SAML 2.0 Requirements for Service Providers - AuthnRequest

The following tables outline the supported SAML 2.0 elements required for service providers using the Cloud Access Service (CAS) as an IdP to manage authentication. Provide this information to your application administrators.

AuthnRequest

Each entry below names an <AuthnRequest> attribute or element, followed by its status and supported values. Attributes are listed, indented, under the element they belong to.

ID
    Required.

Version
    Required. Value: 2.0

IssueInstant
    Required.

Destination
    Optional.

Consent
    Not supported. Ignored.

ForceAuthn
    Optional. Default value: false

IsPassive
    Optional. Default value: false

ProtocolBinding
    Optional. Values:
      • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
      • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

AssertionConsumerServiceIndex
    Supported.

AssertionConsumerServiceURL
    Optional.

AttributeConsumingServiceIndex
    Not supported. Do not include.

ProviderName
    Not supported. Ignored.

<saml:Issuer>
    Required.
    Format
        Optional. Values:
          • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    SPProvidedID
        Not supported. Do not include.

<ds:Signature>
    Optional.

<samlp:Extensions>
    Not supported. Do not include.

<saml:Subject>
      • Required if the service provider manages primary authentication, and RSA Authenticator manages additional authentication.
      • Optional if the IdP manages all authentication.
    Format
        Optional. Values:
          • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    SPProvidedID
        Not supported. Do not include.

<saml:SubjectConfirmation>
    Not supported. Do not include.

<saml:NameID>
    Optional. Values:
      • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
      • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    Format
        Optional. Values:
          • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    SPProvidedID
        Not supported. Do not include.

<samlp:NameIDPolicy>
    Optional. Values:
      • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
      • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    Format
        Optional. Values:
          • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    SPNameQualifier
        Not supported. Must be omitted.
    AllowCreate
        Not supported. Do not include.

<saml:Conditions>
    Optional.
    NotBefore
        Optional.
    NotOnOrAfter
        Optional.

<saml:Condition>
    Not supported. Do not include.

<samlp:RequestedAuthnContext>
    Optional. In a future release, RSA will require all requests that use this attribute to be signed.
    Comparison
        Optional. Value: exact

<saml:AuthnContextClassRef>
    Required. Only a single entry is supported.
    Allowed values:
      • urn:oasis:names:tc:SAML:2.0:ac:classes:Password
      • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      • urn:rsa:names:tc:SAML:2.0:ac:classes:level:<level>
      • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:<primary_auth>:<policy_name>
        • <primary_auth> values (optional):
          • primary: Perform primary and additional authentication. The primary authentication method must be configured for the service provider.
          • stepup: No primary authentication. Perform only additional authentication.
          • May be omitted: Meaning varies per use case. For more information, see SAML 2.0 Requirements for Service Providers - AuthnRequest.
          • password: Perform password primary authentication and additional authentication.
          • securid: Perform SecurID primary authentication and additional authentication.
          • fido: Perform FIDO primary authentication and additional authentication.
        • <policy_name> value (optional): The exact name (including case) of the policy specified in the Cloud Administration Console. If a policy name is specified, it overrides the default policy configured for the service provider in the Cloud Administration Console.
    Example:

        <saml2p:RequestedAuthnContext>
          <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:SomePolicy</saml2:AuthnContextClassRef>
        </saml2p:RequestedAuthnContext>

    For additional examples, see SAML 2.0 Requirements for Service Providers - AuthnRequest.

<saml:AuthnContextDeclRef>
    Not supported.

<samlp:Scoping>
    Not supported. Do not include.
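As an added example (not part of this page or of RSA's documentation), the following Python checks an outgoing AuthnRequest against the requirements in the table above before it is sent: the required ID, Version (2.0) and IssueInstant attributes, the required Issuer, the elements marked "Do not include", the unsupported NameIDPolicy attributes, the Comparison value, and the single AuthnContextClassRef in one of the allowed forms. The sample request, its ID, IssueInstant and Issuer URL are constructed placeholders, and accepting spec:<policy_name> as the encoding of an omitted <primary_auth> is an assumption.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Elements the table marks "Not supported. Do not include." (ElementTree paths from the root).
FORBIDDEN_ELEMENTS = [SAMLP + "Extensions", SAMLP + "Scoping",
                      SAML + "Subject/" + SAML + "SubjectConfirmation",
                      SAML + "Conditions/" + SAML + "Condition"]
# Allowed AuthnContextClassRef forms; accepting "spec:<policy_name>" for an omitted <primary_auth> is an assumption.
CLASS_REF = re.compile(
    r"^(urn:oasis:names:tc:SAML:2\.0:ac:classes:(Password|PasswordProtectedTransport)"
    r"|urn:rsa:names:tc:SAML:2\.0:ac:classes:level:[^:]+"
    r"|urn:rsa:names:tc:SAML:2\.0:ac:classes:spec(:(primary|stepup|password|securid|fido))?(:[^:]+)?)$")
# Constructed sample request (not from the page); ID, IssueInstant and the Issuer URL are placeholders.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-request-id"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:SomePolicy</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def check_authn_request(xml_text: str) -> list[str]:
    """Return findings against the table above; an empty list means the request conforms."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    findings = [f"missing required attribute {a}"
                for a in ("ID", "Version", "IssueInstant") if a not in root.attrib]
    if root.get("Version", "2.0") != "2.0":
        findings.append("Version must be 2.0")
    if root.find(SAML + "Issuer") is None:
        findings.append("missing required saml:Issuer")
    findings += [f"unsupported element {p.rsplit('}', 1)[-1]}: do not include"
                 for p in FORBIDDEN_ELEMENTS if root.find(p) is not None]
    nip = root.find(SAMLP + "NameIDPolicy")  # AllowCreate and SPNameQualifier are not supported here
    findings += [f"NameIDPolicy {a} is not supported"
                 for a in ("AllowCreate", "SPNameQualifier") if nip is not None and a in nip.attrib]
    rac = root.find(SAMLP + "RequestedAuthnContext")
    if rac is not None:
        if rac.get("Comparison", "exact") != "exact":
            findings.append("RequestedAuthnContext Comparison must be exact")
        if len(refs := rac.findall(SAML + "AuthnContextClassRef")) != 1:
            findings.append("exactly one AuthnContextClassRef is required")
        findings += [f"AuthnContextClassRef value not allowed: {r.text}"
                     for r in refs if not CLASS_REF.match((r.text or "").strip())]
    return findings
```

Running it on SAMPLE_REQUEST returns an empty list; a request carrying <samlp:Scoping>, AllowCreate on NameIDPolicy, or a second AuthnContextClassRef produces one finding per violated row.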

For more information, see the following topics: