Title
Web Authentication Profile
Description
The Web Authentication Profile provides standards and guidance in support of principal authentication and exchange of authenticated principal's identity attributes between Mission Network Participants.

Reference document

Org
FMN
Pubnum
Date
2022-12-02
Version
Title
Proposed FMN Spiral 5 Specification

Taxonomy

Standards

Obligation: MANDATORY, Lifecycle: CANDIDATE

Guidance

Identity providers must support the following components of the SAML 2.0 specification:

  • Profiles: Web Browser SSO Profile and Single Logout Profile.
  • Bindings: HTTP Redirect Binding and HTTP POST Binding.

When making authentication requests to Identity Providers, the requesting SP/RP must fulfill the following requirements:

  • All Authentication Requests shall be signed.
  • The HTTP-Redirect binding shall be used for the transmission of Authentication Request messages.
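The two SP-side requirements above (signed requests, carried over the HTTP-Redirect binding) are easy to get subtly wrong, because with the Redirect binding the XML signature is not inside the AuthnRequest: the request is DEFLATE-compressed, base64-encoded and URL-encoded, and the signature is computed over the resulting query string (SAMLRequest, then RelayState if present, then SigAlg, in that order) and appended as a separate Signature parameter. The following Python is an added example, not part of the specification or of any FMN implementation, showing both the SP encoding side and the IdP decoding side. The AuthnRequest, the URLs and the RelayState value are constructed for the example; placeholder_sign is a stand-in hash so the code runs offline and is not a signature.

```python
import base64
import hashlib
import zlib
from urllib.parse import parse_qs, quote, unquote, urlencode

# SigAlg identifier for RSA-SHA256 (xmldsig-more, RFC 4051).
SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, per SAML Bindings 3.4.4.1."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, used by the receiver."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_query_input(saml_request_b64: str, relay_state, sig_alg: str) -> str:
    """The exact octets the SP signs: SAMLRequest, then RelayState (only when present),
    then SigAlg, each value URL-encoded and joined with '&' in that fixed order."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts, quote_via=quote)


def build_redirect_url(idp_sso_url: str, authn_request_xml: str, relay_state, sign,
                       sig_alg: str = SIG_ALG_RSA_SHA256) -> str:
    """SP side: encode the AuthnRequest, sign the query string, append Signature."""
    query = signed_query_input(deflate_b64(authn_request_xml), relay_state, sig_alg)
    signature_b64 = base64.b64encode(sign(query.encode("ascii"))).decode("ascii")
    return f"{idp_sso_url}?{query}&Signature={quote(signature_b64, safe='')}"


def parse_redirect_query(raw_query: str) -> dict:
    """IdP side: recover the request and, crucially, the raw signed octets.
    The signature must be verified over the query string exactly as received
    (before any URL-decoding or re-encoding), hence the split on the raw string."""
    signed_input, _, signature_enc = raw_query.partition("&Signature=")
    params = {k: v[0] for k, v in parse_qs(signed_input, keep_blank_values=True).items()}
    return {
        "xml": inflate_b64(params["SAMLRequest"]),
        "relay_state": params.get("RelayState"),
        "sig_alg": params["SigAlg"],
        "signed_input": signed_input,
        "signature": base64.b64decode(unquote(signature_enc)),
    }


# Constructed sample AuthnRequest (hypothetical SP and IdP, not from the specification).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2023-01-23T14:32:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.mil/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.mil</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
    '</samlp:AuthnRequest>'
)


def placeholder_sign(data: bytes) -> bytes:
    """Stand-in so the example runs offline; NOT a signature. A real SP computes
    RSA-SHA256 over exactly these bytes with its private key (e.g. python-cryptography)."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.mil/sso", AUTHN_REQUEST, "state-1", placeholder_sign)
    print(url)
    print(parse_redirect_query(url.split("?", 1)[1])["xml"] == AUTHN_REQUEST)
```

The IdP-side split on the raw query string is the point worth noting: a verifier that re-assembles the signed string from already-decoded parameters will accept or reject signatures depending on how the client happened to percent-encode them, so always verify over the octets that actually arrived and only then inflate the request.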

Authentication responses from an identity provider must fulfill the following requirements:

  • The HTTP-POST binding shall be used for the receipt of messages.

  • SAML Assertions shall contain a NameID element with the following format to enable Single Logout: urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

  • All Attribute elements shall contain a NameFormat of urn:oasis:names:tc:SAML:2.0:attrname-format:uri. Required attribute names are listed in the Context section.

  • The KeyInfo element, specified in the XML Digital Signature Core specification [1], inside the Signature element shall be left empty.

  • If encryption is used for SAML Response messages, the Assertion element shall be encrypted as a whole. Encryption of only Attributes and/or NameID is not allowed for SAML Response messages. Thus, SAML Response messages shall contain an EncryptedAssertion element in case encryption is used.

  • For Single Logout request messages the EncryptedID element shall not be used. Instead transient NameIDs shall be used to hide the user identity.

In order to make web authentication more robust, implementations should allow five (5) minutes of clock skew in both directions when interpreting timestamps in SAML assertions.
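The response requirements above and the five-minute clock-skew allowance are the kind of rules an SP should check explicitly after (never instead of) XML-signature verification and decryption, because most SAML libraries do not enforce them by default. The following Python is an added example, not part of the specification or of any FMN implementation: it walks a Response and reports which of the profile rules it violates (transient NameID, attrname-format:uri on every Attribute, empty KeyInfo, no EncryptedID or EncryptedAttribute) and applies the ±5 minute skew to the Conditions window. The sample Response, its issuer and attribute name are constructed, and its Signature element is a structural placeholder, not a real signature; the code deliberately does no cryptographic verification.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input (XXE, entity expansion)

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ATTRNAME_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
CLOCK_SKEW = timedelta(minutes=5)  # the profile's allowance, applied in both directions


def parse_saml_time(value: str) -> datetime:
    """xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unsupported SAML timestamp: {value}")


def check_validity_window(not_before, not_on_or_after, now: datetime, skew=CLOCK_SKEW):
    """Accept if now lies in [NotBefore - skew, NotOnOrAfter + skew); else return the reason."""
    if not_before is not None and now < parse_saml_time(not_before) - skew:
        return "assertion not yet valid (NotBefore)"
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + skew:
        return "assertion expired (NotOnOrAfter)"
    return None


def check_response(response_xml: str, now: datetime) -> list:
    """Return the list of profile violations found (empty list means conformant).
    Structural checks only: verify the XML signature and decrypt any EncryptedAssertion
    with a proper XML-DSig/XML-Enc library before trusting anything examined here."""
    root = ET.fromstring(response_xml)
    problems = []
    # Encryption, when used, must wrap the whole Assertion; partial encryption is not allowed.
    for tag in ("EncryptedID", "EncryptedAttribute"):
        if root.find(f".//saml:{tag}", NS) is not None:
            problems.append(f"{tag} not allowed; encrypt the whole Assertion instead")
    # 'Left empty': KeyInfo may exist but must carry no key material or hints.
    for key_info in root.iterfind(".//ds:Signature/ds:KeyInfo", NS):
        if len(key_info) or (key_info.text or "").strip():
            problems.append("ds:KeyInfo must be left empty")
    for assertion in root.iterfind(".//saml:Assertion", NS):
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or name_id.get("Format") != NAMEID_TRANSIENT:
            problems.append("NameID must use the transient format")
        for attr in assertion.iterfind(".//saml:Attribute", NS):
            if attr.get("NameFormat") != ATTRNAME_URI:
                problems.append(f"Attribute {attr.get('Name')} must use attrname-format:uri")
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None:
            err = check_validity_window(cond.get("NotBefore"), cond.get("NotOnOrAfter"), now)
            if err:
                problems.append(err)
    return problems


# Constructed sample Response (hypothetical IdP, placeholder Signature, made-up attribute).
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0" '
    'IssueInstant="2023-01-23T14:32:00Z" InResponseTo="_req1">'
    '<saml:Issuer>https://idp.example.mil</saml:Issuer>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-23T14:32:00Z">'
    '<saml:Issuer>https://idp.example.mil</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue>'
    '<ds:KeyInfo/></ds:Signature>'
    '<saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a</saml:NameID>'
    '</saml:Subject>'
    '<saml:Conditions NotBefore="2023-01-23T14:30:00Z" NotOnOrAfter="2023-01-23T14:35:00Z"/>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="urn:example:attr:displayName" '
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
    '<saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>'
)

if __name__ == "__main__":
    now = datetime(2023, 1, 23, 14, 32, tzinfo=timezone.utc)
    print(check_response(SAMPLE_RESPONSE, now))
    print(check_response(SAMPLE_RESPONSE, now + timedelta(minutes=8)))
```

The skew is applied symmetrically: an assertion is accepted from five minutes before NotBefore up to, but not including, five minutes after NotOnOrAfter. The same window should be applied to SubjectConfirmationData/@NotOnOrAfter, and the usual Web Browser SSO checks (Recipient, InResponseTo, AudienceRestriction, replay of assertion IDs) are still required on top of the profile rules shown.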

[1] XML Signature Syntax and Processing Version 2.0, W3C Working Group Note 23 July 2015, https://www.w3.org/TR/xmldsig-core2/#sec-KeyInfo

Status

URI

History

Flag Date RFC Version
added 2023-01-23 14:32 15
UUID
b484bde8-987a-43ff-9e20-6ef145e25eaa

Utilization

This profile is used by the following profiles: