2. Scope

NZ SAMS prescribes messaging standards and rules, derived from the OASIS SAML v2.0 Standard, for a particular deployment scenario: communicating a range of security assertions (authentication, identity attributes and authorisation) in New Zealand government online implementations.

2.1 Legislative Obligations Remain

Agencies are reminded that adopting NZ SAMS does not relieve them of their obligations under the Privacy Act 1993 and other privacy legislation, or of their responsibility for continuity planning and for managing the risks associated with liability and trusted relationships. All information collected and stored by a NZ government agency is deemed to be official information, and must be protected by strict adherence to promulgated policy statements such as Security in the Government Sector [SIGS] and the Protective Security Manual [PSM].

Agencies must undertake an assessment of the risks associated with delivering their services through an interactive online channel. Agencies should follow the Australian and New Zealand Standard [S4360Risk] on risk management for their authentication systems; further advice on applying [S4360Risk] is set out in [HB436Risk] and [HB231Risk]. Agencies also need to ensure there is adequate business continuity planning for their online services.

Many authentication risks can be addressed by ensuring that the authentication system itself is properly protected. The NZ e-GIF authentication standards do not give general advice on securing authentication systems; agencies should comply with [SIGS], [NZSIT402], [S17799Code] and [S27001Reqs].

2.2 In Scope

This Standard applies only to information conveyed in an assertion or similar security message enabling the acts of authentication, authorisation or identity verification in the exchange of 'policy and privacy' information; that is, information classified as either UNCLASSIFIED, IN-CONFIDENCE, or SENSITIVE as per the Government's security policy statements.

The scope of this Standard is:

  • any New Zealand government shared or joined-up browser-based service delivered online, including but not limited to the all-of-government authentication services – the GLS and the proposed IVS.

It applies to

  • the format and content of messages conveyed in the acts of authentication, authorisation, identity verification and identity federation (it does not extend to the classification of the information subsequently conveyed in a message enabled by those acts)

where

  • the entities to be authenticated, authorised or identity verified are personal entities. (While not precluding its use in a non-personal context, such as a 'machine' entity or corporate body, the scope of the Standard does not encompass such usage patterns.)

2.3 Out of Scope

The following are outside the scope of this Standard:

  • service user identity attributes (refer to the Data Formats for Identity Records Standard)
  • service user authorisation
  • Public Key Infrastructure (PKI) implementation
  • Web Services implementation (proposed for a future Secure Web Services Standard)
  • application to authentication acts involving non-personal entities.

Operating rules and the provision of detailed implementation guidance are not within the scope of this Standard. Outline deployment alignment is provided in selected sections and will be merged into a companion Implementation Guide based on a proposed SAML v2.0 Implementation Guide and early implementation experience.

2.4 Rationale for Scope

In this first release this Standard profiles the New Zealand government agency deployment of OASIS SAML v2.0. It is:

  • restricted to proof of service-user authentication securely conveyed from an authenticating agency to a service agency, thereby providing an all-of-government approach to online authentication – with authentication key/identity provider (IdP) websites providing a logon service for participating service agency/provider (SP) websites
  • based on usage patterns derived from proposed implementations within the New Zealand government
  • applicable to web browsers only and excludes access by other HTTP-enabled user devices
  • focused on authentication assertions prioritised over those of identity and authorisation.