited responses in this release of NZ SAMS. To date, no use case has indicated a need for an unsolicited response.

Line: 586

While invalid assertions 'SHOULD' be discarded as per the Specification, recording of the event SHOULD take place for audit and reporting purposes for NZ SAMS compliance.

Line: 589

The SessionNotOnOrAfter attribute MUST NOT be specified for NZ SAMS compliance.

SessionNotOnOrAfter is used to establish a limit on the duration of a service user's session at the SP – that if the SP uses the assertion to create a session for the service user, then it must end the session at the indicated time). See the entry above related to line 557.

Deployment alignment:
Many products use SAML v2.0 Web SSO to establish a local security session that is controlled by another product, e.g. Web Access Management vendor products. While many of these products have local session time-out features, they typically do not have a means to say that the session must end at a specific time independent of time-outs.

Subsection 4.1.4.4 Artifact-Specific <Response> Message Processing Rules

Line: 593 – 594

See NZ SAMS, Table 6 for further information on conditions requiring encryption and/or digital signatures.

End of line 555

Subsection 4.1.4.5 POST-specific Processing Rules

Line: 602 – 604

The NotOnOrAfter attribute MUST be respected. Time length for the validity of the ID values is subject to agency data exchange agreements and/or the [GLSMS]. The requirement is to retain integrity in the authentication systems operated by New Zealand government agencies.

Subsection 4.1.5 Unsolicited Responses

Line: 614 – 616

This MUST be the URL of a resource at the service provider. The service provider MUST be prepared to handle unsolicited responses by designating a default location to send the user agent subsequent to processing a response successfully.

Deployment alignment:
Unsolicited responses MAY be required when an identity provider is acting as an asserting portal, i.e. a user agent accesses the GLS to logon and utilises a link to gain access to a configured service provider. The user agent will be transported to the service provider.

Subsection 4.1.6 Use of Metadata

Line: 617 – 650

Metadata is REQUIRED for NZ SAMS compliance. See Table 7, NZ SAMS constraints on OASIS SAML v2.0 metadata, (entries related to subsections 2.4.2 - 4).

Line: 568 – 572

Deployment alignment:
Other conditions (and other <Audience> elements) MAY be used by an IdP for NZ SAMS compliance and if present, they MUST be processed in accordance with the SAML v2.0 Specifications. However, since the <Conditions> element is not permitted by NZ SAMS, it is unlikely that other <Audience> elements will be supplied to the IdP. See subsection 4.1.4.1.

Section 4.4: Single Logout Profile

[ Back to top of Section 4 ]

Subsection 4.4.3.1 <LogoutRequest> issued by Session Participant to Identity Provider

Line: 1211 – 13

Deployment alignment:
While asynchronous bindings SHOULD be specified (to support the use cases and the SAML v2.0 Specifications' preference to use an asynchronous binding of some type as opposed to a synchronous binding for logout), implementers still might need the synchronous binding to do an administrator-initiated logout of a service user session, for example. (i.e. the service user browser session may be active at a different site at the time of the logout request).

Line: 1222

'RECOMMENDED' in this sentence becomes REQUIRED for message integrity and security.

Line: 1227

See line 445 above regarding the <RelayState> element.

Subsection 4.4.3.4 Session Participant/Authority Issues <LogoutResponse> to Identity Provider

Line: 1270, 1289

'MAY' in this subsection is subject to data exchange agreements concluded between exchanging parties.

End of line 579

Line: 1275

'RECOMMENDED' in this sentence becomes REQUIRED for NZ SAMS compliance to achieve message integrity and security.

Subsection 4.4.4 Use of the Single Logout Protocol

Line: 1303

Deployment alignment:
The MAY in this subsection indicates that the service user might have requested a global logout as opposed to logging out a single session.

Section 5: Artifact Resolution Profile

[ Back to top of table 8 ]

What is excluded or altered from the SAML v2.0 Profile Specification:

Subsection 5.3.1 <ArtifactResolve> issued by Requesting Entity

Line: 1468

[SAMLMeta] MUST be specified for NZ SAMS compliance to locate the artifact issuer.

Line: 1471

'SHOULD' in this sentence becomes MUST for audit and reporting purposes for NZ SAMS compliance.

Subsection 5.4.1 <ArtifactResolve> Usage

Line: 1491 – 3

Deployment alignment:
See section 6.3.4 of NZ SAMS, 'Encryption and Digital Signature Considerations', for guidance on when signing of messages going over the SOAP channel is necessary.

Subsection 5.4.2 <ArtifactResponse> Usage

Line: 1498 – 9

Deployment alignment:
See section 6.3.4 of NZ SAMS, 'Encryption and Digital Signature Considerations', for guidance on when signing of messages going over the SOAP channel is necessary.

End of line 593

Section 6: Assertion Query/Request Profile

[ Back to top of table 8 ]

What is excluded or altered from the SAML v2.0 Profile Specification:

Subsection 6.2 Profile Overview

Line: 1522 – 24

An <AttributeQuery> MAY be used where the service user needs to authenticate to two entities (one in the role of an IdP and one in the role of an attribute authority), and the SP in one single session.

<AssertionIDRequest>, <SubjectQuery>, <AuthnQuery> and <AuthzDecisionQuery> are out of scope for this version of NZ SAMS.

Authorisation is out of scope for the first release of NZ SAMS.

Deployment alignment:
When using an attribute authority with the Name Identifier Mapping profile the following guidance should be considered. See 'Figure 5 – SP initiated with Name Identifier Mapping profile', for reference.

(a) The attribute authority is not discovered by the originating service provider and needs to be manually configured.

(b) The pattern of using a <NameIDRequest> followed by <AttributeQuery> is SAML legal, but is not explicitly part of any specification. Thus it is not an official profile. So it is likely that product support is only available at the API level and some additional customisation or programming is required.

(c) The <AttributeQuery> approach does not allow the attribute authority to interactively query for user consent.

(d) Consideration will need to be given for how the <AttributeQuery> is authorised, i.e. by an entity-to-entity authentication/authorisation scheme like client TLS or HTTP-Basic. The originating service provider (SP2) is in possession of the <EncryptedNameID> from the IdP destined for the attribute authority. This leads to the assumption that the originating service provider must have legitimately obtained the <EncryptedNameID>. Do note that this assumption is quite weak and there is no proof of how the <AttributeQuery> can be utilised by the originating service provider, i.e. how many times can the <AttributeQuery> be used and at what times? As <EncryptedNameID> never expires, there is a danger of theft of the <EncryptedNameID> that has been used to communicate via another authorised service provider. Hence there is a risk of gaining access to information that was only intended for the originating service provider.

End of line 624

Subsection 6.3.1 Query/Request issued by SAML Requester

Line: 1536

For NZ SAMS compliance, [SAMLMeta] MUST be used to locate the authority’s service endpoint for the query/request.

Line: 1539 – 40, 1548

Deployment alignment:
For NZ SAMS compliance 'SHOULD' in this sentence becomes MUST in that the requester MUST authenticate itself to the identity provider. To achieve this either messages MAY be signed or other processes are used for audit and reporting purposes. See NZ SAMS sections 5.6, 'Overarching business and design rules for NZ SAMS' and 6.3.4, 'Encryption and digital signature considerations'.

Subsection 6.4.1 Query/Request Usage

Subsection 6.4.2 <Response> Usage

Line: 1554 – 5, 1561 – 2

Deployment alignment:
For NZ SAMS compliance 'SHOULD' in this sentence becomes MUST in that the requester MUST authenticate itself to the identity provider. To achieve this either messages MAY be signed or other processes are used for audit and reporting purposes. See NZ SAMS sections 5.6 'Overarching business and design rules for NZ SAMS' and 6.3.4 'Encryption and digital signature considerations'.

Subsection 6.5 Use of Metadata

Line: 1567 – 74

Deployment alignment:
Metadata MUST be used and confirmed between the exchanging parties prior to implementation.

Section 7: Name Identifier Mapping Profile

[ Back to top of table 8 ]

What is excluded or altered from the SAML v2.0 Profile Specification:

Line: 1575 – 79

NZ SAMS specifies the use of only the <AttributeQuery> message since that is the only feature required by the use case 'SP initiated with Name Identifier Mapping profile', where one SP acts as an attribute authority for another SP based on a previously successful authentication with a service user.

Subsection 7.3.1 <NameIDMappingRequest> issued by Requesting Entity

Line: 1605

[SAMLMeta] MUST be used to comply with NZ SAMS. See NZ SAMS, Table 7.

Subsection 7.4.2 <NameIDMappingResponse> Usage

Line: 1633

Deployment alignment:
Encryption MUST be used to comply with NZ SAMS, to protect the privacy of the principal. Note that because the name identifier must be encrypted, the <NameIDPolicy> element in the <NameIDMappingRequest> MUST indicate a <NameID> format of urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted. SAML cannot indicate both that the identifier must be encrypted AND that once decrypted, the <NameID> has a particular format (e.g. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). Thus, the request should indicate that an encrypted identifier is desired and the decrypted identifier format must be agreed to out of band. In NZ SAMS, the decrypted identifier is a federated identifier and thus the agreement is to use urn:oasis:names:tc:SAML:2.0:nameid-format:persistent for the decrypted identifiers. Refer to additional information on this issue in the SAML v2.0 Errata document.

End of line 656

Line: 1636 – 42

Ignore this subsection.

Deployment alignment:
The NZ SAMS uses the approach of obtaining the encrypted identifier as a simple <NameID> because it is much simpler to implement. The approach of applying additional limits as shown in this subsection requires that the encrypted identifier must actually be a full SAML assertion with a <Subject>, but no statements. There are no known vendor products supporting this.

This html page contains lines 355-662 from the PDF version of NZ SAMS v1.0


[ Previous | Contents | Next ]