Subject: FYI: ICAM publishes SAML 2.0 Web Browser Single Sign-on (SSO) Profile
Federal Identity, Credential, and Access Management (ICAM)

The Identity, Credential and Access Management Subcommittee, often referred to as ICAM, is co-chaired by GSA and DoD and is tasked with aligning the Identity Management activities of government...
http://www.idmanagement.gov/drilldown.cfm?action=icam

ICAM now publishes:

Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile Version 1.0. September 27, 2010. 35 pages. Edited by Terry McBride, Matt Tebo, John Bradley, Dave Silver.
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Executive Summary

Security Assertion Markup Language (SAML) 2.0 Profile as described in this document has been adopted by Federal Identity, Credential, and Access Management (ICAM) for the purpose of Level of Assurance (LOA) 1, 2, and 3 identity authentication, as well as holder-of-key assertions for binding keys or other attributes to an identity at LOA 4. Proper use of this Profile ensures that implementations:

(1) Meet Federal standards, regulations, and laws;
(2) Minimize risk to the Federal government;
(3) Maximize interoperability;
(4) Provide end users (e.g., citizens) with a consistent context or user experience at a Federal Government site.

This Profile is a deployment profile based on the OASIS SAML 2.0 specifications and the Liberty Alliance eGov Profile v.1.5. This Profile relies on the 'SAML 2.0 Web Browser SSO Profile' to facilitate end user authentication. This Profile does not alter these standards, but rather specifies deployment options and requirements to ensure technical interoperability with Federal government applications. Where this Profile does not explicitly provide guidance, the standards upon which this Profile is based take precedence. In addition, this Profile recognizes the Liberty Alliance eGov Profile conformance requirements, and to the extent possible reconciles them with other SAML 2.0 Profiles.

The objective of this document is to define the ICAM SAML 2.0 Web Browser SSO Profile so that persons deploying, managing, or supporting an application based upon it can fully understand its use in ICAM transaction flows. In general, the SAML 2.0 protocol facilitates exchange of SAML messages (requests and/or responses) between endpoints. For this Profile, messages pertain primarily to the exchange of an identity assertion that includes authentication and attribute information. Message support for additional features is also available. In ICAM, the endpoints are typically the Relying Party (RP) and the Identity Provider (IdP). SAML 2.0 Profile defined herein includes the following features: single sign-on, session reset, and attribute exchange. In addition, this Profile defines two main SAML 2.0 use cases: the end user starting at the RP, and the end user starting at the IdP. Use case diagrams and sequence diagrams are provided to illustrate the use cases. Privacy, security, and end user activation are also discussed. Programmed trust (a mechanism to indicate to RPs which IdPs are approved for use within ICAM) is also discussed, and a high-level process flow diagram is provided to illustrate the concept. The Profile concludes with detailed technical guidance that scopes SAML 2.0 Web Browser SSO for ICAM purposes. Like most specifications, SAML 2.0 provides options. Where necessary, ICAM specifies or removes options in order to enhance security, privacy, and interoperability. The Technical Profile section addresses the authentication request and response, metadata, and transaction security.

-- 
Robin Cover
WWW: http://xml.coverpages.org
Tel: +1 (972) 296-1783
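The summary above names the two endpoints of the Web Browser SSO exchange (RP and IdP), the RP-initiated use case, and the authentication request/response pair that the Technical Profile governs. The following Python example, added here and not taken from the ICAM Profile or from the original post, walks that RP-initiated use case: the RP issues an AuthnRequest, receives a Response carrying one assertion, and applies the checks a relying party makes before trusting the asserted identity (status, InResponseTo, issuer, validity window, audience restriction). Element and attribute names follow the OASIS SAML 2.0 protocol and assertion schemas; the entity IDs, the subject, and the sample messages are constructed for illustration. XML signature verification is deliberately out of scope and must be done with a proper XML-DSig library against the IdP's metadata key before any of these checks are meaningful.

```python
"""Added example (not from the ICAM Profile): RP-side handling of a SAML 2.0
Web Browser SSO exchange. Entity IDs and messages are constructed samples."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed entity IDs for the two endpoints (constructed, not from the Profile).
RP_ENTITY_ID = "https://rp.example.gov/sp"
IDP_ENTITY_ID = "https://idp.example.gov/idp"


def saml_time(dt):
    """Format a UTC datetime in the xs:dateTime form SAML messages carry."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now):
    """Use case 1 (end user starts at the RP): the RP issues an AuthnRequest
    and must remember its ID so the later Response can be tied back to it."""
    request_id = "_" + uuid.uuid4().hex
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(now)}">'
        f"<saml:Issuer>{RP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    return request_id, xml


def sample_response(in_response_to, now, audience=RP_ENTITY_ID,
                    issuer=IDP_ENTITY_ID, validity=timedelta(minutes=5)):
    """Constructed IdP Response carrying one authentication assertion (unsigned)."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{saml_time(now)}" '
        f'InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" '
        f'IssueInstant="{saml_time(now)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.gov</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{saml_time(now - timedelta(seconds=30))}" '
        f'NotOnOrAfter="{saml_time(now + validity)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion></samlp:Response>"
    )


def validate_response(response_xml, expected_request_id, now, skew=timedelta(seconds=60)):
    """Checks the RP applies before trusting the asserted identity.
    Returns (accepted, reason, name_id). Signature verification is NOT done
    here; a real RP verifies the XML-DSig against the IdP metadata key first."""
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return False, "not a samlp:Response", None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False, "IdP did not report success", None
    # Tie the Response to a request this RP actually sent (rejects replayed
    # or unsolicited responses in the RP-initiated use case).
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:  # programmed trust: only an approved IdP may assert
        return False, f"assertion issued by untrusted IdP {issuer!r}", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions", None
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_saml_time(nb):
        return False, "assertion not yet valid", None
    if noa and now - skew >= parse_saml_time(noa):
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if RP_ENTITY_ID not in audiences:
        return False, "assertion not intended for this RP", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no subject NameID", None
    return True, "ok", name_id


def demo(now=datetime(2010, 9, 27, 12, 0, tzinfo=timezone.utc)):
    """Runs the happy path plus several responses an RP must reject."""
    req_id, _request_xml = build_authn_request(now)
    good = sample_response(req_id, now)
    return {
        "accepted": validate_response(good, req_id, now),
        "wrong_request": validate_response(sample_response("_other", now), req_id, now),
        "wrong_audience": validate_response(
            sample_response(req_id, now, audience="https://other.example.gov/sp"), req_id, now),
        "wrong_issuer": validate_response(
            sample_response(req_id, now, issuer="https://rogue.example.net/idp"), req_id, now),
        "expired": validate_response(good, req_id, now + timedelta(minutes=10)),
        "too_early": validate_response(good, req_id, now - timedelta(minutes=5)),
    }


if __name__ == "__main__":
    for name, (ok, reason, subject) in demo().items():
        print(f"{name:15s} accepted={ok!s:5s} reason={reason} subject={subject}")
```

The order of checks matters for a defender: the response is bound to an outstanding request and to a trusted issuer before any identity data is read, and the audience restriction stops an assertion issued for one RP from being accepted at another. Metadata-driven issuer and key configuration, which the Technical Profile covers, is what feeds IDP_ENTITY_ID and the signing key in a real deployment.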