


security-services message


Subject: FYI: ICAM publishes SAML 2.0 Web Browser Single Sign-on (SSO) Profile

-- Federal Identity, Credential, and Access Management (ICAM) --
The Identity, Credential and Access Management Subcommittee,
often referred to as ICAM is co-chaired by GSA and DoD and
is tasked with aligning the Identity Management activities
of government...

ICAM now publishes:

Security Assertion Markup Language (SAML) 2.0 Web Browser Single
Sign-on (SSO) Profile
Version 1.0. September 27, 2010. 35 pages.
Edited by Terry McBride, Matt Tebo, John Bradley, Dave Silver

Executive Summary

Security Assertion Markup Language (SAML) 2.0 Profile as
described in this document has been adopted by Federal
Identity, Credential, and Access Management (ICAM) for
the purpose of Level of Assurance (LOA) 1, 2, and 3
identity authentication, as well as holder-of-key
assertions for binding keys or other attributes to an
identity at LOA 4.

Proper use of this Profile ensures that implementations:
(1) Meet Federal standards, regulations, and laws; (2)
Minimize risk to the Federal government; (3) Maximize
interoperability; (4) Provide end users (e.g., citizens)
with a consistent context or user experience at a Federal
Government site.

This Profile is a deployment profile based on the OASIS
SAML 2.0 specifications and the Liberty Alliance eGov
Profile v.1.5. This Profile relies on the 'SAML 2.0 Web
Browser SSO Profile' to facilitate end user authentication.
This Profile does not alter these standards, but rather
specifies deployment options and requirements to ensure
technical interoperability with Federal government
applications. Where this Profile does not explicitly
provide guidance, the standards upon which this Profile
is based take precedence. In addition, this Profile
recognizes the Liberty Alliance eGov Profile conformance
requirements, and to the extent possible reconciles them
with other SAML 2.0 Profiles.

The objective of this document is to define the ICAM SAML
2.0 Web Browser SSO Profile so that persons deploying,
managing, or supporting an application based upon it can
fully understand its use in ICAM transaction flows. In
general, the SAML 2.0 protocol facilitates exchange of SAML
messages (requests and/or responses) between endpoints. For
this Profile, messages pertain primarily to the exchange of
an identity assertion that includes authentication and
attribute information. Message support for additional
features is also available. In ICAM, the endpoints are
typically the Relying Party (RP) and the Identity Provider

SAML 2.0 Profile defined herein includes the following
features: single sign-on, session reset, and attribute
exchange. In addition, this Profile defines two main SAML 2.0
use cases: the end user starting at the RP, and the end user
starting at the IdP. Use case diagrams and sequence diagrams
are provided to illustrate the use cases. Privacy, security,
and end user activation are also discussed. Programmed trust
(a mechanism to indicate to RPs which IdPs are approved for
use within ICAM) is also discussed, and a high-level process
flow diagram is provided to illustrate the concept. The
Profile concludes with detailed technical guidance that
scopes SAML 2.0 Web Browser SSO for ICAM purposes. Like most
specifications, SAML 2.0 provides options. Where necessary,
ICAM specifies or removes options in order to enhance security,
privacy, and interoperability. The Technical Profile section
addresses the authentication request and response, metadata,
and transaction security.

Robin Cover
WWW:  http://xml.coverpages.org
Tel: +1 (972) 296-1783
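The summary above describes the RP-initiated Web Browser SSO use case (end user starts at the RP), the authentication request/response exchange, and "programmed trust" (the RP only accepts assertions from approved IdPs). The following Python sketch is an added illustration of that RP-side flow; it is not code from the ICAM profile, from OASIS, or from Robin Cover's message. All entity IDs, URLs, and the NameID value are hypothetical, the IdP Response is constructed locally and unsigned, and XML-Signature verification (which the profile's transaction security requirements make mandatory and which must run before any of these checks) is deliberately left to a DSig library. It goes a little beyond the summary by exercising the rejections an RP must perform: replayed request ID, wrong audience, expired assertion, untrusted issuer.

```python
"""RP side of SAML 2.0 Web Browser SSO (added example, hypothetical endpoints):
mint an AuthnRequest, encode it for the HTTP-Redirect binding, vet the Response.
Parse real input with defusedxml; signature verification is not shown here."""
import base64, secrets, zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP); ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
RP_ENTITY_ID = "https://rp.example.gov/saml/metadata"    # hypothetical RP
RP_ACS_URL = "https://rp.example.gov/saml/acs"
IDP_ENTITY_ID = "https://idp.example.gov/saml/metadata"  # hypothetical IdP
IDP_SSO_URL = "https://idp.example.gov/saml/sso"
TRUSTED_IDPS = {IDP_ENTITY_ID}  # "programmed trust": only approved IdPs are accepted
SKEW = timedelta(seconds=60)    # tolerated clock drift between RP and IdP

def fmt(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(now):
    """RP-initiated use case: mint an unguessable request ID that the RP remembers."""
    rid = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": rid, "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": RP_ACS_URL})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = RP_ENTITY_ID
    return rid, ET.tostring(req, encoding="unicode")

def redirect_query(xml_str, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = c.compress(xml_str.encode()) + c.flush()
    return urlencode({"SAMLRequest": base64.b64encode(data).decode(), "RelayState": relay_state})

def build_response(request_id, now, audience=RP_ENTITY_ID, issuer=IDP_ENTITY_ID):
    """Constructed, unsigned IdP Response used only to exercise the RP-side checks."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": RP_ACS_URL, "InResponseTo": request_id})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = "user-12345"  # constructed identifier
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", {
        "Recipient": RP_ACS_URL, "InResponseTo": request_id,
        "NotOnOrAfter": fmt(now + timedelta(minutes=5))})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": fmt(now), "NotOnOrAfter": fmt(now + timedelta(minutes=5))})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    return ET.tostring(resp, encoding="unicode")

def validate_response(xml_str, outstanding, now):
    """Checks that follow XML-Signature verification. Returns (ok, reason, name_id);
    a consumed request ID is removed from `outstanding` so the Response cannot be replayed."""
    r = ET.fromstring(xml_str)
    if r.tag != f"{{{SAMLP}}}Response": return False, "not a samlp:Response", None
    if r.get("Destination") != RP_ACS_URL: return False, "Destination mismatch", None
    issuer = r.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS: return False, "untrusted IdP", None
    irt = r.get("InResponseTo")
    if irt not in outstanding: return False, "unsolicited or replayed InResponseTo", None
    sc = r.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != SUCCESS: return False, "status not Success", None
    assertions = r.findall("saml:Assertion", NS)
    if len(assertions) != 1: return False, "expected exactly one Assertion", None
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != issuer: return False, "assertion issuer mismatch", None
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse(cond.get("NotBefore")) - SKEW <= now < parse(cond.get("NotOnOrAfter")) + SKEW):
        return False, "assertion outside validity window", None
    if RP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "audience mismatch", None
    confirmed = False  # bearer confirmation must name our ACS, our request, and still be valid
    for c in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        d = c.find("saml:SubjectConfirmationData", NS)
        if (c.get("Method") == BEARER and d is not None and d.get("Recipient") == RP_ACS_URL
                and d.get("InResponseTo") == irt and now < parse(d.get("NotOnOrAfter")) + SKEW):
            confirmed = True
    if not confirmed: return False, "no acceptable bearer SubjectConfirmation", None
    outstanding.discard(irt)
    return True, "ok", a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def run_exchange(now=None):
    """One RP-initiated round trip, then the responses the RP must reject."""
    now = now or datetime(2010, 9, 27, 12, 0, tzinfo=timezone.utc)
    rid, req_xml = build_authn_request(now)
    results = {"query_ok": redirect_query(req_xml, "/protected/page").startswith("SAMLRequest=")}
    pending = {rid}
    results["first"] = validate_response(build_response(rid, now), pending, now + timedelta(seconds=30))
    results["replay"] = validate_response(build_response(rid, now), pending, now + timedelta(seconds=30))
    results["wrong_audience"] = validate_response(build_response(rid, now, audience="https://other.example.gov"), {rid}, now)
    results["expired"] = validate_response(build_response(rid, now), {rid}, now + timedelta(minutes=10))
    results["untrusted"] = validate_response(build_response(rid, now, issuer="https://rogue.example.net"), {rid}, now)
    return results
```

The order of checks matters in practice: the trusted-issuer and InResponseTo checks are cheap and come before anything that depends on assertion contents, and the request ID is discarded only after every check passes, so a rejected Response does not burn the pending login. In a deployed RP the set of trusted IdPs and their signing keys comes from the metadata the profile's Technical Profile section covers, not from a hard-coded set as here.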
