SAML 2.0 Requirements for Service Providers

Document created by RSA Information Design and Development on Apr 14, 2017. Last modified by RSA Information Design and Development on Oct 20, 2017. Version 6.

The following tables list the SAML 2.0 elements and attributes that are supported or required for service providers that use the Cloud Authentication Service as the IdP to manage authentication, and the elements the Cloud Authentication Service provides in return. Provide this information to your application administrators.

AuthnRequest

<AuthnRequest> attribute or element Status and supported values
----------------------------------- -----------------------------------------------------------
ID                                  Required
Version                             Required. Value: 2.0
IssueInstant                        Required
Destination                         Optional
Consent                             Not supported. Ignored.
ForceAuthn                          Optional. Value: false
IsPassive                           Optional. Value: false
AssertionConsumerServiceIndex       Not supported. Do not include.
AssertionConsumerServiceURL         Optional
ProtocolBinding                     Optional. Values:
                                      urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                      urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
AttributeConsumingServiceIndex      Not supported. Do not include.
ProviderName                        Not supported. Ignored.
<saml:Issuer>                       Required
  NameQualifier                     Not supported. Do not include.
  SPNameQualifier                   Not supported. Do not include.
  Format                            Optional. Values:
                                      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                                      urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  SPProvidedID                      Not supported. Do not include.
<ds:Signature>                      Optional
<samlp:Extensions>                  Not supported. Do not include.
<saml:Subject>                      Required if the service provider manages primary
                                    authentication, and RSA SecurID Access manages additional
                                    authentication. Optional if RSA SecurID Access manages all
                                    authentication.
  <saml:NameID>                     Required
    NameQualifier                   Not supported. Do not include.
    SPNameQualifier                 Not supported. Do not include.
    Format                          Optional. Values:
                                      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                                      urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    SPProvidedID                    Not supported. Do not include.
  <saml:SubjectConfirmation>        Not supported. Do not include.
<samlp:NameIDPolicy>                Optional
  Format                            Optional. Values:
                                      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                                      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  SPNameQualifier                   Not supported. Do not include.
  AllowCreate                       Not supported. Do not include.
<saml:Conditions>                   Optional
  NotBefore                         Optional
  NotOnOrAfter                      Optional
  <saml:Condition>                  Not supported. Do not include.
<samlp:RequestedAuthnContext>       Optional
  Comparison                        Optional. Value: exact
  <saml:AuthnContextClassRef>       Required. Values:
                                      urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                                      urn:rsa:names:tc:SAML:2.0:ac:classes:spec:<primary_auth>:<policy_name>
                                    • <primary_auth> values: may be omitted, primary, or stepup
                                    • <policy_name> values: the exact name (including case
                                      sensitivity) of the policy specified in the Cloud
                                      Administration Console
                                    Examples:
                                      urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:LowAssurancePolicy
                                      urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:HighAssurancePolicy
                                      urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:
                                      urn:rsa:names:tc:SAML:2.0:ac:classes:spec::MediumAssurancePolicy
                                      urn:rsa:names:tc:SAML:2.0:ac:classes:spec::
<samlp:Scoping>                     Not supported. Do not include.
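As an added example (this is not RSA's code), the following Python lint checks an SP-generated AuthnRequest against the table above and splits the RSA-specific AuthnContextClassRef URN into its <primary_auth> and <policy_name> parts; the sample request, its ID and the SP entityID are constructed values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMLP = "{%s}" % NS["samlp"]
RSA_SPEC_PREFIX = "urn:rsa:names:tc:SAML:2.0:ac:classes:spec:"
OASIS_CLASSES = {"urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
                 "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}
# Attributes and children the table marks "Not supported. Do not include."
UNSUPPORTED_ATTRS = {"AssertionConsumerServiceIndex", "AttributeConsumingServiceIndex"}
UNSUPPORTED_CHILDREN = {SAMLP + "Extensions", SAMLP + "Scoping"}
# Constructed sample request (hypothetical request ID and SP entityID), not from the page.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2017-10-20T12:00:00Z" ForceAuthn="false" IsPassive="false">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>
    urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:HighAssurancePolicy
  </saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>"""

def parse_rsa_authn_context(uri):
    """Split an RSA spec class ref into (primary_auth, policy_name); None for OASIS classes."""
    if uri in OASIS_CLASSES:
        return None
    if not uri.startswith(RSA_SPEC_PREFIX):
        raise ValueError("unsupported AuthnContextClassRef: " + uri)
    primary_auth, _, policy_name = uri[len(RSA_SPEC_PREFIX):].partition(":")
    if primary_auth not in ("", "primary", "stepup"):
        raise ValueError("<primary_auth> must be omitted, primary, or stepup")
    return primary_auth or None, policy_name or None  # empty segments occur in the examples

def lint_authn_request(xml_text):
    """Return findings against the table above; an empty list means the request conforms."""
    root = ET.fromstring(xml_text)
    findings = ["missing required attribute " + a
                for a in ("ID", "Version", "IssueInstant") if a not in root.attrib]
    if root.get("Version", "2.0") != "2.0":
        findings.append("Version must be 2.0")
    findings += [a + " must be false when present"
                 for a in ("ForceAuthn", "IsPassive") if root.get(a, "false") != "false"]
    findings += [a + " is not supported: do not include"
                 for a in sorted(UNSUPPORTED_ATTRS & set(root.attrib))]
    findings += [c.tag.split("}")[1] + " is not supported: do not include"
                 for c in root if c.tag in UNSUPPORTED_CHILDREN]
    for ref in root.iterfind("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS):
        try:
            parse_rsa_authn_context((ref.text or "").strip())
        except ValueError as exc:
            findings.append(str(exc))
    return findings
```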

Response

<Response> attribute or element     Status and supported values
----------------------------------- -----------------------------------------------------------
ID                                  Provided
InResponseTo                        Provided
Version                             Provided. Value: 2.0
IssueInstant                        Provided
Destination                         Provided
Consent                             Not provided
<saml:Issuer>                       Provided
  NameQualifier                     Not provided
  SPNameQualifier                   Not provided
  Format                            Provided. Value: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  SPProvidedID                      Not provided
<ds:Signature>                      Not provided
<samlp:Extensions>                  Not provided
<samlp:Status>                      Provided
  <samlp:StatusCode>                Provided
    Value                           Provided
  <samlp:StatusMessage>             May be provided
  <samlp:StatusDetail>              May be provided
<saml:Assertion>                    May be provided. Value: see the Assertion table.

Assertion

<Assertion> attribute or element    Status and supported values
----------------------------------- -----------------------------------------------------------
ID                                  Provided
Version                             Provided. Value: 2.0
IssueInstant                        Provided
<saml:Issuer>                       Provided
  NameQualifier                     Not provided
  SPNameQualifier                   Not provided
  Format                            Provided. Value: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  SPProvidedID                      Not provided
<ds:Signature>                      Provided
<saml:Subject>                      Provided
  <saml:NameID>                     Provided
    NameQualifier                   Not provided
    SPNameQualifier                 Not provided
    Format                          Provided. Values:
                                      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                                      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    SPProvidedID                    Not provided
  <saml:SubjectConfirmation>        Provided
    Method                          Provided. Value: urn:oasis:names:tc:SAML:2.0:cm:bearer
    <saml:NameID>                   Not provided
    <SubjectConfirmationData>       Provided
      NotBefore                     Not provided
      NotOnOrAfter                  Provided
      Recipient                     Provided
      InResponseTo                  Provided
      Address                       Not provided
<saml:Conditions>                   Provided
  NotBefore                         Provided
  NotOnOrAfter                      Provided
  <saml:AudienceRestriction>        Provided
    <saml:Audience>                 Provided
<saml:Advice>                       Not provided
<saml:AuthnStatement>               Provided
  AuthnInstant                      Provided
  SessionIndex                      Not provided
  SessionNotOnOrAfter               Not provided
  <saml:SubjectLocality>            Not provided
  <saml:AuthnContext>               Provided
    <saml:AuthnContextClassRef>     Provided. Values:
                                      urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
                                      urn:rsa:names:tc:SAML:2.0:ac:classes:spec:<primary_auth>:<policy_name>
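As an added example (not RSA's code), the following Python function performs the checks a service provider should make on the values the table above says are provided in a bearer assertion: InResponseTo against the outstanding AuthnRequest ID, Recipient against the ACS URL, SubjectConfirmationData NotOnOrAfter, the Conditions window and the Audience. The signature is only checked for presence here; the sample assertion, its IDs, URLs and the placeholder signature value are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EPOCH = "1970-01-01T00:00:00Z"  # substituted for a missing timestamp so the check fails closed

# Constructed sample (hypothetical IDs and URLs, placeholder signature value), not from the page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2017-10-20T12:00:05Z">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2017-10-20T12:10:00Z" InResponseTo="_req1"
        Recipient="https://sp.example.com/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2017-10-20T12:00:00Z" NotOnOrAfter="2017-10-20T12:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2017-10-20T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, request_id, acs_url, sp_entity_id, now):
    """Return findings; an empty list means the bearer assertion may be accepted."""
    a = ET.fromstring(xml_text)
    f = []
    # Presence only: verify the signature with an XML-DSig library before trusting anything below.
    if a.find("ds:Signature", NS) is None:
        f.append("assertion is not signed")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if scd is None or sc.get("Method") != BEARER:
        f.append("missing bearer SubjectConfirmation")
    else:
        if scd.get("InResponseTo") != request_id:
            f.append("InResponseTo does not match the outstanding AuthnRequest ID")
        if scd.get("Recipient") != acs_url:
            f.append("Recipient is not this ACS URL")
        if now >= _ts(scd.get("NotOnOrAfter") or EPOCH):
            f.append("SubjectConfirmationData has expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        f.append("missing Conditions")
    elif now < _ts(cond.get("NotBefore") or EPOCH) or now >= _ts(cond.get("NotOnOrAfter") or EPOCH):
        f.append("outside Conditions validity window")
    audiences = [x.text for x in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        f.append("Audience does not include this SP entityID")
    return f
```

Because the Response table shows no signature on the Response itself, the assertion signature is the one to verify cryptographically before these checks are relied on.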

SP Metadata

<md:EntityDescriptor> attribute or element  Status and supported values
------------------------------------------- --------------------------------------------------
ID                                          Optional
entityID                                    Required
validUntil                                  Optional
cacheDuration                               Not supported. Ignored.
<ds:Signature>                              Not supported. Ignored.
<md:Extensions>                             Not supported. Ignored.
<md:SPSSODescriptor>                        Optional
  ID                                        Optional
  validUntil                                Optional
  cacheDuration                             Not supported. Ignored.
  protocolSupportEnumeration                Not supported. Ignored.
  errorURL                                  Not supported. Ignored.
  AuthnRequestsSigned                       Optional. Value: true/false
  WantAssertionsSigned                      Optional. Value: true/false
  <ds:Signature>                            Not supported. Ignored.
  <md:Extensions>                           Not supported. Ignored.
  <md:KeyDescriptor>                        Optional
    <md:KeyTypes>                           Required. Value: signing
    <ds:KeyInfo>                            Required
      <ds:KeyName>                          Required
      <ds:X509Data>                         Required. Values:
                                              <ds:X509SubjectName>
                                              <ds:X509Certificate>
    <md:EncryptionMethod>                   Not supported. Ignored.
  <md:Organization>                         Not supported. Ignored.
  <md:ContactPerson>                        Not supported. Ignored.
  <md:ArtifactResolutionService>            Not supported. Ignored.
  <md:SingleLogoutService>                  Not supported. Ignored.
  <md:ManageNameIDService>                  Not supported. Ignored.
  <md:NameIDFormat>                         Not supported. Ignored.
  <md:AssertionConsumerService>             Optional
    Binding                                 Optional
    Location                                Optional
    ResponseLocation                        Optional
    index                                   Not supported. Ignored.
    isDefault                               Optional. Value: true
  <md:AttributeConsumingService>            Not supported. Ignored.
    <md:RequestedAttribute>                 Not supported. Ignored.
<md:Organization>                           Not supported. Ignored.
<md:ContactPerson>                          Not supported. Ignored.
<md:AdditionalMetadataLocation>             Not supported. Ignored.

IdP Metadata

<md:EntityDescriptor> attribute or element  Status and supported values
------------------------------------------- --------------------------------------------------
ID                                          Provided
entityID                                    Provided
validUntil                                  Not provided
cacheDuration                               Not provided
<ds:Signature>                              Provided
<md:Extensions>                             Not provided
<md:IDPSSODescriptor>                       Provided
  ID                                        Optional
  validUntil                                Not provided
  cacheDuration                             Not provided
  protocolSupportEnumeration                Provided. Value: urn:oasis:names:tc:SAML:2.0:protocol
  errorURL                                  Not provided
  WantAuthnRequestsSigned                   Provided. Value: true/false
  <ds:Signature>                            Not provided
  <md:Extensions>                           Not provided
  <md:KeyDescriptor>                        Provided
    use                                     Provided. Value: signing
    <ds:KeyInfo>                            Provided
      <ds:KeyName>                          Provided
      <ds:X509Data>                         Provided. Values:
                                              <ds:X509SubjectName>
                                              <ds:X509Certificate>
    <md:EncryptionMethod>                   Not provided
  <md:Organization>                         May be provided
    <md:OrganizationName>                   May be provided
    <md:OrganizationDisplayName>            May be provided
    <md:OrganizationURL>                    May be provided
    <md:Extensions>                         Not provided
  <md:ContactPerson>                        May be provided
    contactType                             Provided. Value: Other
    <md:Company>                            Not provided
    <md:GivenName>                          May be provided
    <md:SurName>                            May be provided
    <md:EmailAddress>                       May be provided
    <md:TelephoneNumber>                    May be provided
    <md:Extensions>                         Not provided
  <md:ArtifactResolutionService>            Not provided
  <md:SingleLogoutService>                  Provided
    Binding                                 Provided. Values:
                                              urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                              urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Location                                Provided
    ResponseLocation                        Not provided
  <md:ManageNameIDService>                  Not provided
  <md:NameIDFormat>                         Not supported. Ignored.
  <md:AssertionConsumerService>             Not provided
  <md:AttributeConsumingService>            Not provided
    <md:RequestedAttribute>                 Not provided
<md:Organization>                           Not provided
<md:ContactPerson>                          Not provided
<md:AdditionalMetadataLocation>             Not provided