
1. Executive Summary

This Security Assertion Messaging Framework has been written for Chief Information Officers and other senior IT Managers in the New Zealand State Services with responsibility for developing secure online services.

In order to deliver shared services as outlined in the Networked State Services Development Goal, agencies need to agree a common approach for all-of-government and, where applicable and permissible, sector-wide identity management (identity federation).

There is only a small range of technologies that enable identity federation. The identity management industry is converging on OASIS SAML v2.0 as the universal security assertion messaging standard.

SAML v2.0, like many international interoperability standards, has a high degree of flexibility to ensure a wide appeal and uptake. However, this also creates implementation issues. The optional elements and constraints in SAML v2.0 must be agreed by agencies before they can use it to interoperate. The New Zealand Security Assertion Messaging Standard (NZ SAMS) is the New Zealand Government's approach to ensuring the interoperability of shared services that utilise SAML v2.0. NZ SAMS prescribes and constrains SAML v2.0 to an agreed deployment profile for New Zealand government agencies.
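As an added illustration of what "prescribing and constraining SAML v2.0 to a deployment profile" means in practice (this is example code, not part of the Framework and not the actual NZ SAMS rules): a relying party can mechanically check an incoming assertion against the profile's mandatory elements before it trusts the assertion at all. The five constraints below (assertion must be signed, must name an Issuer, must carry a Subject NameID, must have NotBefore/NotOnOrAfter validity bounds, and must restrict its Audience to this service) are assumptions chosen for the example; the sample assertions, the `check_profile` function and the example.govt.nz hostnames are constructed here. The code only checks that a signature element is present; cryptographic verification of that signature is a separate step that a real deployment must also perform.

```python
"""Illustrative deployment-profile check for a SAML v2.0 assertion.

Added example: the constraints enforced here are assumptions chosen to show
how a profile pins down optional SAML elements; they are not NZ SAMS rules.
"""
import xml.etree.ElementTree as ET

# Real SAML v2.0 and XML Signature namespaces.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_profile(assertion_xml: str, expected_audience: str) -> list[str]:
    """Return the list of profile violations; an empty list means the
    assertion satisfies every (assumed) mandatory constraint."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return ["root element is not saml:Assertion"]

    violations: list[str] = []
    if root.get("Version") != "2.0":
        violations.append("Version must be 2.0")

    # The profile makes Issuer mandatory and non-empty.
    if not root.findtext("saml:Issuer", default="", namespaces=NS).strip():
        violations.append("Issuer is required")

    # Presence only: verifying the signature is a separate, required step.
    if root.find("ds:Signature", NS) is None:
        violations.append("assertion must carry an enveloped XML signature")

    if root.find("saml:Subject/saml:NameID", NS) is None:
        violations.append("Subject/NameID is required")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        violations.append("Conditions is required")
    else:
        # Both validity bounds are optional in SAML; the profile requires them.
        for attr in ("NotBefore", "NotOnOrAfter"):
            if cond.get(attr) is None:
                violations.append(f"Conditions/@{attr} is required")
        audiences = [
            (a.text or "").strip()
            for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
        ]
        if expected_audience not in audiences:
            violations.append(f"AudienceRestriction must name {expected_audience}")
    return violations


# Constructed sample: conforms to the assumed profile.
CONFORMING = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.govt.nz</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user-123</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.govt.nz</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample: schema-valid SAML, but unsigned, open-ended and
# addressed to a different service, so the profile rejects it.
NONCONFORMING = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.govt.nz</saml:Issuer>
  <saml:Subject><saml:NameID>user-123</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://other.example.govt.nz</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SERVICE = "https://sp.example.govt.nz"

if __name__ == "__main__":
    print("conforming:", check_profile(CONFORMING, SERVICE) or "OK")
    print("non-conforming:", check_profile(NONCONFORMING, SERVICE))
```

The point the example makes is that the second assertion is perfectly valid SAML v2.0 yet would be accepted by one implementation and rejected by another; only an agreed profile, applied uniformly, makes the outcome predictable across agencies.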

This Framework has been developed as a supplementary information resource for NZ SAMS in order to encourage CIOs and senior IT Managers to recommend that their agencies adopt SAML v2.0. Accordingly, it focuses on the secure messaging requirements for online authentication, and outlines the technical issues, emerging solutions and the creation of NZ SAMS.

The State Services Commission recommends that agencies consider adopting a SAML v2.0-compliant approach for all new secure online services because it will:

  • Enhance interoperability. The future design of all new online Government services is expected to support SAML v2.0 for security assertion messaging. This standard is noted in the e-GIF. Supporting an alternative standard will make interoperation with other agencies much more difficult, time-consuming and expensive.
  • Ease integration with all-of-government authentication services. The Government Logon Service (GLS) and the Identity Verification Service (IVS) will use SAML v2.0. All agencies will be able to more easily leverage the benefits of these services by selecting a SAML v2.0-compliant product, interface or development approach. Agencies can focus on the issues of providing an online service, while minimising the issues associated with integrating a non-compliant security interface. 
  • Assure product support. Major vendors of access management and security products have shown support for SAML v2.0. Adopting SAML v2.0 should make a wide range of commercial and open source products available for consideration and selection. Using the SAML v2.0 specification for all new secure online services will enable future support of identity federation, even if this functionality is not immediately used.

Agencies are reminded that adopting the approach outlined in this Framework and the NZ SAMS does not relieve them of obligations under privacy legislation, continuity planning, and management of the risks associated with liability and trusted relationships.
