cdaefa:EFA Identity Assertion SAML2 Binding
Version vom 21. März 2013, 21:22 Uhr von Jcaumanns (Diskussion | Beiträge)
SAML 2.0 Profile for ECR Identity Assertions
| Assertion Element | Opt | Usage Convention | |||
|---|---|---|---|---|---|
| @Version | R | MUST be “2.0” | |||
| @ID | R | URN encoded unique identifier (UUID) of the assertion | |||
| @IssueInstant | R | time instant of issuance in UTC | |||
| Issuer | R | address URI that identifies the endpoint of the issuing service | |||
| Subject | R | This element defines the subject confirmation method of the user in order to use the Identity Assertion as a protection token. Moreover, it defines the subject name identifier that accords with the user identity. | |||
| NameID | R | Identifier of the HP encoded as an X.509 subject name, an e-Mail address or as a string value (unspecified format). Only identifiers must be used that can be long-term tracked back to an individual person. | |||
| @Format | R | MUST be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName | |||
| SubjectConfirmation | R | ||||
| @Method | R | This element MUST hold a URI reference that identifies a protocol to be used to authenticate the subject.[SAML2.0core] The value of this element MUST be set to | |||
| SubjectConfirmationData | R | ||||
| ds:KeyInfo | R | The XML Signature [XMLSignature] element MUST embed a cryptographic key that is only held by the user. This can be the user’s public key (ds:KeyValue/ds:RSAKeyValue), the complete user’s X.509 certificate (ds:X509Data/ds:X509Certificate), or an encrypted symmetric key (xenc:EncryptedKey [XMLEncryption]). This symmetric key MUST be encrypted by using the public key of the consumer service’s certificate [eFA PKI 1.2]. | |||
| Conditions | R | ||||
| @NotBefore | R | time instant from which the assertion is useable. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. | |||
| @NotOnOrAfter | R | time instant at which the assertion expires. This condition MUST be assessed by the assertion consumer to proof the validity of the assertion. The maximum validity timespan for an HCP Identity Assertion MUST NOT be more than 4 hours. | |||
| AuthnStatement | R | ||||
| @AuthnInstant | R | time instant of HP authentication in UTC | |||
| @SessionNotOnOrAfter | O | Time instant of the expiration of the session | |||
| AuthnContext | R | ||||
| AuthnContextClassRef | R | A URI reference that specifies the type of authentication that took place. The URI reference identifying the accepted authentication protocol is urn:oasis:names:tc:SAML:2.0:ac:classes:X509 | |||
| AttributeStatement | R | HP identity attributes and permissions (see section below for details) | |||
| ds:Signature | R | Enveloped XML signature of the issuer of the HCP Identity Assertion (see section below for details). | |||
Assertion Signature
Every HP Identity Assertion MUST be signed by its issuer. The XML signature MUST be applied by using the saml:Assertion/ds:Signature element as defined below.
| Signature Parameter | Usage Convention |
|---|---|
| CanonicalizationMethod | SHOULD be http://www.w3.org/2001/10/xml-exc-c14n# |
| Transformation | Enveloped signature transform acc. to section 6.6.4 of [W3C XMLDSig] SHOULD be used (http://www.w3.org/2000/09/xmldsig#enveloped-signature). In addition, exclusive canonicalization SHOULD be defined as transformation (http://www.w3.org/2001/10/xml-exc-c14n#, acc. [W3C XMLDSig] and [W3C XML-EXC 1.0]). As inclusive namespaces other prefixes than the ones defined in EFA Namespaces MUST NOT be used. |
| SignatureMethod | For signing assertions the signature method http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or |
| DigestMethod | For signing assertions the digest method http://www.w3.org/2000/09/xmldsig#sha1 or |
| KeyInfo | This element MUST either contain a wsse:SecurityTokenReference element which references the X.509 certificate of the assertion’s issuer by using a subject key identifier OR contain a ds:X509Data element which contains the X.509 certificate of the assertion issuer. |
