Community Review in progress!
This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list (participants@incommon.org).
This document is intended for implementors of SAML software, that is, software that supports SAML Web Browser SSO.
Contents
This document summarizes a set of implementation requirements that will eventually form the basis of an InCommon SAML Implementation Profile. These requirements are a superset of the implementation features required to support the saml2int deployment profile, which reflects a substantial amount of best practice within the global higher education community.
Basic Metadata Requirements
This section includes a basic set of metadata requirements for both IdP and SP deployments.
Metadata Extensions
Support for SAML Metadata
Support the following OASIS specifications (linked on the OASIS Security Services Technical Committee wiki page):
Support the following batch metadata process:
consume SAML metadata at least daily (e.g., http://md.incommon.org/InCommon/InCommon-metadata.xml)
root element:
<md:EntitiesDescriptor>
root element contains an arbitrary number of
<md:EntityDescriptor>
child elementsSupport the following metadata security model:
the metadata file is signed using XML Signature
the signature uses the SHA-256 digest algorithm
the signature on every metadata file MUST be verified using a well-known, trusted public key
Metadata Signing Certificate for the above metadata file
the root element is decorated with a
validUntil
XML attribute, which MUST be validated (i.e., not expired and not too far into the future)Process the content of the SAML2 metadata file as follows:
Run-time configuration of SAML profiles (technical trust configuration) managed via SAML Metadata alone and should allow basic interop with any SP for which metadata is supplied, without the local admin having to “enable access” for that SP
Gracefully accept (and possibly ignore) any and all well-formed extension content (see note at top of document)
Accept and allow the use of long-lived, self-signed, end entity certificates
as specified in the Metadata Interoperability Profile, an expired certificate is treated like any other certificate
likewise the signature on end entity certificates is irrelevant (either SHA-1 or SHA-2, it doesn’t matter)
To fully support key rollover, the implementation MUST support the following features:
An implementation MUST be able to consume and utilize two or more signing keys bound to a single role descriptor. There are two cases that MUST be supported:
Both
<md:KeyDescriptor use="signing">
and<md:KeyDescriptor use="signing">
elements in a single role descriptorBoth
<md:KeyDescriptor use="signing">
and<md:KeyDescriptor>
elements in a single role descriptorIf an implementation supports inbound encryption, it MUST be configurable with up to two decryption keys.
An implementation MAY support (i.e., consume and utilize) multiple encryption keys of the same type per role descriptor in metadata. In particular, the implementation MAY support two
<md:KeyDescriptor>
elements (with no use XML attribute) in a single role descriptor, but this is not strictly required since it can usually be avoided in practice. Note that supporting multiple key types for encryption (e.g., RSA and EC) implies support for multiple keys in metadata.
IdP Requirements
All IdP deployments MUST satisfy the Basic Metadata Requirements listed above.
Level 1 IdP Requirements
Support for SAML V2.0 Web Browser SSO as defined in the SAML V2.0 Profiles specification as updated by Errata (linked on the OASIS Security Services Technical Committee wiki page)
Assuming SP metadata is available, must respond to any valid AuthnRequest. If unable to satisfy a given request, must respond with a SAML error.
Support for signature creation and validation with 2048-bit and larger RSA keys and at least the SHA-1 and SHA-256 digest algorithms. Signing at either or both of the Response and Assertion layers MUST be supported.
Support for assertion encryption via at least the AES-CBC and AES-GCM data encryption and RSA-OAEP key transport algorithms.
Support for configuring signing and encryption behavior based on the identity of an SP.
Support for the MACE-Dir SAML Attribute Profiles
Support the use of a “default attribute release policy”. If there is no policy associated with a requesting SP, then the default policy is used.
Support the use of an attribute release policy for a specific SP
Support for the “exact” RequestedAuthnContext operator (returning an error or selecting from among multiple login methods, as appropriate)
In general, for the SAML profile(s) supported, all content and features defined by the standard should be evaluated for consideration, and if not supported should be fully documented as such.
Level 2 IdP Requirements
Support the use of an attribute release policy that acts based on the presence of specific EntityAttributes in metadata (via the 3-tuple Name, NameFormat, and AttributeValue)
Support the use of an attribute release policy that acts based on the presence of specific RequestedAttribute elements in metadata (via the 3-tuple Name, NameFormat, and optionally AttributeValues)
Support the SAML 2 ForceAuthn feature
Support the SAML 2 IsPassive feature
Support for all SAML-defined RequestedAuthnContext operators (exact, minimum, maximum, better)
Support for the SAML 2 SingleLogout profile and the SAML V2.0 Asynchronous Single Logout Protocol Extension
Support for the SAML V2.0 Enhanced Client or Proxy Profile Version 2.0
Support for some mechanism for user-granted consent to release attributes
Support for the SAML V2.0 Metadata Profile for Algorithm Support, allowing control over selected signing and encryption algorithms based on metadata.
SP Requirements
All SP deployments MUST satisfy the Basic Metadata Requirements listed above.
Level 1 SP Requirements
Allow flexible configuration of requirements for encrypted and/or signed assertions - allow deployer to require either, both, or none.
Support for SAML V2.0 Web Browser SSO as defined in the SAML V2.0 Profiles specification as updated by Errata (linked on the OASIS Security Services Technical Committee wiki page)
Support for the MACE-Dir SAML Attribute Profiles
Must allow use of a transient NameId (see section 8.3 of OASIS SAML 2.0 core http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
References
- SAML V2.0 Metadata Extension for Entity Attributes https://wiki.oasis-open.org/security/SAML2MetadataAttr
- SAML V2.0 Identity Assurance Profiles https://wiki.oasis-open.org/security/SAML2IDAssuranceProfile
- SAML V2.0 Metadata Extensions for Login and Discovery User Interface https://wiki.oasis-open.org/security/SAML2MetadataUI
- more