Note that this page has been deprecated. The information it contains is no longer current. See Kantara's SAML V2.0 Implementation Profile for Federation Interoperability for current information. |
This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list (participants@incommon.org). |
This material is geared toward implementors of SAML software, primarily software that supports the SAML Web Browser SSO profile, though some of the material is generally applicable to other SAML profiles. It is not specifically aimed at deployers (i.e., the typical InCommon member).
This document summarizes a set of preliminary implementation requirements that may eventually form the basis of one or more InCommon SAML Implementation Profiles (hence the document title). Use of software supporting such a profile is not now, nor likely to be in the future, a requirement for participation in InCommon, but it does reflect the accumulation of experience around the software features required to support more robust and effective deployments within the federation, which elevates the federations value for all members.
These requirements are a superset of the implementation features required to support the saml2int deployment profile, which reflects a substantial amount of best practice within the global higher education community, and is itself expected to undergo further changes that will more closely align the deployment profile with the requirements outlined in this draft.
Because this document is a DRAFT, implementors are cautioned that it may (and likely will) change before taking final form and therefore implementors should be involved with the evolution of this document.
Contents
The extensibility of SAML is of paramount importance since it allows deployments to evolve and meet future needs. The SAML standard has explicit requirements for extensibility in both metadata and in protocol messages, and implementations MUST successfully consume any and all well-formed extensions. Most extension points in SAML have optional semantics, which means that ignoring extension content is a valid and acceptable practice. Unless otherwise noted as a required feature, <Extensions>
elements in metadata and protocol messages MAY be ignored but MUST NOT result in software failures.
This section includes a basic set of SAML metadata requirements for both IdP and SP implementations. Support of metadata was strictly optional in the original SAML standard, but it is a critical component of modern SAML deployments.
MUST support SAML Metadata and the following OASIS specifications (linked on the OASIS Security Services Technical Committee wiki page):
SAML V2.0 Metadata [SAML2MD] as updated by Errata [SAML2Errata]
SAML V2.0 Metadata Schema [SAML2MD-xsd]
SAML V2.0 Metadata Interoperability Profile [SAML2MDIOP]
MUST support the routine consumption of SAML metadata from a remote location via HTTP on a scheduled/recurring basis, with the content of the metadata automatically applied upon successful verification. HTTP caching and compression SHOULD be supported
MUST support the consumption of SAML metadata rooted in either <md:EntityDescriptor>
or <md:EntitiesDescriptor>
elements (in the latter case containing any number of child elements)
MUST support metadata verification based on verification of an XML Signature (see #algorithms for requirements) against a well-known key. Support for verification by certificate MAY be supported but it MUST be possible to configure verification based solely on the public key in a certificate.
validUntil
XML attribute, and MUST have the ability to enforce limitations on the duration of validity (e.g., it must be possible to block consumption of metadata without such an attribute or one that is too far into the future)MUST support key rollover via SAML metadata (see #key-rollover requirements in the next section)
To support seamless key rollover via SAML metadata, implementations MUST support the following features:
Implementations MUST be able to consume and utilize two or more signing keys bound to a single role descriptor in metadata. To verify a signature, an implementation MUST try each signing key (in unspecified order) until the signature is verified or there are no more signing keys (in which case signature verification fails).
If an implementation supports inbound encryption, it MUST itself be configurable with up to two decryption keys (this is not a metadata requirement but applies to the configuration of keys used by the implementation).
An <md:KeyDescriptor> element in metadata that contains no use XML attribute MUST be valid as either a signing or encryption key. |
Implementations MUST support the following XML Signature digest algorithms:
http://www.w3.org/2001/04/xmlenc#sha256
http://www.w3.org/2000/09/xmldsig#sha1
Implementations MUST support the following XML Signature signing algorithms:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
http://www.w3.org/2000/09/xmldsig#rsa-sha1
Implementations MUST support the following XML Encryption block encryption algorithms:
http://www.w3.org/2001/04/xmlenc#aes128-cbc
http://www.w3.org/2001/04/xmlenc#aes256-cbc
http://www.w3.org/2009/xmlenc11#aes128-gcm
http://www.w3.org/2009/xmlenc11#aes256-gcm
Implementations MUST support the following XML Encryption key transport algorithms:
http://www.w3.org/2009/xmlenc11#rsa-oaep
Support for other algorithms of all types is encouraged but not required.
All IdP implementations MUST satisfy the Basic Requirements listed above (#basic-requirements). In particular, a conforming IdP implementation MUST support the basic SAML Metadata requirements listed above (#saml-metadata).
Implementations MUST support the SAML V2.0 Web Browser SSO profile as defined in SAML V2.0 Profiles [SAML2Prof] as updated by Errata [SAML2Errata] (linked on the OASIS Security Services Technical Committee wiki page). With respect to this profile:
MUST support the HTTP-POST binding for responses
MUST support signing at either or both of the Response and Assertion layers
MUST support the MACE-Dir SAML Attribute Profiles
MUST support a “default attribute release policy” controlling the inclusion of SAML Attributes in an assertion such that if there is no policy associated with a requesting SP, then the default policy is used
MUST support the creation of attribute release policies tied to a specific SP by entityID
MUST support the “exact” <RequestedAuthnContext>
operator (returning an error or selecting from among multiple login methods, as appropriate)
In general, for the SAML profile(s) supported, all content and features defined by the standard should be evaluated for consideration, and if not supported should be fully documented as such.
MUST support dynamic (just-in-time) query of signed per-entity SAML metadata per the Metadata Query Protocol specifications. [MDQ-protocol] Verification of the XML Signature on the <md:EntityDescriptor>
element is identical to the procedure outlined in the #saml-metadata section
MUST support the creation of attribute release policies that act based on the presence of specific <mdattr:EntityAttributes>
extension elements [SAML2MDATTR] in SP metadata (via the 3-tuple Name, NameFormat, and AttributeValue)
<mdui:UIInfo>
extension element [SAML2MDUI] in SP metadataMUST support the creation of attribute release policies that act based on the presence of the <mdrpi:RegistrationInfo>
extension element [SAML2MDRPI] in SP metadata (via the value of the registrationAuthority
XML attribute)
MUST support the creation of attribute release policies that act based on the presence of specific <md:RequestedAttribute>
elements in SP metadata (via the 3-tuple Name, NameFormat, and optionally AttributeValue(s))
MUST support the SAML 2 ForceAuthn feature
MUST support the SAML 2 IsPassive feature
MUST support all SAML-defined <RequestedAuthnContext>
operators (exact, minimum, maximum, better)
MUST support the SAML V2.0 SingleLogout profile (in SAML2Core) and the SAML V2.0 Asynchronous Single Logout Protocol Extension [SAML2ASLO]
<EncryptedID>
element, and in the case of decryption via at least two decryption keys simultaneouslyMUST support the SAML V2.0 Enhanced Client or Proxy Profile Version 2.0 [SAML2ECP] with applicable requirements pertaining from the Browser profile requirements noted in the Basic requirements above
MUST support a mechanism for user-mediated consent to release attributes
MUST support the SAML V2.0 Metadata Profile for Algorithm Support [SAML2MDAlgSupport]
The list of IdP requirements is a draft, but the list of SP requirements is really a draft. It's considerably less detailed and less reviewed at this stage. |
All IdP implementations MUST satisfy the Basic Requirements listed above (#basic-requirements). In particular, a conforming SP implementation MUST support the basic SAML Metadata requirements listed above (#saml-metadata).
Implementations MUST support the SAML V2.0 Web Browser SSO profile as defined in SAML V2.0 Profiles [SAML2Prof] as updated by Errata [SAML2Errata] (linked on the OASIS Security Services Technical Committee wiki page). With respect to this profile:
MUST support the HTTP-POST binding for responses
MUST support signing at either or both of the Response and Assertion layers
MUST support the processing of any string-based <NameID>
format and any string-based <saml:Attribute>
formulations, notably the MACE-Dir SAML Attribute Profiles
[SAML2MD-xsd] http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
[SAML2MDIOP] OASIS SAML V2.0 Metadata Interoperability Profile Version 1.0 https://wiki.oasis-open.org/security/SAML2MetadataIOP
[SAML2Errata] OASIS SAML V2.0 Errata 05 http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.pdf
[SAML2Prof] Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf