- Title
- Web Authentication Profile
- Description
- The Web Authentication Profile provides standards and guidance in support of principal authentication and exchange of authenticated principal's identity attributes between Mission Network Participants.
Taxonomy
Standards
Guidance
Identity providers must support the following components of the SAML 2.0 specification
- Profiles Web Browser SSO Profile and Single Logout Profile.
- Bindings HTTP Redirect Binding and HTTP POST Binding.
When making authentication requests to Identity Providers, the requesting SP/RP must fulfill the following requirements
- All Authentication Requests shall be signed.
- HTTP-Redirectbinding shall be used for the transmission of Authentication Request messages.
Authentication responses from an identity provider must fulfill the following requirements
-
HTTP-POSTbinding shall be used for the receipt of messages.
-
SAML Assertions shall contain a element with the following format to enable Single Logout urn oasis names tc SAML 2.0 nameid-format transient.
-
Allelements shall contain a NameFormat ofurn oasis names tc SAML 2.0 attrname-format uri . Required attribute names are listed in the Context section.
-
element, specified in the XML Digital Signature Core specification [1], inside the element shall be left empty.
-
If encryption is used for SAML Response messages, the assertion element shall be encrypted as a whole. Encryption of only Attributes and/or NameID is not allowed for SAML Response messages. Thus, SAML Response messages shall contain a element in case encryption is used.
-
For Single Logout request messages element shall not be used. Instead transient NameIDs shall be used to hide the user identity.
In order to make web authentication more robust, implementations should allow five (5) minutes of clock skew in both directions when interpreting timestamps in SAML assertions.
[1] XML Signature Syntax and Processing Version 2.0, W3C Working Group Note 23 July 2015,https //www.w3.org/TR/xmldsig-core2/#sec-KeyInfo