Download - OIOSAML Local IdP Profile 1.0 - digst.dk
OIOSAML Local Identity Provider Profile 1.0.2
Status: Published version
Date: 18.03.2020
- 2 af 37 -
1 INTRODUCTION ... 5
1.1 PREFACE ... 5
1.2 USAGE SCENARIOS ... 6
2 NOTATION AND TERMINOLOGY ... 7
2.1 REFERENCES TO SAML 2.0 SPECIFICATION ... 7
2.2 TERMINOLOGY ... 7
3 COMMON REQUIREMENTS ... 9
3.1 GENERAL ... 9
3.1.1 Clock Skew ... 9
3.1.2 Document Type Definitions ... 9
3.1.3 SAML entityIDs ... 9
3.2 METADATA AND TRUST MANAGEMENT ... 10
3.2.1 Metadata Consumption and Use ... 10
3.2.2 Metadata Production ... 10
3.3 CRYPTOGRAPHIC ALGORITHMS ... 11
4 SP REQUIREMENTS ... 13
4.1 WEB BROWSER SSO ... 13
4.1.1 Requests ... 13
4.1.2 Responses ... 16
4.1.3 LoA check ... 17
4.1.4 Discovery ... 17
4.2 SINGLE LOGOUT ... 17
4.2.1 Requests ... 17
4.2.2 Responses ... 18
4.2.3 Behavioral Requirements ... 18
4.2.4 Logout and Virtual Hosting ... 19
4.3 METADATA AND TRUST MANAGEMENT ... 19
4.3.1 Support for Multiple Keys ... 19
4.3.2 Metadata Content ... 19
5 IDP REQUIREMENTS ... 21
5.1 WEB BROWSER SSO ... 21
5.1.1 Requests ... 21
5.1.2 Responses ... 22
5.1.3 Issuer ... 23
5.1.4 Subject Identifiers ... 23
5.1.5 Subject Confirmation ... 23
5.1.6 Audience Restriction ... 24
5.1.7 Discovery via common domain ... 24
5.2 SINGLE LOGOUT ... 25
5.2.1 Requests ... 25
5.2.2 Request Content ... 25
5.2.3 Responses ... 25
5.3 ATTRIBUTE QUERY ... 26
5.3.1 Request Message ... 26
5.3.2 Response Message ... 27
5.3.3 Error handling ... 27
5.4 METADATA AND TRUST MANAGEMENT ... 28
5.4.1 Support for Multiple Keys ... 28
5.4.2 Metadata Content ... 28
6 ATTRIBUTE PROFILES ... 29
6.1 GENERAL REQUIREMENTS ... 29
6.2 COMMON ATTRIBUTES ... 30
6.2.1 SpecVer attribute ... 30
6.2.2 BootstrapToken attribute (N/A) ... 30
6.2.3 Privilege attribute ... 30
6.2.4 Level of Assurance attribute ... 30
6.2.5 Identity Assurance Level attribute ... 30
6.2.6 Authentication Assurance Level attribute ... 31
6.2.7 Fullname attribute ... 31
6.2.8 Firstname attribute ... 31
6.2.9 Lastname attribute ... 31
6.2.10 Alias attribute ... 31
6.2.11 Email attribute ... 32
6.2.12 CPR attribute ... 32
6.2.13 Age attribute ... 32
6.2.14 CPR UUID ... 32
6.3 NATURAL PERSON PROFILE (N/A) ... 33
6.3.1 PID attribute (N/A) ... 33
6.4 PROFESSIONAL PERSON PROFILE ... 33
6.4.1 Persistent Identifier attribute (N/A) ... 33
6.4.2 RID number attribute (N/A) ... 33
6.4.3 CVR number attribute ... 33
6.4.4 Organization name attribute ... 34
6.4.5 Production unit attribute ... 34
6.4.6 SE Number attribute ... 34
6.4.7 Authorized to Represent ... 34
7 REFERENCES ... 36
1 Introduction
1.1 Preface
This SAML implementation profile ('OIOSAML Local IdP Profile') specifies behavior and options that deployments of the SAML V2.0 Web Browser SSO Profile [SAML2Prof], and related profiles, are required or permitted to rely on. The document is aimed at developers and other technical resources who are involved in developing, configuring and testing implementations, and the reader is assumed to be intimately familiar with the core SAML 2.0 specifications.
The OIOSAML profile is governed by the Danish Agency for Digitisation and questions surrounding the profile can be sent to: nemlogin@digst.dk. Future updates to the profile will be published at Digitaliser.dk¹ and Digst.dk, where other related resources (including reference implementations of the profile) can also be found.
The current document is a sub-profile of OIOSAML 3.0.1 targeted for a special use case involving a local Identity Provider (or local IdP) authenticating professional users from one or more organizations towards an Identity Broker, which then brokers the identity towards the downstream Service Provider.
The use case is illustrated in the figure below:
This sub-profile inherits most requirements from the OIOSAML Web SSO profile 3.0 but specifies a few deviations.
All heading and requirement numbers are kept from the original OIOSAML 3.0 profile in order to simplify comparisons and implementation. Furthermore, a few notational conventions are applied:
• Unchanged requirements from OIOSAML 3.0.1 are marked in green font.
• Requirements from OIOSAML 3.0.1 which are omitted are marked in red font, and the corresponding text is struck out.
• Requirements that are new or changed are marked in blue font.
1 https://www.digitaliser.dk/group/42063
1.2 Usage Scenarios
The profile is intended for use within Danish public sector federations where information about authenticated identities is communicated across organizations. The goal is to achieve standardization, interoperability, security and privacy, while enabling re-use of common implementations. OIOSAML will be the main interface for the public-sector Identity Broker in Denmark (NemLog-in3).
It should be noted that the profile has been designed with flexibility in mind, to e.g. allow individual sectors to define their own attribute profiles under OIOSAML. Thus, a delicate trade-off between interoperability and flexibility has been pursued.
2 Notation and terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This specification uses the following typographical conventions in text: <ns:Element>, Attribute, Datatype, OtherCode. The normative requirements of this specification are individually labeled with a unique identifier in the following form: [OIO-EXAMPLE-01]. All information within these requirements should be considered normative unless it is set in italic type. Italicized text is non-normative and is intended to provide additional information that may be helpful in implementing the normative requirements.
2.1 References to SAML 2.0 specification
When referring to elements from the SAML 2.0 core specification [SAML2Core], the following syntax is used:
• <samlp:ProtocolElement> - for elements from the SAML 2.0 Protocol namespace.
• <saml:AssertionElement> - for elements from the SAML 2.0 Assertion namespace.
When referring to elements from the SAML 2.0 metadata specification [SAML2Meta], the following syntax is used:
• <md:MetadataElement>
When referring to elements from the XML Signature Syntax and Processing Version 1.1 W3C Recommendation [XMLSig], the following syntax is used:
• <ds:Element>
2.2 Terminology
The abbreviations IdP and SP are used below to refer to Identity Providers and Service Providers in the sense of their usage within the SAML Browser SSO Profile and Single Logout profiles. A proxy-IdP will act in both roles, i.e. as an SP towards the 'real' IdP and as an IdP towards the 'real' SP.
Whether explicit or implicit, all the requirements listed in this document are meant to apply to deployments of SAML profiles and may involve explicit support for requirements by SAML-implementing software and/or supplemental support via application code. Deployments of a Service Provider may refer to both stand-alone implementations of SAML, libraries integrated with an application, or any combination of the two. It is difficult to define a clear boundary between a Service Provider and the application/service it represents, and unnecessary to do so for the purposes of this document.
Note that all requirements for IdPs in this document should be understood as requirements for local IdPs, and all requirements for SPs should be understood as aimed at Identity Brokers who request authentication from the local IdP.
3 Common Requirements
This chapter includes material of general significance to both IdPs and SPs. Subsequent sections provide guidance specific to those roles.
3.1 General
3.1.1 Clock Skew [OIO-GE-01]
Deployments MUST allow between three (3) and five (5) minutes of clock skew, in either direction, when interpreting xsd:dateTime values in assertions and when enforcing security policies based thereupon.
The following is a non-exhaustive list of items to which this directive applies: NotBefore, NotOnOrAfter, and validUntil XML attributes found on <saml:Conditions>, <saml:SubjectConfirmationData>, <samlp:LogoutRequest>, <md:EntityDescriptor>, <md:EntitiesDescriptor>, <md:RoleDescriptor>, and <md:AffiliationDescriptor> elements.
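The following is an added example, not part of the profile and not reference code from the Danish Agency for Digitisation, showing how an SP or IdP can apply the [OIO-GE-01] skew window to NotBefore / NotOnOrAfter on a <saml:Conditions> element. The assertion text, the timestamps and the function names are constructed for the example; only the 3 to 5 minute bounds come from the profile.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Bounds from [OIO-GE-01]: the tolerated skew is at least 3 and at most 5 minutes.
MIN_SKEW = timedelta(minutes=3)
MAX_SKEW = timedelta(minutes=5)


def parse_xsd_datetime(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2020-03-18T10:15:00Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("xsd:dateTime values in SAML messages must carry a time zone")
    return parsed.astimezone(timezone.utc)


def within_validity(not_before: Optional[str], not_on_or_after: Optional[str],
                    now: datetime, skew: timedelta = MIN_SKEW) -> bool:
    """Evaluate a NotBefore / NotOnOrAfter pair with the skew applied in either direction:
    NotBefore is accepted up to `skew` early, NotOnOrAfter up to `skew` late."""
    if not MIN_SKEW <= skew <= MAX_SKEW:
        raise ValueError("skew must be between 3 and 5 minutes ([OIO-GE-01])")
    if not_before is not None and now + skew < parse_xsd_datetime(not_before):
        return False
    if not_on_or_after is not None and now - skew >= parse_xsd_datetime(not_on_or_after):
        return False
    return True


def conditions_valid(assertion_xml: str, now: datetime, skew: timedelta = MIN_SKEW) -> bool:
    """Apply the rule to the <saml:Conditions> element of an assertion. An assertion
    without Conditions is treated as invalid here; that strictness is a local choice."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        return False
    return within_validity(conditions.get("NotBefore"), conditions.get("NotOnOrAfter"), now, skew)


# Constructed sample: the SP's clock reads 10:00:00Z while the issuing IdP's clock
# runs two minutes ahead, so NotBefore is two minutes in the SP's future.
NOW = datetime(2020, 3, 18, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed1" Version="2.0"
    IssueInstant="2020-03-18T10:02:00Z">
  <saml:Issuer>https://idp.example.dk</saml:Issuer>
  <saml:Conditions NotBefore="2020-03-18T10:02:00Z" NotOnOrAfter="2020-03-18T10:07:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    # True: two minutes early is inside the 3-minute skew window
    print(conditions_valid(SAMPLE_ASSERTION, NOW))
```

The same `within_validity` call applies to `NotOnOrAfter` on <saml:SubjectConfirmationData>, to `validUntil` on metadata descriptors and to the other attributes listed above; the skew is applied symmetrically, so a value that is four minutes early fails under a 3-minute setting but passes under the 5-minute maximum.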
3.1.2 Document Type Definitions [OIO-GE-02]
Deployments MUST NOT produce any SAML protocol message that contains a Document Type Definition (DTD). Deployments SHOULD reject messages that contain them.
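An added example (not from the profile) of the rejection side of [OIO-GE-02]: an inbound message is handed to the expat parser from the Python standard library with a DOCTYPE handler that aborts before any entity declaration is processed, so a DTD is detected without the parser ever acting on its contents. The function names and the sample messages are constructed for this example.

```python
import xml.parsers.expat


class _DtdFound(Exception):
    """Raised from the DOCTYPE callback so parsing stops at the declaration itself."""


def contains_dtd(message: bytes) -> bool:
    """Return True if the XML document declares a DOCTYPE (internal or external DTD)."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Abort here: nothing inside the DTD (entity definitions, external
        # references) gets processed once we know a DOCTYPE is present.
        raise _DtdFound(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(message, True)
    except _DtdFound:
        return True
    return False


def accept_message(message: bytes) -> bool:
    """Gate for inbound SAML protocol messages: reject anything carrying a DTD,
    and reject anything that is not well-formed XML at all."""
    try:
        return not contains_dtd(message)
    except xml.parsers.expat.ExpatError:
        return False


# Constructed samples.
CLEAN = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0"/>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE samlp:Response [<!ENTITY x "y">]>'
            b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&x;</samlp:Response>')

if __name__ == "__main__":
    print(accept_message(CLEAN), accept_message(WITH_DTD))   # True False
```

Run this check on the raw bytes before any SAML library sees the message; once a full parser has expanded entities, it is too late to refuse the document cheaply.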
3.1.3 SAML entityIDs [OIO-GE-03]
Deployments MUST be named via an absolute URI whose total length MUST NOT exceed 256 characters. To support having a well-known location from which metadata can be downloaded, the Entity Identifier SHOULD be derived from the internet domain name of the Service Provider, e.g.
https://saml.[domain name]
An entityID SHOULD be chosen in a manner that minimizes the likelihood of it changing for political or technical reasons, including for example a change to a different software implementation or hosting provider.
3.2 Metadata and Trust Management
3.2.1 Metadata Consumption and Use [OIO-MD-01]
Deployments MUST provision their behavior in the following areas based solely on the consumption of SAML Metadata [SAML2Meta] and the processing rules defined by the SAML Metadata Interoperability profile [SAML2MDIOP]:
• indications of support for Browser SSO and Single Logout profiles
• selection, determination, and verification of SAML endpoints and bindings
• determination of the trustworthiness of XML signing keys
• selection of XML Encryption keys
Metadata exchange mechanisms and establishment of trust in metadata are left to deployments to specify.
3.2.2 Metadata Production
[OIO-MD-02] Deployments MUST have the ability to provide SAML metadata capturing their requirements and characteristics in the areas identified above in a secure fashion. Metadata SHOULD NOT include content indicating support for profiles or features beyond the bounds of this profile.
3.2.2.1 Keys and Certificates [OIO-MD-03]
Public keys used for signing and encryption MUST be expressed via X.509 certificates included in metadata via <md:KeyDescriptor> elements. The certificates MUST be FOCES or VOCES certificates (issued under the OCES2 or OCES3 certificate policies)² or qualified certificates (according to the eIDAS regulation) issued to a legal person. Certificates MUST NOT be expired or revoked.
2 https://www.nemid.nu/dk-da/om-nemid/historien_om_nemid/oces-standarden/oces-certifikatpolitikker/
[OIO-MD-04] RSA public keys MUST be at least 2048 bits in length. At least 3072 bits is RECOMMENDED for new deployments.
[OIO-MD-05] EC public keys MUST be at least 256 bits in length.
[OIO-MD-06] By virtue of the profile's overall requirements, an IdP's metadata MUST include at least one signing certificate (that is, an <md:KeyDescriptor> with no use attribute or one set to signing), and an SP's metadata MUST include at least one signing certificate and one encryption certificate (that is, an <md:KeyDescriptor> with no use attribute or one set to encryption).
3.3 Cryptographic Algorithms [OIO-ALG-01]
Deployments MUST support, and use, the following algorithms when communicating with peers in the context of this profile. Where multiple choices exist, any of the listed options may be used. The profile will be updated as necessary to reflect changes in government and industry recommendations regarding algorithm usage.
• Digest
  o http://www.w3.org/2001/04/xmlenc#sha256 [XMLEnc]
• Signature
  o http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 [RFC4051]
  o http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 [RFC4051]
• Block Encryption
  o http://www.w3.org/2001/04/xmlenc#aes128-cbc [XMLEnc]
  o http://www.w3.org/2001/04/xmlenc#aes256-cbc [XMLEnc]
• Key Transport
  o http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p [XMLEnc]
  o http://www.w3.org/2009/xmlenc11#rsa-oaep [XMLEnc]
The following Block Encryption algorithms SHOULD be supported:
  o http://www.w3.org/2009/xmlenc11#aes128-gcm [XMLEnc]
  o http://www.w3.org/2009/xmlenc11#aes192-gcm [XMLEnc]
  o http://www.w3.org/2009/xmlenc11#aes256-gcm [XMLEnc]
Note: The 'GCM' variants are more secure than the 'CBC' variants, which are allowed for backwards compatibility. The CBC variants may be deprecated in a future version of the profile.
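An added example, not part of the profile, of enforcing the [OIO-ALG-01] lists on a received message: it walks the ds:SignatureMethod, ds:DigestMethod and xenc:EncryptionMethod elements and reports every algorithm URI that is not on the list for its position (block cipher under xenc:EncryptedData, key transport under xenc:EncryptedKey). The allow-list contents are the URIs printed above; the sample response and the function name are constructed for the example, and the message is deliberately signed with rsa-sha1 so the check has something to report.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Allow-lists copied from [OIO-ALG-01]; the GCM block ciphers are the SHOULD-support set.
ALLOWED_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256"}
ALLOWED_SIGNATURE = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
ALLOWED_BLOCK = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes192-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}
ALLOWED_KEY_TRANSPORT = {
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
}


def find_violations(message_xml: str) -> List[Tuple[str, str]]:
    """Return (element, algorithm) pairs whose Algorithm URI is not allowed for that element.
    A missing Algorithm attribute is reported as the string 'None'."""
    root = ET.fromstring(message_xml)
    bad: List[Tuple[str, str]] = []
    for el in root.iter(f"{{{DS}}}SignatureMethod"):
        if el.get("Algorithm") not in ALLOWED_SIGNATURE:
            bad.append(("SignatureMethod", str(el.get("Algorithm"))))
    for el in root.iter(f"{{{DS}}}DigestMethod"):
        if el.get("Algorithm") not in ALLOWED_DIGEST:
            bad.append(("DigestMethod", str(el.get("Algorithm"))))
    # EncryptionMethod is a direct child of both EncryptedData and EncryptedKey, so
    # look at each container separately to apply the right list.
    for ed in root.iter(f"{{{XENC}}}EncryptedData"):
        em = ed.find(f"{{{XENC}}}EncryptionMethod")
        alg = em.get("Algorithm") if em is not None else None
        if alg not in ALLOWED_BLOCK:
            bad.append(("EncryptedData/EncryptionMethod", str(alg)))
    for ek in root.iter(f"{{{XENC}}}EncryptedKey"):
        em = ek.find(f"{{{XENC}}}EncryptionMethod")
        alg = em.get("Algorithm") if em is not None else None
        if alg not in ALLOWED_KEY_TRANSPORT:
            bad.append(("EncryptedKey/EncryptionMethod", str(alg)))
    return bad


# Constructed sample: structure only, no real signature or ciphertext.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_c1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_c1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

COMPLIANT_RESPONSE = SAMPLE_RESPONSE.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

if __name__ == "__main__":
    print(find_violations(SAMPLE_RESPONSE))   # [('SignatureMethod', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1')]
```

This check is a pre-filter on declared algorithms only; signature and decryption libraries must still be configured to refuse the same URIs, since the declared method is what the library will otherwise act on.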
4 SP Requirements
Note: in this profile, the SP should be understood as the central broker who requests authentication from the local Identity Provider.
4.1 Web Browser SSO [OIO-SP-01]
SPs MUST support the Browser SSO Profile [SAML2Prof], as updated by the Approved Errata [SAML2Err], with behavior, capabilities, and options consistent with the additional constraints specified in this section.
4.1.1 Requests
4.1.1.1 Binding [OIO-SP-02]
The HTTP-Redirect binding [SAML2Bind] with deflate encoding MUST be used for the transmission of <samlp:AuthnRequest> messages.
[OIO-SP-03] Requests MUST NOT be issued inside an HTML frame or via any mechanism that would require the use of third-party cookies by the IdP to establish or recover a session with the User Agent. This will typically imply that requests will involve a full-frame redirect, in order that the top-level window origin be associated with the IdP.
4.1.1.2 Request Content [OIO-SP-04]
The <samlp:AuthnRequest> message SHOULD omit the <samlp:NameIDPolicy> element.
[OIO-SP-05]
The message SHOULD contain an AssertionConsumerServiceURL attribute and MUST NOT contain an AssertionConsumerServiceIndex attribute (i.e., the desired endpoint MUST be the default, or identified via the AssertionConsumerServiceURL attribute).
The AssertionConsumerServiceURL value, if present, MUST match an endpoint location expressed in the SP's metadata exactly, without requiring URL canonicalization/normalization.
As an example, the SP cannot specify URLs that include a port number (e.g., https://sp.example.com:443/acs) in its requests unless it also includes that port number in the URLs specified in its metadata, and vice versa.
4.1.1.3 Authentication Contexts [OIO-SP-06]
The following <saml:AuthnContextClassRef> values MAY be used to request the desired [NSIS] assurance level, and if present, MUST be used with the Comparison attribute set to minimum:
https://data.gov.dk/concept/core/nsis/loa/Low
https://data.gov.dk/concept/core/nsis/loa/Substantial
https://data.gov.dk/concept/core/nsis/loa/High
Note the implicit hierarchy between these levels. Note also that use of the above [NSIS] identifiers for LoA (Level of Assurance) requires that the implementation adheres to NSIS requirements for the given level and has been notified to the Danish Agency for Digitisation.
Example:
<saml2p:RequestedAuthnContext Comparison="minimum">
  <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    https://data.gov.dk/concept/core/nsis/loa/Substantial
  </saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
Note that if the SP (i.e. identity broker) has out-of-band knowledge that the IdP implementation (e.g. Microsoft ADFS) does not support the above authentication context class references, it can be omitted, and the information provided by a RelayState parameter or some other mechanism supported by the IdP. When using RelayState for requesting a specific LoA, the following JSON syntax SHOULD be used:
{ "NSISLevelOfAssurance": "https://data.gov.dk/concept/core/nsis/loa/Substantial" }
The JSON structure SHOULD be converted to UTF-8 bytes and subsequently Base64-encoded, and the result used as the value of the RelayState. Note also that RelayState may be used for other purposes (see [OIO-SP-07]). In this case, the combined JSON structure is Base64 encoded.
[OIO-SP-07] The following <saml:AuthnContextClassRef> values MAY be used to request the desired attribute profile (see chapter 6 for attribute profiles):
https://data.gov.dk/eid/Person
https://data.gov.dk/eid/Professional
Note that if the SP (i.e. identity broker) has out-of-band knowledge that the IdP does not support this element, it can be omitted, and the information provided by a RelayState parameter or some other mechanism supported by the IdP. When using RelayState for this purpose, the following JSON syntax SHOULD be used:
{ "IdentityType": "https://data.gov.dk/eid/Professional" }
The JSON structure SHOULD be converted to UTF-8 bytes and subsequently Base64-encoded, and the result used as the value of the RelayState. Note also that RelayState may be used for other purposes (see [OIO-SP-06]).
Note: the Comparison attribute mentioned above in [OIO-SP-06] does not apply to the attribute profile but only to the assurance level.
4.1.1.4 Signed Requests [OIO-SP-08]
Requests MUST be signed by the SP using a private key defined in their metadata.
Note: Since the HTTP-Redirect binding with DEFLATE encoding is used, the signature is located in the "Signature" query string parameter described by this binding instead of in the request XML message.
4.1.1.5 Proxy IdPs [OIO-SP-09]
If the SP is in fact a proxy IdP acting on behalf of another SP, the service provider SHOULD include a <Scoping> element in the <AuthnRequest> containing a <RequesterID> element stating the Service Provider identity uniquely. The RequesterID MUST uniquely identify the real service provider.
Example:
<samlp:Scoping>
  <samlp:RequesterID>https://saml.sundhed.dk</samlp:RequesterID>
</samlp:Scoping>
Note that if the SP (i.e. identity broker) has out-of-band knowledge that the IdP does not support this element, it can be omitted, and the information provided by a RelayState parameter or some other mechanism supported by the IdP. When using the RelayState alternative, the following JSON syntax SHOULD be used:
{ "RequesterID": "https://saml.sundhed.dk" }
See also RelayState usage in [OIO-SP-06] and [OIO-SP-07].
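The RelayState encoding described in [OIO-SP-06], [OIO-SP-07] and [OIO-SP-09], as one added example covering all three (not code from the profile or from NemLog-in): the broker side combines the hints into one JSON object, UTF-8 encodes and Base64 encodes it; the IdP side decodes it as untrusted input, bounding its size and accepting only the three known keys and the value sets the profile lists. The function names, the size limit and the https check on RequesterID are assumptions made for this example.

```python
import base64
import json
from typing import Dict, Optional

# Value sets from [OIO-SP-06] and [OIO-SP-07].
LOA_VALUES = {
    "https://data.gov.dk/concept/core/nsis/loa/Low",
    "https://data.gov.dk/concept/core/nsis/loa/Substantial",
    "https://data.gov.dk/concept/core/nsis/loa/High",
}
IDENTITY_TYPES = {"https://data.gov.dk/eid/Person", "https://data.gov.dk/eid/Professional"}
KNOWN_KEYS = {"NSISLevelOfAssurance", "IdentityType", "RequesterID"}


def build_relay_state(loa: Optional[str] = None, identity_type: Optional[str] = None,
                      requester_id: Optional[str] = None) -> str:
    """Broker side: one JSON object with the requested hints, UTF-8 then Base64."""
    payload: Dict[str, str] = {}
    if loa is not None:
        if loa not in LOA_VALUES:
            raise ValueError(f"unknown NSIS LoA: {loa}")
        payload["NSISLevelOfAssurance"] = loa
    if identity_type is not None:
        if identity_type not in IDENTITY_TYPES:
            raise ValueError(f"unknown identity type: {identity_type}")
        payload["IdentityType"] = identity_type
    if requester_id is not None:
        # Assumption for this example: a RequesterID is an absolute https entityID.
        if not requester_id.startswith("https://"):
            raise ValueError("RequesterID must be an absolute https URI")
        payload["RequesterID"] = requester_id
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_relay_state(value: str, max_length: int = 1024) -> Dict[str, str]:
    """IdP side. RelayState arrives on the query string and is attacker-controllable,
    so: bound the size, require strict Base64, require a flat JSON object with only
    known keys, and check every value against the profile's lists."""
    if len(value) > max_length:
        raise ValueError("RelayState too long")
    try:
        raw = base64.b64decode(value, validate=True)   # binascii.Error is a ValueError
        payload = json.loads(raw.decode("utf-8"))       # so are JSON and UTF-8 errors
    except ValueError as exc:
        raise ValueError("RelayState is not Base64-encoded UTF-8 JSON") from exc
    if not isinstance(payload, dict):
        raise ValueError("RelayState JSON must be an object")
    unknown = set(payload) - KNOWN_KEYS
    if unknown:
        raise ValueError(f"unknown RelayState keys: {sorted(unknown)}")
    if not all(isinstance(v, str) for v in payload.values()):
        raise ValueError("RelayState values must be strings")
    if "NSISLevelOfAssurance" in payload and payload["NSISLevelOfAssurance"] not in LOA_VALUES:
        raise ValueError("unknown NSIS LoA")
    if "IdentityType" in payload and payload["IdentityType"] not in IDENTITY_TYPES:
        raise ValueError("unknown IdentityType")
    return payload


if __name__ == "__main__":
    rs = build_relay_state(loa="https://data.gov.dk/concept/core/nsis/loa/Substantial",
                           identity_type="https://data.gov.dk/eid/Professional",
                           requester_id="https://saml.sundhed.dk")
    print(rs)
    print(parse_relay_state(rs))
```

One caveat for deployments: the SAML 2.0 Bindings specification limits RelayState to 80 bytes, and a combined Base64-encoded JSON object is longer than that, so both the broker and the local IdP have to agree to accept the longer value.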
4.1.2 Responses
4.1.2.1 Binding [OIO-SP-10]
SPs MUST support the HTTP-POST binding for the receipt of <samlp:Response> messages. Support for other bindings is OPTIONAL.
[OIO-SP-11] The endpoint(s) at which an SP supports receipt of <samlp:Response> messages MUST be protected by TLS 1.2 or higher.
4.1.2.2 XML Encryption [OIO-SP-12]
SPs MUST support decryption of <saml:EncryptedAssertion> elements. Support for other encrypted constructs is OPTIONAL.
4.1.2.3 Error Handling [OIO-SP-13]
SPs MUST gracefully handle error responses containing <samlp:StatusCode> other than urn:oasis:names:tc:SAML:2.0:status:Success.
[OIO-SP-14] The response to such errors MUST direct users to appropriate support resources offered by the SP.
4.1.2.4 Forced Re-Authentication [OIO-SP-15]
SPs that include a ForceAuthn attribute of true in their requests SHOULD test the currency of the AuthnInstant element in the received assertions to verify the currency of the authentication event.
4.1.3 LoA check [OIO-SP-16]
When consuming SAML Assertions, SPs MUST check the specified [NSIS] level of assurance regardless of any LoA that was set in the request. See section 6.2.4 where the attribute is defined.
Note: SPs are not guaranteed that the IdP can or will honor the requested assurance level set in the <AuthnRequest>.
4.1.4 Discovery [OIO-SP-17]
SPs SHOULD support the Identity Provider Discovery Profile described in [SAML2Prof] which enables a Service Provider to discover which Identity Providers a principal is using with the web browser SSO profile.
Note: The profile relies on a cookie that is written in a domain common between Identity Providers and Service Providers in a deployment. The cookie contains a list of Identity Provider identifiers and the most recently used IdP should be at the end of the list.
4.2 Single Logout [OIO-SP-18]
SPs MUST support the Single Logout Profile [SAML2Prof], as updated by the Approved Errata [SAML2Err]. The following requirements apply in the case of such support.
4.2.1 Requests
4.2.1.1 Binding [OIO-SP-19]
The HTTP-Redirect binding [SAML2Bind] MUST be used for the transmission of (the initial) <samlp:LogoutRequest> messages to the IdP.
[OIO-SP-20]
SPs MUST support the HTTP-Redirect or HTTP-POST [SAML2Bind] binding for the receipt of <samlp:LogoutRequest> messages from the IdP, and MAY support the SOAP binding.
[OIO-SP-21] Requests MUST NOT be issued inside an HTML frame or via any mechanism that would require the use of third-party cookies by the IdP to establish or recover a session with the User Agent. This will typically imply that requests must involve a full-frame redirect, in order that the top-level window origin be associated with the IdP.
Note: The full-frame requirement is also necessary to ensure that full control of the user interface is released to the IdP.
4.2.1.2 Request Content [OIO-SP-22]
Logout Requests MUST be signed.
[OIO-SP-23]
The <saml:NameID> element included in <samlp:LogoutRequest> messages MUST exactly match the corresponding element received from the IdP, including its element content and all XML attributes included therein.
[OIO-SP-24] The <saml:NameID> element in <samlp:LogoutRequest> messages MUST NOT be encrypted³.
4.2.2 Responses
4.2.2.1 Binding [OIO-SP-25]
The HTTP-Redirect, HTTP-POST or SOAP binding [SAML2Bind] MUST be used for the transmission of <samlp:LogoutResponse> messages to the IdP.
[OIO-SP-26] SPs MUST support the HTTP-Redirect or HTTP-POST binding [SAML2Bind] for the receipt of <samlp:LogoutResponse> messages from the IdP (to the initial request).
4.2.2.2 Response Content [OIO-SP-27]
Responses MUST be signed.
4.2.3 Behavioral Requirements
[OIO-SP-28] SPs MUST terminate any local session before issuing a <samlp:LogoutRequest> message to the IdP.
3 Due to interoperability concerns.
Note: This ensures the safest possible result for subjects in the event that logout fails for some reason.
[OIO-SP-29] SPs MUST NOT issue a <samlp:LogoutRequest> message as the result of an idle activity timeout.
Note: Timeout of a single application/service must not trigger logout of an SSO session because this imposes a single service's requirements on an entire IdP deployment. Applications with sensitivity requirements should consider other mechanisms, such as the ForceAuthn attribute, to achieve their goals.
4.2.4 Logout and Virtual Hosting
[OIO-SP-30] An SP that maintains distinct sessions across multiple virtual hosts SHOULD identify itself by means of a distinct entityID (with associated metadata) for each virtual host.
Note: A single entity can have only one well-defined <SingleLogoutService> endpoint per binding. Cookies are typically host-based and logout cannot typically be implemented easily across virtual hosts. Unlike during SSO, a <samlp:LogoutRequest> message cannot specify a particular response endpoint, so this scenario is generally not viable.
4.3 Metadata and Trust Management
4.3.1 Support for Multiple Keys
The ability to perform seamless key migration depends upon proper support for consuming and/or leveraging multiple keys at the same time.
[OIO-SP-31]
SP deployments SHOULD support multiple signing certificates in IdP metadata and MUST support validation of XML signatures using a key from any of them.
[OIO-SP-32] SP deployments SHOULD be able to support multiple decryption keys and MUST be able to decrypt <saml:EncryptedAssertion> elements encrypted with any configured key.
4.3.2 Metadata Content [OIO-SP-33]
By virtue of this profile's requirements, an SP's metadata MUST contain:
• an <md:SPSSODescriptor> role element
  o at least one <md:AssertionConsumerService> endpoint element
  o at least one <md:KeyDescriptor> element whose use attribute is set to encryption
  o at least one <md:KeyDescriptor> element whose use attribute is set to signing
  o exactly one <md:NameIDFormat> element within their <md:SPSSODescriptor> element containing
    § urn:oasis:names:tc:SAML:2.0:nameid-format:persistent indicating a persistent (SP-specific) identifier
  o at least one <md:SingleLogoutService> endpoint element
In addition, an SP's metadata SHOULD contain:
• an <md:ContactPerson> element with a contactType of technical and an <md:EmailAddress> element
5 IdP Requirements
5.1 Web Browser SSO
[OIO-IDP-01] IdPs MUST support the Web Browser SSO Profile [SAML2Prof], as updated by the Approved Errata [SAML2Err], with behavior, capabilities, and options consistent with the additional constraints specified in this section.
5.1.1 Requests
5.1.1.1 Binding
[OIO-IDP-02] IdPs MUST support the HTTP-Redirect binding [SAML2Bind] for the receipt of <samlp:AuthnRequest> messages.
[OIO-IDP-03] All IdP endpoints (including those at which an IdP supports receipt of <samlp:AuthnRequest> messages) MUST be protected by TLS 1.2 or higher.
5.1.1.2 Endpoint Verification
[OIO-IDP-04] IdPs MUST verify the AssertionConsumerServiceURL supplied in an SP's <samlp:AuthnRequest> (if any) against the <md:AssertionConsumerService> elements in the SP's metadata. In the absence of such a value, the default endpoint from the SP's metadata MUST be used for the response. When verifying the AssertionConsumerServiceURL, it is RECOMMENDED that the IdP perform a case-sensitive string comparison between the requested value and the values found in the SP's metadata. It is OPTIONAL to apply any form of URL canonicalization.
5.1.1.3 Signing
[OIO-IDP-05] IdPs MUST verify the request signature against a certificate found in SP metadata, or fail the request.
[OIO-IDP-06] IdPs MUST reject unsigned requests.
5.1.1.4 Forced Re-Authentication
[OIO-IDP-07] IdPs MUST ensure that any response to a <samlp:AuthnRequest> that contains the attribute ForceAuthn set to true or 1 results in an authentication challenge that requires proof that the subject is present. If this condition is met, the IdP MUST also reflect this by setting the AuthnInstant value in the assertion it returns to a fresh value. If an IdP cannot prove subject presence, then it MUST fail the request and SHOULD respond to the SP with a SAML error status.
5.1.1.5 Passive Authentication
[OIO-IDP-08] IdPs MUST understand and respect the IsPassive attribute on requests. If the IsPassive attribute is set and control of the user interface is needed to complete an authentication, the following status code MUST be returned: urn:oasis:names:tc:SAML:2.0:status:NoPassive.
Note: The NoPassive error can occur if the IdP does not have a session with the user, if the IdP has a session but at a lower LoA than requested by the SP, or if the IdP policy requires active user consent prior to attribute release.
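As an added example (not text or code from the profile), the two request-handling decisions from 5.1.1.2, 5.1.1.4 and 5.1.1.5 written out in Python: resolving the AssertionConsumerServiceURL against SP metadata by exact, case-sensitive comparison with the default-endpoint fallback, and choosing between silent SSO, a fresh challenge and a NoPassive error from ForceAuthn, IsPassive and the session state, covering the three NoPassive cases the note lists. The names (AcsEndpoint, IdpSession, Decision, resolve_acs, decide_authn, run_example), the sample endpoints and the session are this example's own assumptions; request signature verification (OIO-IDP-05/06) is assumed to have succeeded before this code runs.

```python
"""IdP-side handling of an incoming <samlp:AuthnRequest> (5.1.1.2, 5.1.1.4, 5.1.1.5).

Added example, not text or code from the OIOSAML profile. Request signature
verification (OIO-IDP-05/06) is assumed to have succeeded before this point.
All names and the constructed sample data below are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
LOA_RANK = {"Low": 1, "Substantial": 2, "High": 3}      # NSIS levels (section 6.2.4)


@dataclass(frozen=True)
class AcsEndpoint:
    """One <md:AssertionConsumerService> element from the SP's metadata."""
    location: str
    binding: str
    index: int
    is_default: bool = False


def resolve_acs(requested: Optional[str], endpoints: list) -> AcsEndpoint:
    """OIO-IDP-04: choose the endpoint the <samlp:Response> is sent to.

    The requested AssertionConsumerServiceURL must equal a metadata Location
    exactly: no case folding, no trailing-slash or percent-decoding
    normalisation. An unknown URL fails the request instead of being honoured,
    since the URL is attacker-controlled until it is matched against metadata.
    """
    if requested is None:
        defaults = [ep for ep in endpoints if ep.is_default]
        return defaults[0] if defaults else endpoints[0]   # [SAML2Meta]: first one if none is flagged
    for ep in endpoints:
        if ep.location == requested:
            return ep
    raise ValueError(f"AssertionConsumerServiceURL not in SP metadata: {requested}")


@dataclass
class IdpSession:
    """The IdP's existing SSO session for this browser, if any."""
    authn_instant: datetime
    loa: str
    consent_given: bool = True


@dataclass(frozen=True)
class Decision:
    action: str                                 # "reuse_session", "challenge" or "error"
    status: Optional[str] = None                # second-level SAML status for "error"
    authn_instant: Optional[datetime] = None    # value for AuthnInstant in <saml:AuthnStatement>


def decide_authn(session: Optional[IdpSession], force_authn: bool, is_passive: bool,
                 requested_loa: str, now: datetime) -> Decision:
    """OIO-IDP-07/08: decide between silent SSO, a fresh challenge and NoPassive."""
    needs_ui = (session is None                                        # no session with the user
                or LOA_RANK[session.loa] < LOA_RANK[requested_loa]      # session LoA below the request
                or not session.consent_given                           # policy requires active consent
                or force_authn)                                        # presence must be proven now
    if needs_ui and is_passive:
        return Decision("error", status=NOPASSIVE)        # UI needed but forbidden: never a silent assertion
    if needs_ui:
        # run a challenge; `now` stands for the instant at which it completes and
        # is what the assertion must report, not the old session's AuthnInstant
        return Decision("challenge", authn_instant=now)
    return Decision("reuse_session", authn_instant=session.authn_instant)


def run_example() -> dict:
    """Constructed SP endpoints and IdP session; returns the decisions taken."""
    post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    endpoints = [AcsEndpoint("https://sp.example.dk/saml/acs", post, 0, is_default=True),
                 AcsEndpoint("https://sp.example.dk/saml/acs-alt", post, 1)]
    now = datetime(2020, 3, 18, 12, 0, tzinfo=timezone.utc)
    session = IdpSession(authn_instant=now - timedelta(minutes=20), loa="Substantial")
    out = {
        "default_acs": resolve_acs(None, endpoints).location,
        "named_acs": resolve_acs("https://sp.example.dk/saml/acs-alt", endpoints).index,
        "sso": decide_authn(session, False, False, "Substantial", now),
        "force": decide_authn(session, True, False, "Substantial", now),
        "passive_low_loa": decide_authn(session, False, True, "High", now),
        "passive_no_session": decide_authn(None, False, True, "Low", now),
    }
    try:                      # only the case differs from metadata: rejected, not canonicalised
        resolve_acs("https://sp.example.dk/saml/ACS", endpoints)
        out["case_variant"] = "accepted"
    except ValueError:
        out["case_variant"] = "rejected"
    return out
```

The case-variant check is the point of OIO-IDP-04's "case-sensitive string comparison": an IdP that normalises the URL before matching widens the set of locations an attacker-crafted request can redirect the response to.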
5.1.2 Responses
5.1.2.1 Binding
[OIO-IDP-09] IdPs MUST support the HTTP-POST binding [SAML2Bind] for the transmission of <samlp:Response> messages.
5.1.2.2 Response Content
[OIO-IDP-10] Successful responses SHOULD NOT be directly signed.
Note: Instead, Assertions are signed (see below).
[OIO-IDP-11] Successful responses MUST contain exactly one SAML <saml:Assertion>, and the assertion MUST contain exactly one <saml:AuthnStatement> sub-element and exactly one <saml:AttributeStatement> sub-element. The <saml:AttributeStatement> sub-element MUST conform to one of the attribute profiles for natural persons or professionals as described in chapter 6, including all mandatory attributes. All other statements MUST NOT be used.
[OIO-IDP-12] The <saml:Assertion> within the response MUST be directly signed by the IdP.
[OIO-IDP-13] Assertions transferred via the user agent MUST be encrypted and transmitted via a <saml:EncryptedAssertion> element. Information intended for the consumption of the SP MUST NOT be further encrypted via <saml:EncryptedID> or <saml:EncryptedAttribute> constructs.
5.1.3 Issuer
[OIO-IDP-14] Assertions MUST contain an <Issuer> element uniquely identifying the IdP. The Format attribute MUST be omitted or have a value of
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
See also section 3.1.3 on EntityIDs.
5.1.4 Subject Identifiers
[OIO-IDP-15] Assertions MUST contain one <saml:Subject> element with a <saml:NameID> element which uniquely represents the Subject within the context of the organization (as represented by the CVR number attribute). The identifier SHOULD be unique over time.
All SAML NameID Format types excluding urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted MAY be used.
[OIO-IDP-16] The <saml:NameID> identifier MUST be generated as a persistent or transient identifier by the IdP according to the preferences specified in SP metadata (see section 4.3.2).
5.1.5 Subject Confirmation
[OIO-IDP-17] The Subject element MUST contain at least one <SubjectConfirmation> element specifying a confirmation method of urn:oasis:names:tc:SAML:2.0:cm:bearer.
The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that has a Recipient attribute containing the Service Provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain a NotBefore attribute, but the receiver is not required to process it.
5.1.6 Audience Restriction
[OIO-IDP-18] The assertion MUST contain an <AudienceRestriction> including the Service Provider's unique identifier as an <Audience>.
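An added example (not text or code from the profile) of what an SP should check once it has decrypted the <saml:EncryptedAssertion> and verified the IdP's signature: the structural rules of sections 5.1.2 to 5.1.6 as one validation routine over the assertion XML. Decryption and XML-Signature verification need an XML-Security library and are assumed to have happened already; the entityIDs, ACS URL, clock-skew tolerance and the sample assertion are constructed for this example.

```python
"""SP-side checks on a decrypted, signature-verified <saml:Assertion> (5.1.2 to 5.1.6).

Added example, not text from the OIOSAML profile. Decryption and signature
verification against IdP metadata are assumed done. Encoded here: statement
cardinality (OIO-IDP-11), Issuer format (OIO-IDP-14), NameID (OIO-IDP-15),
bearer SubjectConfirmation with Recipient and NotOnOrAfter (OIO-IDP-17) and
AudienceRestriction (OIO-IDP-18). All identifiers and sample data are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FORMAT_ENCRYPTED = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"
CLOCK_SKEW = timedelta(minutes=5)          # assumed tolerance applied to NotOnOrAfter


def _utc(ts: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2020-03-18T12:05:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_assertion(xml_text: str, idp_entity_id: str, sp_entity_id: str,
                    acs_url: str, now: datetime) -> list:
    """Return the list of rule violations; an empty list means the assertion passes."""
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion":
        return ["root element is not <saml:Assertion>"]
    errs = []

    # OIO-IDP-11: exactly one AuthnStatement and one AttributeStatement, nothing else
    stmts = [c.tag.split("}")[1] for c in a if c.tag.endswith("Statement")]
    if stmts.count("AuthnStatement") != 1:
        errs.append("expected exactly one <saml:AuthnStatement>")
    if stmts.count("AttributeStatement") != 1:
        errs.append("expected exactly one <saml:AttributeStatement>")
    errs += [f"statement not allowed: {s}" for s in set(stmts) - {"AuthnStatement", "AttributeStatement"}]

    # OIO-IDP-14: Issuer is the expected IdP; Format omitted or nameid-format:entity
    issuer = a.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != idp_entity_id:
        errs.append("Issuer missing or not the expected IdP entityID")
    elif issuer.get("Format") not in (None, FORMAT_ENTITY):
        errs.append("Issuer Format must be omitted or nameid-format:entity")

    # OIO-IDP-15: a Subject with a NameID that is not of the 'encrypted' format
    subject = a.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if name_id is None or not (name_id.text or "").strip():
        errs.append("Subject/NameID missing")
    elif name_id.get("Format") == FORMAT_ENCRYPTED:
        errs.append("NameID Format 'encrypted' is not allowed")

    # OIO-IDP-17: at least one bearer confirmation; each must name our ACS URL as
    # Recipient and carry an unexpired NotOnOrAfter. NotBefore is optional and ignored.
    confirmations = subject.findall("saml:SubjectConfirmation", NS) if subject is not None else []
    bearers = [sc for sc in confirmations if sc.get("Method") == BEARER]
    if not bearers:
        errs.append("no bearer <saml:SubjectConfirmation>")
    for sc in bearers:
        data = sc.find("saml:SubjectConfirmationData", NS)
        recipient = data.get("Recipient") if data is not None else None
        expiry = data.get("NotOnOrAfter") if data is not None else None
        if recipient != acs_url:
            errs.append(f"Recipient {recipient!r} is not this SP's ACS URL")
        if expiry is None or now >= _utc(expiry) + CLOCK_SKEW:
            errs.append("bearer confirmation has no NotOnOrAfter or has expired")

    # OIO-IDP-18: this SP's entityID must be listed as an <saml:Audience>
    audiences = [x.text.strip() for x in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if sp_entity_id not in audiences:
        errs.append("AudienceRestriction does not name this SP")
    return errs


# Constructed sample (already decrypted; the ds:Signature element is omitted here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1f0" Version="2.0" IssueInstant="2020-03-18T12:00:00Z">
 <saml:Issuer>https://idp.example.dk</saml:Issuer>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f3a9c</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example.dk/saml/acs" NotOnOrAfter="2020-03-18T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2020-03-18T12:00:00Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement><saml:Attribute Name="https://data.gov.dk/model/core/specVersion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>OIO-SAML-3.0</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def run_example():
    """Same assertion checked as intended, as replayed at another SP, and an hour late."""
    idp, sp, acs = "https://idp.example.dk", "https://sp.example.dk", "https://sp.example.dk/saml/acs"
    now = datetime(2020, 3, 18, 12, 3, tzinfo=timezone.utc)
    good = check_assertion(SAMPLE.format(audience=sp), idp, sp, acs, now)
    wrong_sp = check_assertion(SAMPLE.format(audience="https://other-sp.example.dk"), idp, sp, acs, now)
    replayed = check_assertion(SAMPLE.format(audience=sp), idp, sp, acs, now + timedelta(hours=1))
    return good, wrong_sp, replayed
```

The Recipient and Audience checks are what stop an assertion issued for one SP from being accepted at another; the NotOnOrAfter check bounds replay to the delivery window the IdP chose.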
5.1.7 Discovery via common domain
[OIO-IDP-19] IdPs SHOULD support the Identity Provider Discovery Profile described in [SAML2Prof], which enables a Service Provider to discover which Identity Providers a principal is using with the web browser SSO profile.
A cookie SHOULD be written in a domain common between Identity Providers and Service Providers in a deployment. The cookie contains a list of Identity Provider identifiers, and the most recently used IdP SHOULD be at the end of the list.
5.2 Single Logout
[OIO-IDP-20] IdPs MUST support the Single Logout Profile [SAML2Prof], as updated by the Approved Errata [SAML2Err], with behavior, capabilities, and options consistent with the additional constraints specified in this section.
The term "IdP session" is used to refer to the ongoing state between the IdP and its clients allowing for SSO. Support for logout implies supporting termination of a subject's IdP session in response to receiving a <samlp:LogoutRequest> or upon some administrative signal.
Note that this only involves eliminating the browser session and does not extend to an underlying session with a local domain (e.g. Kerberos).
[OIO-IDP-21] IdPs MUST support the propagation of logout signaling to SPs using the HTTP-Redirect and HTTP-POST bindings [SAML2Bind]. The binding selected for a specific SP should be based on the SP capabilities as defined in its metadata.
5.2.1 Requests
5.2.1.1 Binding
[OIO-IDP-22] IdPs MUST support the HTTP-Redirect binding [SAML2Bind] for the receipt of the (initial) <samlp:LogoutRequest> message.
Note that the SOAP binding is not allowed for the initial message, since the IdP would not be able to propagate the request to SPs only supporting front-channel bindings.
5.2.2 Request Content
[OIO-IDP-23] LogoutRequests MUST be signed.
[OIO-IDP-24] The <saml:NameID> element in <samlp:LogoutRequest> messages MUST NOT be encrypted.4
4 Due to interoperability concerns.
5.2.3 Responses
5.2.3.1 Binding
[OIO-IDP-25] The IdP SHOULD respond to requests using the same binding used in the request from the initiating SP.
5.2.3.2 Response Content
[OIO-IDP-26] LogoutResponses MUST be signed (with a mechanism according to the selected Binding).
[OIO-IDP-27] The <samlp:StatusCode> in the response issued by the IdP MUST reflect whether the IdP session was successfully terminated.
5.3 Attribute Query
This chapter specifies an attribute service profile for querying attributes from an Attribute Service (often part of an Identity Provider). It is used in scenarios where a Service Provider, after the initial authentication of the user, needs further information, e.g. in order to grant access to a resource or personalize an application. The attribute query profile can further enhance end-user privacy in scenarios where an SP initially only needs a few attributes during authentication and then later queries for more attributes if the need emerges (instead of getting all attributes that are potentially required up front).
[OIO-IDP-28] An IdP SHOULD offer all its attributes to authorized Service Providers via a SAML <AttributeQuery> interface.
[OIO-IDP-29] The SAML SOAP Binding SHOULD be used for the interface, and the endpoint MUST be protected by TLS 1.2 or higher.
5.3.1 Request Message
[OIO-IDP-30] The request message MUST contain a Consent attribute and an <Issuer> element matching a registered SP. The IdP SHOULD define a policy setting SP obligations regarding collection of end-user consent or other legal basis for requesting attributes.
[OIO-IDP-31] The request message MUST uniquely identify the Subject using an identifier specified by the Attribute Service Provider.
[OIO-IDP-32] The Attribute Service MUST verify that the request message is signed by the SP with a key corresponding to a certificate found in SP metadata.
5.3.2 Response Message
[OIO-IDP-33] A successful response MUST be in the form of an Assertion containing exactly one attribute statement. Naming and encoding of attributes MUST be the same as specified for Web SSO; see chapter 6 for details.
[OIO-IDP-34] A successful response MUST contain an <Issuer> element.
[OIO-IDP-35] A successful response MUST NOT contain an <AuthnStatement> element or an <AuthzDecisionStatement> element.
[OIO-IDP-36] The Assertion in the response MUST be signed by the IdP with a key corresponding to a certificate found in IdP metadata.
5.3.3 Error handling
[OIO-IDP-37] If the IdP cannot identify the Subject stated in the request, it MUST return an error response with a second-level status code set to urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal.
[OIO-IDP-38] The top-level status code SHOULD be set to "Success" if any of the requested attributes can be returned; otherwise it SHOULD be set to urn:oasis:names:tc:SAML:2.0:status:Requester.
If attributes are unknown, a nested status code element SHOULD be included specifying a status code of urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue.
A sequence of <StatusDetail> elements SHOULD further be included, one per unknown attribute, specifying the name of the unknown attribute to the requester.
[OIO-IDP-39] If attributes are requested which the Attribute Service does not want to disclose to the requester according to its attribute release policy, the Attribute Service SHOULD return a second-level status code of urn:oasis:names:tc:SAML:2.0:status:RequestDenied, followed by a sequence of <StatusDetail> elements describing the reason for not disclosing the attribute.
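An added example (not text or code from the profile) that turns the error-handling rules of 5.3.3 into one decision function and renders the resulting <samlp:Status>: UnknownPrincipal for an unidentified subject (OIO-IDP-37), a Success top-level code as soon as anything can be released and Requester otherwise (OIO-IDP-38), InvalidAttrNameOrValue with one StatusDetail per unknown name, and RequestDenied with explanatory StatusDetail elements for attributes the release policy withholds (OIO-IDP-39). The attribute store, release policy and names are constructed; the profile does not say which second-level code wins when unknown and withheld attributes appear in the same query, so reporting the policy denial first is this example's assumption.

```python
"""Status handling for a SAML <AttributeQuery> response, section 5.3.3.

Added example, not part of the OIOSAML profile. The store, policy and the
ordering choice when both RequestDenied and InvalidAttrNameOrValue apply
(denial first) are assumptions of this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
SUCCESS, REQUESTER = STATUS + "Success", STATUS + "Requester"
UNKNOWN_PRINCIPAL = STATUS + "UnknownPrincipal"
INVALID_ATTR = STATUS + "InvalidAttrNameOrValue"
REQUEST_DENIED = STATUS + "RequestDenied"

CVR = "https://data.gov.dk/model/core/eid/professional/cvr"
EMAIL = "https://data.gov.dk/model/core/eid/email"
CPR = "https://data.gov.dk/model/core/eid/cprNumber"


@dataclass
class QueryResult:
    top: str                                        # top-level <samlp:StatusCode>
    second: Optional[str] = None                    # nested <samlp:StatusCode>, if any
    details: list = field(default_factory=list)     # one <samlp:StatusDetail> per entry
    released: dict = field(default_factory=dict)    # attributes that go into the Assertion


def evaluate_query(subject: Optional[dict], requested: list, release_policy: set) -> QueryResult:
    """Apply OIO-IDP-37/38/39 to one <AttributeQuery> from one SP.

    subject: the attribute store's record for the NameID in the query, or None
    when the principal is unknown. release_policy: attribute IDs this SP may receive.
    """
    if subject is None:                                                  # OIO-IDP-37
        return QueryResult(REQUESTER, UNKNOWN_PRINCIPAL)
    unknown = [a for a in requested if a not in subject]
    denied = [a for a in requested if a in subject and a not in release_policy]
    released = {a: subject[a] for a in requested if a in subject and a in release_policy}
    top = SUCCESS if released else REQUESTER                             # OIO-IDP-38
    if denied:                                                           # OIO-IDP-39
        return QueryResult(top, REQUEST_DENIED,
                           [f"{a}: not released to this requester by policy" for a in denied], released)
    if unknown:                                                          # OIO-IDP-38, unknown names
        return QueryResult(top, INVALID_ATTR, list(unknown), released)
    return QueryResult(SUCCESS, None, [], released)


def render_status(result: QueryResult) -> str:
    """Serialise the <samlp:Status> element placed in the <samlp:Response>."""
    ET.register_namespace("samlp", SAMLP)
    status = ET.Element(f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=result.top)
    if result.second:
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=result.second)   # second-level code nests inside
    for text in result.details:
        ET.SubElement(status, f"{{{SAMLP}}}StatusDetail").text = text
    return ET.tostring(status, encoding="unicode")


def run_example():
    """Constructed attribute store and a release policy that withholds the CPR number."""
    store = {CVR: "20301823", EMAIL: "kej@example.dk", CPR: "2702681273"}
    policy = {CVR, EMAIL}
    partial = evaluate_query(store, [CVR, CPR], policy)                  # CVR released, CPR denied
    unknown_attr = evaluate_query(store, ["https://example.dk/attr/does-not-exist"], policy)
    unknown_subject = evaluate_query(None, [CVR], policy)
    return partial, unknown_attr, unknown_subject
```

Note that a denied attribute still yields a Success top-level code when something else could be released; the SP has to look at the nested code and the StatusDetail elements to learn what was withheld and why.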
5.4 Metadata and Trust Management
5.4.1 Support for Multiple Keys
The ability to perform seamless key migration depends upon proper support for consuming and/or leveraging multiple keys at the same time.
[OIO-IDP-40] IdP deployments MUST support multiple signing and encryption certificates in SP metadata and MUST support validation of signatures using a key from any of them.
5.4.2 Metadata Content
[OIO-IDP-41] By virtue of this profile's requirements, an IdP's metadata MUST contain:
• an <md:IDPSSODescriptor> role element
  o at least one <md:SingleSignOnService> endpoint element
  o at least one <md:SingleLogoutService> endpoint element
  o at least one <md:KeyDescriptor> element whose use attribute is set to signing, and
  o at least one <md:KeyDescriptor> element whose use attribute is set to encryption
In addition, an IdP's metadata MUST contain:
• an <md:ContactPerson> element with a contactType of technical and an <md:EmailAddress> element
[OIO-IDP-42] If an IdP offers an AttributeQuery interface it SHOULD declare the offered attributes in metadata via an <AttributeAuthorityDescriptor> element.
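As an added example serving both 4.3.2 and 5.4.2 (not code from the profile or from digst.dk), a check of an entity's metadata against OIO-SP-33 or OIO-IDP-41 depending on the role it declares, together with the part that OIO-SP-31/32 and OIO-IDP-40 require of a consumer: collecting every signing and every encryption certificate rather than just the first, so that a signature is accepted or an assertion decrypted if any one of them works during a key rollover. It uses only the Python standard library. The sample SP metadata, its entityID and URLs are constructed, and the X509Certificate values are placeholders rather than real certificates; a deployment would hand each collected certificate to its XML-Signature and XML-Encryption library.

```python
"""Metadata content checks for OIO-SP-33 (SP) and OIO-IDP-41 (IdP), plus
collection of all signing and encryption certificates for key rollover
(OIO-SP-31/32, OIO-IDP-40).

Added example, not part of the OIOSAML profile. The sample metadata below is
constructed and its certificate values are placeholders, not X.509 data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass
class MetadataReport:
    entity_id: str
    role: str                                            # "SP" or "IdP"
    signing_certs: list = field(default_factory=list)    # try each when verifying a signature
    encryption_certs: list = field(default_factory=list) # try each when decrypting
    violations: list = field(default_factory=list)


def _certs(role_el, use: str) -> list:
    """X509Certificate values of every KeyDescriptor usable for `use`.
    A KeyDescriptor without a use attribute is valid for both uses [SAML2Meta]."""
    out = []
    for kd in role_el.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for c in kd.findall(".//ds:X509Certificate", NS):
                out.append("".join((c.text or "").split()))    # drop base64 line breaks
    return out


def check_metadata(xml_text: str) -> MetadataReport:
    """Report the role, all usable certificates and any deviations from the profile."""
    ed = ET.fromstring(xml_text)
    sp = ed.find("md:SPSSODescriptor", NS)
    idp = ed.find("md:IDPSSODescriptor", NS)
    role_el = sp if sp is not None else idp
    rep = MetadataReport(ed.get("entityID", ""), "SP" if sp is not None else "IdP")
    if role_el is None:
        rep.violations.append("no SPSSODescriptor or IDPSSODescriptor role element")
        return rep
    rep.signing_certs = _certs(role_el, "signing")
    rep.encryption_certs = _certs(role_el, "encryption")
    v = rep.violations
    if not rep.signing_certs:
        v.append("no KeyDescriptor usable for signing")
    if not rep.encryption_certs:
        v.append("no KeyDescriptor usable for encryption")
    if not role_el.findall("md:SingleLogoutService", NS):
        v.append("no SingleLogoutService endpoint")
    if rep.role == "SP":
        if not role_el.findall("md:AssertionConsumerService", NS):
            v.append("no AssertionConsumerService endpoint")
        formats = [f.text.strip() for f in role_el.findall("md:NameIDFormat", NS) if f.text]
        if formats != [PERSISTENT]:
            v.append("exactly one NameIDFormat with the persistent format is required")
    elif not role_el.findall("md:SingleSignOnService", NS):
        v.append("no SingleSignOnService endpoint")
    tech_contact = any(cp.get("contactType") == "technical" and cp.find("md:EmailAddress", NS) is not None
                       for cp in ed.findall("md:ContactPerson", NS))
    if not tech_contact:   # MUST for an IdP (OIO-IDP-41), SHOULD for an SP (OIO-SP-33)
        v.append(("MUST" if rep.role == "IdP" else "SHOULD") + ": technical ContactPerson with EmailAddress missing")
    return rep


# Constructed SP metadata mid-rollover: two signing certificates published at once.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.dk">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-OLD-SIGNING-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-NEW-SIGNING-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-ENCRYPTION-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.dk/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.dk/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>saml-ops@example.dk</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def run_example():
    """The sample as published, and the same metadata with its NameIDFormat removed."""
    ok = check_metadata(SAMPLE_SP)
    broken = check_metadata(SAMPLE_SP.replace("<md:NameIDFormat>" + PERSISTENT + "</md:NameIDFormat>", ""))
    return ok, broken
```

The two signing certificates in the sample are the normal state during a rollover: the SP signs with the new key while the old one is still listed, and an IdP that only loads the first KeyDescriptor will reject every request until the old entry is removed.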
6 Attribute profiles
This local IdP profile only deals with identities representing professional persons and their attributes. Local IdPs are not allowed to authenticate natural persons.
6.1 General requirements
[OIO-AP-01] If an attribute is marked as Mandatory in the tables below, it MUST be present in all Assertions. Identity Providers MAY include additional attributes (e.g. sector-specific attributes).
Only a small subset of the (non-identifying) attributes is Mandatory, in order to comply with the data minimization principle.
[OIO-AP-02] The actual set of attributes in an Assertion SHOULD only contain attributes needed by the SP as specified in the SP metadata. An IdP MAY define policies that restrict which attributes SPs can get, and it MAY ask the end-user for consent and use this for limiting the released attribute set.
[OIO-AP-03] <saml:Attribute> elements MUST contain a NameFormat of urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
This requirement ensures unique, non-conflicting naming of Attributes even in cases involving custom requirements for which no standard Attributes may exist.
[OIO-AP-04] All attribute values SHOULD, if possible, be simple text strings with type xs:string. It is RECOMMENDED that the content of each <saml:AttributeValue> element be limited to a single child text node (i.e. a simple string value) and that multiple values of a <saml:Attribute> be expressed as individual <saml:AttributeValue> elements rather than embedded in a delimited form within a single element.
Note that this refers to <saml:AttributeValue> elements, not <saml:Attribute> elements, and refers to the form of each individual value. It discourages the use of complex XML content models within the value of an Attribute. For this reason, the OIO Basic Privilege Profile base64-encodes complex attribute values.
6.2 Common attributes
This section specifies common attributes shared by subsequent attribute profiles. Note: only the 'professional' profile from OIOSAML 3.0 is supported in this profile, but the structure is kept for easy comparison.
6.2.1 SpecVer attribute
ID: https://data.gov.dk/model/core/specVersion
Description: Specifies the version of the OIOSAML profile specification; the current version is shown in the example below.
Mandatory: Yes
Example: <AttributeValue>OIO-SAML-3.0</AttributeValue>
6.2.2 BootstrapToken attribute (N/A)
6.2.3 Privilege attribute
ID: https://data.gov.dk/model/core/eid/privilegesIntermediate
Description: Contains a base64-encoded value describing privileges assigned to the identity (see the OIO Basic Privilege Profile specification [OIOBPP] for details).
Mandatory: No
Example: <AttributeValue>AK24bWw...</AttributeValue>
Further profiling of the privilege attribute is left to specific deployments.
6.2.4 Level of Assurance attribute
ID: https://data.gov.dk/concept/core/nsis/loa
Description: Contains the overall level of assurance of the authentication as defined by the Danish [NSIS] standard. The allowed values are 'Low', 'Substantial' and 'High'.
Mandatory: Yes
Example: <AttributeValue>Substantial</AttributeValue>
6.2.5 Identity Assurance Level attribute
ID: https://data.gov.dk/concept/core/nsis/ial
Description: Contains the Identity Assurance Level (IAL) as defined by the Danish [NSIS] standard. The allowed values are 'Low', 'Substantial' and 'High'.
Mandatory: No
Example: <AttributeValue>Substantial</AttributeValue>
6.2.6 Authentication Assurance Level attribute
ID: https://data.gov.dk/concept/core/nsis/aal
Description: Contains the Authenticator Assurance Level (AAL) as defined by the Danish [NSIS] standard. The allowed values are 'Low', 'Substantial' and 'High'.
Mandatory: No
Example: <AttributeValue>High</AttributeValue>
6.2.7 Fullname attribute
ID: https://data.gov.dk/model/core/eid/fullName
Description: Contains the full name.
Mandatory: No
Example: <AttributeValue>Knud Erik Jensen</AttributeValue>
6.2.8 Firstname attribute
ID: https://data.gov.dk/model/core/eid/firstName
Description: Contains the first name(s) of the identity. In case the person has multiple first names, one or more of these MUST be present. Middle names are not allowed.
Mandatory: No
Example: <AttributeValue>Knud</AttributeValue>
6.2.9 Lastname attribute
ID: https://data.gov.dk/model/core/eid/lastName
Description: Contains the last name of the identity.
Mandatory: No
Example: <AttributeValue>Jensen</AttributeValue>
6.2.10 Alias attribute
ID: https://data.gov.dk/model/core/eid/alias
Description: Contains an alias of the identity. This attribute can be used as a display name selected by the user as an alternative to the above name attributes.
Mandatory: No
Example: <AttributeValue>Bubber</AttributeValue>
6.2.11 Email attribute
ID: https://data.gov.dk/model/core/eid/email
Description: Contains the email address of the identity. In cases where multiple addresses are known, this attribute can be multi-valued (i.e. using multiple <AttributeValue> elements).
Mandatory: No
Example: <AttributeValue>[email protected]</AttributeValue>
6.2.12 CPR attribute
ID: https://data.gov.dk/model/core/eid/cprNumber
Description: Contains the Danish CPR number represented by 10 digits.
Mandatory: No
Example: <AttributeValue>2702681273</AttributeValue>
6.2.13 Age attribute
ID: https://data.gov.dk/model/core/eid/age
Description: Contains the age represented by an integer.
Mandatory: No
Example: <AttributeValue>38</AttributeValue>
6.2.14 CPR UUID attribute
ID: https://data.gov.dk/model/core/eid/cprUuid
Description: Contains the central UUID for the person defined by the Danish Civil Registration Authority. This identifier is expected to replace the 10-digit CPR number.
Mandatory: No
Example: <AttributeValue>urn:uuid:323e4567-e89b-12d3-a456-426655440000</AttributeValue>
6.3 Natural Person profile (N/A)
Natural person identities are not in scope within this profile.
6.3.1 PID attribute (N/A)
6.4 Professional Person profile
Identities representing professionals are described using the common attributes and the attributes below:
6.4.1 Persistent Identifier attribute (N/A)
ID: https://data.gov.dk/model/core/eid/professional/uuid/persistent
Description: Contains a UUID for the professional identity which is shared across all public sector SPs. The identifier is specific to the professional role and is not related to the associated natural person. The UUID MUST follow RFC 4122. This attribute is the successor to the RID attribute (see below) but is globally unique.
Mandatory: No
Example: <AttributeValue>urn:uuid:323e4567-e89b-12d3-a456-426655440000</AttributeValue>
6.4.2 RID number attribute (N/A)
ID: https://data.gov.dk/model/core/eid/professional/rid
Description: Contains the legacy RID number used in the OCES infrastructure. Note: this attribute is deprecated, and SPs MUST make plans for phasing out any dependencies on it.
Mandatory: No
Example: <AttributeValue>98023728</AttributeValue>
6.4.3 CVR number attribute
Note that a local IdP MUST ONLY authenticate users from organizations which have explicitly approved the IdP to authenticate their users.
ID: https://data.gov.dk/model/core/eid/professional/cvr
Description: Contains the CVR number (8 digits) of the organization related to the authentication context. Note that a professional may be associated with several organizations, but only one organization is allowed per authentication context.5
5 I.e. the SAML Assertion only contains one relation to an organization, the one used in the specific context.
Mandatory: Yes
Example: <AttributeValue>20301823</AttributeValue>
6.4.4 Organization name attribute
ID: https://data.gov.dk/model/core/eid/professional/orgName
Description: Contains the name of the organization related to the authentication context. Note that a professional may be associated with several organizations, but only one organization is allowed per authentication context.
Mandatory: Yes
Example: <AttributeValue>Digitaliseringsstyrelsen</AttributeValue>
6.4.5 Production unit attribute
ID: https://data.gov.dk/model/core/eid/professional/productionUnit
Description: Contains the Production Unit identifier (10 digits) which the professional is associated with within the organization related to the authentication context.
Mandatory: No
Example: <AttributeValue>4234675432</AttributeValue>
6.4.6 SE Number attribute
ID: https://data.gov.dk/model/core/eid/professional/seNumber
Description: Contains the SE number identifier (8 digits) which the professional is associated with within the organization related to the authentication context.
Mandatory: No
Example: <AttributeValue>42346754</AttributeValue>
6.4.7 Authorized to Represent attribute
A local IdP MUST NOT include this attribute in Assertions, and it MUST be rejected by the receiving SP (Identity Broker).
ID: https://data.gov.dk/model/core/eid/professional/authorizedToRepresent
Description: Contains the CVR number(s) of an organization, if the professional is allowed to fully represent the organization with respect to public sector services. In other words, the professional has a strong legal binding to the organization;6 the type of binding will depend on the type of organization. If more organizations can be fully represented, the IdP MAY include multiple <AttributeValue> elements.
Mandatory: No
Example: <AttributeValue>10346754</AttributeValue>
6 This can e.g. be an authorized signatory ('tegningsberettiget') for a company (Danish 'selskab' such as IVS, ApS, A/S, P/S) or a fully responsible participant ('fuldt ansvarlig deltager') in other types of companies such as proprietorships.
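An added example (not text or code from the profile) of the chapter 6 rules applied by a receiving SP or Identity Broker to a <saml:AttributeStatement>: NameFormat uri on every attribute (OIO-AP-03), single text-node values (OIO-AP-04), the Mandatory column of the tables (specVersion, loa, cvr, orgName), the value formats the descriptions state (NSIS levels; 8-digit CVR and SE number; 10-digit CPR and production unit; RFC 4122 urn:uuid), one organization per authentication context (6.4.3 and 6.4.4) and rejection of authorizedToRepresent (6.4.7). The helper names and sample values are constructed; the profile's own example values are reused where the tables give them, and the RID number is not format-checked because the profile states no digit count for it.

```python
"""Checks on a received <saml:AttributeStatement> against the professional
attribute profile of chapter 6.

Added example, not text from the OIOSAML profile. Sample values below are
constructed; the profile's example values are reused where its tables give them.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
CORE = "https://data.gov.dk/model/core/"
EID = CORE + "eid/"
NSIS = "https://data.gov.dk/concept/core/nsis/"
LEVELS = {"Low", "Substantial", "High"}
UUID_URN = re.compile(r"urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}", re.I)


def _digits(n: int):
    """Predicate: the value is exactly n decimal digits."""
    return re.compile(rf"\d{{{n}}}").fullmatch


MANDATORY = {CORE + "specVersion", NSIS + "loa", EID + "professional/cvr", EID + "professional/orgName"}
FORBIDDEN = {EID + "professional/authorizedToRepresent"}             # 6.4.7: SP MUST reject
ONE_VALUE = {EID + "professional/cvr", EID + "professional/orgName"}  # one organization per context
FORMATS = {                                                           # attribute ID -> value predicate
    CORE + "specVersion": lambda v: v == "OIO-SAML-3.0",
    NSIS + "loa": LEVELS.__contains__,
    NSIS + "ial": LEVELS.__contains__,
    NSIS + "aal": LEVELS.__contains__,
    EID + "cprNumber": _digits(10),
    EID + "age": str.isdigit,
    EID + "cprUuid": UUID_URN.fullmatch,
    EID + "professional/uuid/persistent": UUID_URN.fullmatch,
    EID + "professional/cvr": _digits(8),
    EID + "professional/productionUnit": _digits(10),
    EID + "professional/seNumber": _digits(8),
    EID + "professional/authorizedToRepresent": _digits(8),
}


def check_attribute_statement(xml_text: str) -> list:
    """Return the list of violations; an empty list means the statement conforms."""
    stmt = ET.fromstring(xml_text)
    errs, seen = [], {}
    for attr in stmt.findall("saml:Attribute", NS):
        name = attr.get("Name", "")
        if attr.get("NameFormat") != URI_FORMAT:                      # OIO-AP-03
            errs.append(f"{name}: NameFormat must be {URI_FORMAT}")
        if name in FORBIDDEN:
            errs.append(f"{name}: must not be asserted by a local IdP")
        values = []
        for av in attr.findall("saml:AttributeValue", NS):
            if len(av):                                               # OIO-AP-04: no child XML
                errs.append(f"{name}: AttributeValue must be a single text node")
            values.append((av.text or "").strip())
        seen[name] = values
        if name in ONE_VALUE and len(values) != 1:
            errs.append(f"{name}: exactly one value expected (one organization per authentication context)")
        check = FORMATS.get(name)
        for v in values:
            if check and not check(v):
                errs.append(f"{name}: value {v!r} has the wrong format")
    for m in sorted(MANDATORY - set(seen)):                            # OIO-AP-01
        errs.append(f"{m}: mandatory attribute missing")
    return errs


def _attr(name: str, *values: str) -> str:
    """Build one conformant <saml:Attribute> for the constructed samples."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}" NameFormat="{URI_FORMAT}">{vals}</saml:Attribute>'


def run_example():
    """A conforming statement and one breaking four rules at once."""
    head, tail = '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">', "</saml:AttributeStatement>"
    good = head + "".join([
        _attr(CORE + "specVersion", "OIO-SAML-3.0"),
        _attr(NSIS + "loa", "Substantial"),
        _attr(EID + "professional/cvr", "20301823"),
        _attr(EID + "professional/orgName", "Digitaliseringsstyrelsen"),
        _attr(EID + "email", "kej@example.dk", "knud@example.dk"),       # multi-valued is allowed
    ]) + tail
    bad = head + "".join([
        _attr(CORE + "specVersion", "OIO-SAML-3.0"),
        _attr(NSIS + "loa", "Medium"),                                   # not an NSIS level
        _attr(EID + "professional/cvr", "2030182"),                      # 7 digits
        _attr(EID + "professional/authorizedToRepresent", "10346754"),   # forbidden for a local IdP
    ]) + tail                                                            # and orgName is missing
    return check_attribute_statement(good), check_attribute_statement(bad)
```

Running the check before any authorization decision is what keeps a local IdP from smuggling in a broader legal mandate (authorizedToRepresent) or a second organization than the one authentication context the profile permits.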
7 References
• [eIDAS] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
• [REF-ARK] Common public-sector reference architecture for user management (Fællesoffentlig referencearkitektur for brugerstyring). https://arkitektur.digst.dk/rammearkitektur/referencearkitekturer/referencearkitektur-brugerstyring
• [NSIS] National Standard for Identity Assurance Levels (National Standard for Identiteters Sikringsniveauer), version 2.0.1. https://digst.dk/it-loesninger/nemlog-in/det-kommende-nemlog-in/vejledninger-og-standarder/nsis-standarden/
• [OIOBPP] OIO Basic Privilege Profile. https://www.digitaliser.dk/resource/2377872
• [OIOIDWS] OIO Identity Based Web Services. https://www.digitaliser.dk/resource/3457606
• [RFC2119] IETF RFC 2119, Key words for use in RFCs to Indicate Requirement Levels, March 1997. http://www.ietf.org/rfc/rfc2119.txt
• [RFC8174] IETF RFC 8174, Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words, May 2017. http://www.ietf.org/rfc/rfc8174.txt
• [RFC4051] IETF RFC 4051, Additional XML Security Uniform Resource Identifiers, April 2005. https://www.ietf.org/rfc/rfc4051.txt
• [SAML2Core] OASIS Standard, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
• [SAML2Bind] OASIS Standard, Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
• [SAML2Int] SAML V2.0 Deployment Profile for Federation Interoperability. Kantara Initiative, https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
• [SAML2Prof] OASIS Standard, Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
• [SAML2Meta] OASIS Standard, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
• [X500SAMLattr] OASIS Committee Specification, SAML V2.0 X.500/LDAP Attribute Profile, March 2008. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-x500-cs-01.pdf
• [SAML2MDIOP] OASIS Committee Specification, SAML V2.0 Metadata Interoperability Profile Version 1.0, August 2009. http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop.pdf
• [IdPDisco] OASIS Committee Specification, Identity Provider Discovery Service Protocol and Profile, March 2008. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
• [SAML2Err] OASIS Approved Errata, SAML Version 2.0 Errata 05, May 2012. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf
• [XMLEnc] D. Eastlake et al. XML Encryption Syntax and Processing. W3C Recommendation, April 2013. https://www.w3.org/TR/xmlenc-core1/
• [XMLSig] D. Eastlake et al. XML-Signature Syntax and Processing, Version 1.1. W3C Recommendation, April 2013. https://www.w3.org/TR/xmldsig-core1/
• [SAML2ASLO] OASIS Committee Specification, SAML V2.0 Asynchronous Single Logout Profile Extension Version 1.0, November 2012. http://docs.oasis-open.org/security/saml/Post2.0/saml-async-slo/v1.0/cs01/saml-async-slo-v1.0-cs01.pdf
• [MetaUI] OASIS Committee Specification, SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0, April 2012. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/cs01/sstc-saml-metadata-ui-v1.0-cs01.pdf
• [MetaAttr] OASIS Committee Specification, SAML V2.0 Metadata Extension for Entity Attributes Version 1.0, August 2009. http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cs-01.pdf