
2. Scope

NZ SAMS prescribes messaging standards derived from the OASIS SAML v2.0 Standard for communicating a range of security assertions (authentication, identity attributes and authorisation) in New Zealand government online implementations.

2.1 Legislative obligations remain

Agencies are reminded that adopting NZ SAMS does not relieve them of obligations under the Privacy Act 1993 and other privacy legislation, continuity planning, and management of the risks associated with liability and trusted relationships.

All information collected and stored by a NZ government agency is deemed to be official information, and must be protected by strict adherence to promulgated policy statements such as Security in the Government Sector (SIGS) and the Protective Security Manual (PSM). Agencies must undertake a risk assessment for those risks associated with the delivery of their services through an interactive online channel. Agencies should follow the Australian and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication systems. Further advice on the application of AS/NZS 4360:2004 is set out in SAA/SNZ HB 436:2004 and SAA/SNZ 231:2004. Agencies also need to ensure there is adequate business continuity planning for their online services.

Many authentication risks may be addressed by ensuring that the authentication system is properly protected. The NZ e-GIF authentication standards do not give general advice for securing authentication systems. Agencies should comply with SIGS, NZSIT 400, AS/NZ ISO/IEC 17799:2006 and AS/NZ ISO/IEC 27001:2006.

2.2 Work items in scope

This Standard only applies to information conveyed in an assertion or similar security message enabling the act of authentication, authorisation and identity verification in the exchange of 'policy and privacy' information; that is, information classified as either UNCLASSIFIED, IN-CONFIDENCE, or SENSITIVE as per the Government's security policy statements.

For clarity, the scope of this Standard applies to:

  • any New Zealand government shared or joined-up service delivered online, including but not limited to the all-of-government authentication services - the GLS and the proposed IVS
  • authentication of personal entities (while not precluding its use in a non-personal context, such as a "machine" entity or corporate body, the scope of the Standard does not encompass such usage patterns)
  • the format and content of messages conveyed in the act of authentication, authorisation and identity federation and does not extend to the classification of the information subsequently conveyed in a message enabled by those acts.

2.3 Priority of work items in scope

The initial release of this Standard will prescribe the OASIS SAML v2.0 security assertions related to authentication in New Zealand government online implementations. Authentication has been addressed first due to the design and subsequent development of the GLS - one of the all-of-government authentication services - as well as other sector-based authentication provider services.

Future releases of this Standard are planned, to prescribe the secure conveyance of:

  • service user identity attributes
  • service user authorisation.

2.4 Rationale for in-scope work items

In this first release this Standard profiles the New Zealand government agency deployment of OASIS SAML v2.0. It is:

  • restricted to proof-of-service user authentication securely conveyed from an authenticating agency to a service agency, thereby providing an all-of-government approach to online authentication - with Authentication Key/Identity Provider (IdP) websites providing a logon service for participating Service Agency/Provider (SP) websites
  • based on usage patterns derived from proposed implementations within the New Zealand government
  • applicable to web browsers only and excludes access by other HTTP-enabled user devices
  • focused on authentication assertions prioritised over those of identity and authorisation (since the latter do not yet have detailed use case support).

2.5 Work items out of scope

The following are outside the scope of this Standard for this first release:

  • Public Key Infrastructure (PKI) implementation
  • Web Services implementation
  • Detailed implementation guidance (although outline deployment guidance is provided in selected sections and will be merged into a companion Implementation Guide based on a proposed SAML v2.0 Implementation Guide and early implementation experience).
