
Part 2 - Constraints on OASIS SAML v2.0 for New Zealand Government Deployments as NZ SAMS


Overview of Part 2

Part 2 contains complex technical material suitable for enterprise architects, security analysts and developers.

Readers of Part 2 should be aware that NZ SAMS is a constrained deployment profile of the SAML v2.0 standard first published by OASIS in March 2005. There is no intention, nor requirement, to rewrite or redevelop OASIS SAML v2.0. OASIS SAML v2.0 remains the 'source' for all deployers of SAML in the New Zealand Government. To support this, NZ SAMS simply constrains deployments to a single implementation approach from the various options offered by OASIS SAML v2.0. This constraint is in the interests of all-of-government interoperability within New Zealand.

The OASIS SAML v2.0 Specifications are published at www.oasis.org.

The following Specifications are prescribed by NZ SAMS in this release:

  • [SAMLConf] Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) v2.0, OASIS Standard, 15.3.2005, saml-conformance-2.0-os
  • [SAMLMeta] Cantor, Moreh, Philpott, Maler, eds., 'Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0', OASIS Standard, 15.3.2005, saml-metadata-2.0-os
  • [SAMLProf] Profiles for the OASIS Security Assertion Markup Language (SAML) v2.0, OASIS Standard, 15.3.2005, saml-profiles-2.0-os
  • [SAMLBind] Bindings for the OASIS Security Assertion Markup Language (SAML) v2.0, OASIS Standard, 15.3.2005, saml-bindings-2.0-os
  • [SAMLCore] Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) v2.0, OASIS Standard, 15.3.2005, saml-core-2.0-os
  • [SAMLContext] Authentication Context for the OASIS Security Assertion Markup Language (SAML) v2.0, OASIS Standard, 15.3.2005, saml-authn-context-2.0-os.

The foregoing are supported by:

  • [SAMLSecurity] Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) v2.0, OASIS Standard, 15.3.2005, saml-sec-consider-2.0-os
  • [SAMLGlossary] Glossary for the OASIS Security Assertion Markup Language (SAML) v2.0, OASIS Standard, 15.3.2005, saml-glossary-2.0-os
  • [SAMLErrata] SAML v2.0 Errata, Approved Errata, 14.8.2007, sstc-saml-approved-errata-2.0.

The order of the specifications prescribed in sections 8 to 12 of NZ SAMS is worth noting. The constraints on the Conformance and Metadata Specifications create the interoperability foundation for all New Zealand government implementations. The selected constraints from the SAML profiles, bindings, assertions and protocols reflect the usage patterns described in the agency use cases presented to the Working Group preparing NZ SAMS.

Deployers are strongly advised to familiarise themselves with the OASIS SAML v2.0 Specifications on the OASIS website linked above, including the Auxiliary and Outreach Information, before continuing to read this Standard.

A particular auxiliary document worth noting is the Errata document [SAMLErrata]. It contains important corrections and clarifying text to the published SAML v2.0 Specifications. While the errata document is not yet a normative part of the formal SAML v2.0 OASIS Standard, the information in it provides insight into what the Security Services (SAML) Technical Committee 'meant' in certain areas of the Standard.

NZ SAMS prescribes its constraints line by line against the original OASIS SAML v2.0 Specification. Readers are advised to have both the OASIS SAML v2.0 Specification and NZ SAMS open and accessible, and to work through the documents line by line, noting where NZ SAMS constrains the deployment from the options provided by OASIS SAML v2.0.

Updates to this Standard and technical assistance such as sample conforming schemas may be placed on www.e.govt.nz from time to time.

Included in Part 2:

8. NZ SAMS Constraints on OASIS SAML v2.0 Conformance Requirements

9. NZ SAMS Constraints on OASIS SAML v2.0 Metadata

10. NZ SAMS Constraints on OASIS SAML v2.0 Web Browser SSO Profile

11. NZ SAMS Constraints on OASIS SAML v2.0 Bindings

12. NZ SAMS Constraints on OASIS SAML v2.0 Core (Assertions and Protocols)

13. NZ SAMS Constraints on OASIS SAML v2.0 Authentication Context

