New Zealand Security Assertion Messaging Standard

7. Summary of Compliance Requirements from Part I


Table 5 summarises the compliance requirements from Part I of this Standard in the order that they appear. See the applicable subsection to read the context and detail surrounding these compliance requirements.

Table 5 – Summary of Part I compliance requirements

Subsection | Compliance Requirement | Summary comment
-----------|------------------------|----------------
4.4        | MUST     | Agencies that deviate from a 'SHOULD' in their practices document a set of prescribed statements.
4.5.2      | MUST     | Vendor and bespoke products conform with OASIS SAML v2.0.
4.5.2      | MUST     | Vendor and bespoke applications conform with the GLS Messaging Test Site (where applicable).
4.5.2      | SHOULD   | Extended functionality in vendor applications carries a certification stamp from the Liberty Alliance Project.
5.2        | SHOULD   | Future designs of online authentication follow the generic usage pattern outlined in 5.2.
6.2.4      | MUST     | Use the Artifact Resolution Profile where messages are exchanged via a 'back-channel', except when the Name Identifier Mapping Profile is used.
6.3.2      | MAY      | Use the HTTP Redirect binding to convey the SAML v2.0 message containing the artifact for subsequent dereference.
6.3.2      | MUST     | Vendor applications support all of the HTTP Redirect, POST and Artifact bindings for the appropriate messages, as outlined in [SAMLConf].
6.3.4      | MUST     | Use appropriately secured SSL/TLS for all browser-to-server message exchanges.
6.3.4      | MAY      | Optionally encrypt the following SAML v2.0 elements: <EncryptedID>, <EncryptedAttribute>, <EncryptedAssertion>.
6.4.1      | MAY      | Optionally encrypt the following SAML v2.0 elements: <EncryptedID>, <EncryptedAttribute>.
6.4.1      | MUST     | Use appropriately secured SSL/TLS for browser-to-server message exchanges.
6.4.1      | MUST     | Digitally sign <Assertion> elements.
6.4.1      | MAY      | As above, without encrypting <Assertion> elements if agreed by the exchanging parties.
6.4.1      | MUST     | As above, but encryption of the assertion as an <EncryptedAssertion> is mandatory.
6.4.1      | MAY      | Use SSO Binding Set 1 for all Service Risk Categories.
6.4.1      | MUST     | Protect messages with <OneTimeUse> when using the POST profile.
6.4.2      | MAY      | Optionally encrypt the <NameID> in the <AuthnRequest>.
6.4.2      | MUST     | Verify the <ArtifactResolve> by an XML Signature or an alternative such as the GSN.
6.4.2      | MUST     | Digitally sign <Assertion> elements.
6.4.2      | MAY      | Use SSO Binding Set 2 for all Service Risk Categories.
6.4.3      | MUST     | Successfully parse and validate messages against the SAML v2.0 schema.
6.4.3      | SHOULD   | Return a response to any SAML message received.
6.4.3      | MUST     | Encrypt messages that require encryption with the recipient's public key, so that only the intended recipient can decrypt them.
6.4.3      | MUST NOT | Process a SAML message if the current time does not satisfy its conditions.
6.4.3      | MUST     | Protect messages with <OneTimeUse> when using the POST profile.
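As an added illustration of the 6.4.1 and 6.4.3 rows on time conditions and <OneTimeUse> (example code, not part of this Standard or of any vendor product), the following checks a SAML v2.0 <Assertion> against its <Conditions> before it is processed. The sample assertion, the 60-second clock-skew allowance and the in-memory replay cache are assumptions for illustration; signature verification and schema validation, which the Standard also requires, are outside the scope of this example.

```python
# Added example (not from the Standard): enforce Conditions/@NotBefore,
# Conditions/@NotOnOrAfter and <OneTimeUse> on a SAML v2.0 <Assertion>.
# The clock-skew tolerance and replay cache are assumptions for illustration.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not a real message; unsigned for brevity).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.govt.nz</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.govt.nz</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML carries xsd:dateTime values in UTC with a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


class AssertionValidator:
    """Rejects assertions outside their validity window or replayed under OneTimeUse."""

    def __init__(self, clock_skew=timedelta(seconds=60)):
        self.clock_skew = clock_skew   # assumed tolerance for IdP/SP clock drift
        self.seen_ids = {}             # assertion ID -> time after which it cannot be accepted

    def _purge(self, now):
        """Drop cache entries for assertions that would now be rejected as expired anyway."""
        for aid, limit in list(self.seen_ids.items()):
            if now >= limit:
                del self.seen_ids[aid]

    def check_conditions(self, assertion_xml, now=None):
        """Return (accepted, reason). Must be called before any other processing."""
        now = now or datetime.now(timezone.utc)
        self._purge(now)
        root = ET.fromstring(assertion_xml)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return False, "not an Assertion"
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            return False, "missing Conditions"
        nb = cond.get("NotBefore")
        noa = cond.get("NotOnOrAfter")
        # MUST NOT process the message when the current time does not meet the conditions.
        if nb is not None and now + self.clock_skew < parse_saml_time(nb):
            return False, "not yet valid"
        if noa is not None and now - self.clock_skew >= parse_saml_time(noa):
            return False, "expired"
        # <OneTimeUse>: any second presentation of the same assertion ID is a replay.
        if cond.find("saml:OneTimeUse", NS) is not None:
            aid = root.get("ID")
            if not aid:
                return False, "OneTimeUse assertion without ID"
            if aid in self.seen_ids:
                return False, "replayed"
            # Retain the ID until the assertion could no longer be accepted;
            # one hour is an assumed fallback when NotOnOrAfter is absent.
            limit = parse_saml_time(noa) if noa else now + timedelta(hours=1)
            self.seen_ids[aid] = limit + self.clock_skew
        return True, "ok"


def demo():
    """Walk one validator through accept, replay, early and late presentations."""
    v = AssertionValidator()
    t = parse_saml_time
    return [
        v.check_conditions(SAMPLE_ASSERTION, now=t("2024-05-01T12:01:00Z"))[1],
        v.check_conditions(SAMPLE_ASSERTION, now=t("2024-05-01T12:01:30Z"))[1],
        v.check_conditions(SAMPLE_ASSERTION, now=t("2024-05-01T11:58:00Z"))[1],
        v.check_conditions(SAMPLE_ASSERTION, now=t("2024-05-01T12:07:00Z"))[1],
    ]


if __name__ == "__main__":
    print(demo())
```

The replay cache is keyed on the assertion ID and pruned once NotOnOrAfter plus the skew allowance has passed, since an assertion that old is rejected by the time check regardless. In a clustered Service Provider the cache would need to be shared across nodes for the <OneTimeUse> protection to hold.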
