Table of Contents
This document contains the following sections:
Part 1 - Overview of NZ SAMS
Overview of Part 1
1 Introduction
2 Scope
4.1 Audience
4.2 NZ e-GIF status
4.3 Accessing advice on this Standard
4.4 Interpretation
4.5 Conformance and compliance with this Standard
5. Guiding Principles for NZ SAMS
5.1 Introduction to identity federation
5.2 NZ government use cases and usage patterns
5.3 Significant issues in federated identity management
5.4 The OASIS SAML v2.0 solution
5.5 Entities, parties and authorities in OASIS SAML v2.0
5.6 Overarching business and design rules for NZ SAMS
6. Authentication: OASIS SAML v2.0 Profiles and Bindings for New Zealand Government Deployments.
6.1 Authentication: Profiles and Bindings introduction
6.2 Authentication: NZ government generic usage patterns mapped to SAML v2.0 Profiles
6.2.1 SP initiated Web Browser SSO profile
6.2.2 IdP Proxy (IdP Extended)
6.2.3 SP initiated with Name Identifier Mapping profile
6.2.4 Authentication: OASIS SAML v2.0 profile selection
6.3 Authentication: OASIS SAML v2.0 SSO Bindings
6.3.1 OASIS SAML v2.0 SSO bindings – introduction
6.3.2 OASIS SAML v2.0 SSO bindings – recommendations
6.3.3 OASIS SAML v2.0 SSO bindings – selection criteria
6.3.4 Encryption and digital signature considerations
6.4 Deploying selected SAML v2.0 SSO bindings - Compliance Overview
Part 2 - Constraints on OASIS SAML v2.0 for New Zealand Government Deployments as NZ SAMS
Overview of Part 2
8. NZ SAMS Constraints on OASIS SAML v2.0 Conformance Requirements
9. NZ SAMS Constraints on OASIS SAML v2.0 Metadata
10. NZ SAMS Constraints on OASIS SAML v2.0 Web Browser SSO Profile
11. NZ SAMS Constraints on OASIS SAML v2.0 Bindings
12. NZ SAMS Constraints on OASIS SAML v2.0 Core (Assertions and Protocols)
13. NZ SAMS Constraints on OASIS SAML v2.0 Authentication Context
Working group representation
Acknowledgement
Copyright
Referenced documents
Latest revisions
Review of standards
Appendices
Appendix A - Agency Use Cases and Usage Patterns
A1 - Education sector ESAA project: GLS key – Redirect->Artifact binding
A2 - Generic example of a user obtaining an assertion of identity
A3 - MAF SSO scenario 2 – shared transactions
A4 - All-of-government authentication: user authentication at the GLS
Appendix B - OASIS SAML v2.0 Profiles and Bindings Selection
B1 - Selection criteria principles
B2 - SAML v2.0 specifications and profiles for constraint into NZ SAMS for Release 1.0 – authentication assertion messages
B3 - SAML v2.0 specifications and profiles for constraint into NZ SAMS for subsequent releases
Appendix C - Cookies: Summary Guidance for Implementers
Appendix D: Encapsulation of Application Layer Attributes in SAML SSO Exchange
Appendix E: Issues for the Future
Tables
Table 1 – Authentication standards and documents
Table 2 – Conformance and compliance requirements
Table 3 – Message flows for SSO binding set one
Table 4 – Message flows for SSO binding set two
Table 5 – Summary of Part 1 compliance requirements
Table 6 – NZ SAMS constraints on OASIS SAML v2.0 conformance requirements
Table 7 – NZ SAMS constraints on OASIS SAML v2.0 metadata
Table 8 – NZ SAMS constraints on the OASIS SAML v2.0 Web Browser SSO Profile
Table 9 – NZ SAMS constraints on the OASIS SAML v2.0 bindings
Table 10 – NZ SAMS constraints on the OASIS SAML v2.0 core (Assertions and Protocols)
Table 11 – NZ SAMS constraints on OASIS SAML v2.0 authentication context
Table B1 – SAML v2.0 specifications and profiles for constraint into NZ SAMS for Release 1.0 – authentication
Table B2 - SAML v2.0 specifications and profiles for constraint into NZ SAMS for subsequent releases
Figures
Figure 1 – Outline of interactions with all-of-government authentication services
Figure 2 – Generic NZ government usage pattern
Figure 3 – SP initiated Web SSO profile
Figure 4 – IdP Proxy (IdP Extended)
Figure 5 – SP initiated with Name Identifier Mapping profile
Figure 6 – SSO binding set 1 – HTTP Redirect and HTTP Post
Figure 7 – SAML v2.0 SSO binding set 2 – HTTP Redirect and HTTP Artifact with the Artifact Resolution profile
Figure A1 – ESAA use case
Figure A2 – Interaction Model for ESAA usage of SAML v2.0
Figure A3 – Assert Identity (Functional Model)
Figure A4 – Generic example of a user obtaining an assertion of identity (Interaction Model)
Figure A5 – MAF SSO scenario 2 – shared transactions (Functional Model)
Figure A6 – Overview of messaging (Functional Model)
Figure A7 – Interaction Model for GLS SAML v1.1 implementation

