SAML 2.0 Requirements for Service Providers

The following tables outline the supported SAML 2.0 elements required for service providers using the Cloud Authentication Service as an IdP to manage authentication. Provide this information to your application administrators.

AuthnRequest

Each entry gives an <AuthnRequest> attribute or element, its status, and the supported values. Child attributes and elements are indented under their parent.

ID: Required
Version: Required. Value: 2.0
IssueInstant: Required
Destination: Optional
Consent: Not supported. Ignored.
ForceAuthn: Optional. Value: false
IsPassive: Optional. Value: false
AssertionConsumerServiceIndex: Not supported. Do not include.
AssertionConsumerServiceURL: Optional
ProtocolBinding: Optional. Values:
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
AttributeConsumingServiceIndex: Not supported. Do not include.
ProviderName: Not supported. Ignored.
<saml:Issuer>: Required
  NameQualifier: Not supported. Do not include.
  SPNameQualifier: Not supported. Do not include.
  Format: Optional. Values:
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  SPProvidedID: Not supported. Do not include.
<ds:Signature>: Optional
<samlp:Extensions>: Not supported. Do not include.
<saml:Subject>:
  • Required if the service provider manages primary authentication and RSA SecurID Access manages additional authentication.
  • Optional if RSA SecurID Access manages all authentication.
  <saml:NameID>: Required
    NameQualifier: Not supported. Do not include.
    SPNameQualifier: Not supported. Do not include.
    Format: Optional. Values:
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    SPProvidedID: Not supported. Do not include.
  <saml:SubjectConfirmation>: Not supported. Do not include.
<samlp:NameIDPolicy>: Optional
  Format: Optional. Values:
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  SPNameQualifier: Not supported. Do not include.
  AllowCreate: Not supported. Do not include.
<saml:Conditions>: Optional
  NotBefore: Optional
  NotOnOrAfter: Optional
  <saml:Condition>: Not supported. Do not include.

<samlp:RequestedAuthnContext>: Required if Determined by Service Provider at Run Time is selected for primary authentication when configuring a service provider where RSA SecurID Access manages all authentication. If that option is selected, the service provider must sign the SAML request, and the service provider certificate must be uploaded on the Connection Profile page for the service provider.
  In other use cases with this element, signing the SAML request is optional. For more information, see Supported RequestedAuthnContext Examples.
  In a future release, RSA will require all requests that use this element to be signed.
  Comparison: Optional. Value: exact
  <saml:AuthnContextClassRef>: Required. Only a single entry is supported. Allowed values:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    • urn:rsa:names:tc:SAML:2.0:ac:classes:level:<level>, where <level> is High, Medium, or Low
    • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:<primary_auth>:<policy_name>
      • <primary_auth> values (optional):
        • primary: Perform primary and additional authentication. A primary authentication method must be configured for the service provider.
        • stepup: No primary authentication. Perform only additional authentication.
        • password: Perform password primary authentication and additional authentication.
        • securid: Perform RSA SecurID primary authentication and additional authentication.
        • fido: Perform FIDO primary authentication and additional authentication.
        • Omitted (empty): Meaning varies per use case. For more information, see Supported RequestedAuthnContext Examples.
      • <policy_name>: Optional. The exact name (including case) of the policy specified in the Cloud Administration Console. If a policy name is specified, it overrides the default policy configured for the service provider in the Cloud Administration Console.
    Example:
      <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:SomePolicy</saml2:AuthnContextClassRef>
      </saml2p:RequestedAuthnContext>
    For additional examples, see Supported RequestedAuthnContext Examples.
  <saml:AuthnContextDeclRef>: Not supported.
<samlp:Scoping>: Not supported. Do not include.
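The following Python is an added illustration of the AuthnRequest requirements above; it is not RSA code and not part of this page's original content. It builds a request that uses only attributes and elements the table marks Required or Optional, lints an arbitrary request for items the table says not to include (AssertionConsumerServiceIndex, Scoping, SubjectConfirmation, AllowCreate, and so on), and applies the HTTP-Redirect encoding (raw DEFLATE, base64, URL-encoding) that the ProtocolBinding value implies. The entity IDs and URLs are placeholders and the function names are this example's own. It does not sign the request; where the page requires a signed request, an enveloped XML signature must be added with an XML-DSig library before sending.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Items the table marks "Not supported. Do not include."
UNSUPPORTED_ELEMENTS = {
    f"{{{SAMLP}}}Extensions",
    f"{{{SAMLP}}}Scoping",
    f"{{{SAML}}}SubjectConfirmation",
    f"{{{SAML}}}Condition",
}
UNSUPPORTED_ROOT_ATTRS = {"AssertionConsumerServiceIndex", "AttributeConsumingServiceIndex"}
UNSUPPORTED_NAME_ATTRS = {"NameQualifier", "SPNameQualifier", "SPProvidedID"}


def build_authn_request(issuer, destination, acs_url, authn_context=None,
                        nameid_format=NAMEID_UNSPECIFIED, protocol_binding=HTTP_POST):
    """Return a <samlp:AuthnRequest> using only attributes and elements the table allows."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID may not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": protocol_binding,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {"Format": nameid_format})
    if authn_context is not None:
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(root, encoding="unicode")


def check_request(xml_text):
    """Return the list of deviations from the table; an empty list means none were found."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    for attr in ("ID", "Version", "IssueInstant"):
        if attr not in root.attrib:
            problems.append(f"missing required attribute {attr}")
    if root.get("Version", "2.0") != "2.0":
        problems.append("Version must be 2.0")
    for attr in sorted(UNSUPPORTED_ROOT_ATTRS & set(root.attrib)):
        problems.append(f"unsupported attribute {attr}")
    for attr in ("ForceAuthn", "IsPassive"):
        if root.get(attr, "false") != "false":
            problems.append(f"{attr} may only be false")
    if root.find(f"{{{SAML}}}Issuer") is None:
        problems.append("missing <saml:Issuer>")
    for el in root.iter():
        if el.tag in UNSUPPORTED_ELEMENTS:
            problems.append(f"unsupported element {el.tag}")
        if el.tag in (f"{{{SAML}}}Issuer", f"{{{SAML}}}NameID"):
            for attr in sorted(UNSUPPORTED_NAME_ATTRS & set(el.attrib)):
                problems.append(f"unsupported attribute {attr} on {el.tag}")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is not None:
        for attr in sorted({"AllowCreate", "SPNameQualifier"} & set(policy.attrib)):
            problems.append(f"unsupported attribute {attr} on NameIDPolicy")
    refs = root.findall(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    if len(refs) > 1:
        problems.append("only a single AuthnContextClassRef is supported")
    return problems


def redirect_binding_query(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_query(query):
    """Inverse of redirect_binding_query, useful for inspecting what the IdP will parse."""
    params = dict(parse_qsl(query))
    return zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15).decode("utf-8")
```

Run check_request on the request your SP library emits before onboarding: the Not supported items are the usual cause of a rejected request, and finding them locally is cheaper than reading the IdP's error.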

Supported RequestedAuthnContext Examples

The following examples are based on the Authentication page configuration for the service provider in the Cloud Administration Console. Each entry lists one or more AuthnContextClassRef values followed by the primary authentication, access policy, and assurance level that result from them.

Service Provider Manages Primary Authentication and RSA SecurID Access Manages Additional Authentication

The following are the supported AuthnContextClassRef values for a service provider configured with the Service provider manages primary authentication, and RSA SecurID Access manages additional authentication option in the Cloud Administration Console. In this configuration, primary authentication is always managed by the service provider.

If you select the SP signs SAML request option on the Connection Profile page, you must also upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.

AuthnContextClassRef values:
  (Omitted)
  urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec::
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:
Primary authentication: Managed by service provider
Policy: Access policy assigned to the service provider in the Cloud Administration Console
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level>
Primary authentication: Managed by service provider
Policy: N/A
Assurance level: High, Medium, or Low

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy>
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy>
Primary authentication: Managed by service provider
Policy: Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider.
Assurance level: N/A

The request is rejected because the value is not supported:
  • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:
  • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:<Policy>
  • Any other value

RSA SecurID Access Manages All Authentication and Primary Authentication is Password, SecurID, FIDO, or Performed by Cloud Identity Provider

The following are the supported AuthnContextClassRef values for a service provider configured with the RSA SecurID Access manages all authentication option in the Cloud Administration Console and a primary authentication method of Password, SecurID, FIDO, or Performed by Cloud Identity Provider.

If you select the SP signs SAML request option on the Connection Profile page, you must also upload the service provider certificate on that page. RSA recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.

AuthnContextClassRef values:
  (Omitted)
  urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec::
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:
Primary authentication: Primary authentication method assigned to the service provider in the Cloud Administration Console
Policy: Access policy assigned to the service provider in the Cloud Administration Console
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level>
Primary authentication: None
Policy: N/A
Assurance level: High, Medium, or Low

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy>
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:<Policy>
Primary authentication: Primary authentication method assigned to the service provider in the Cloud Administration Console
Policy: Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider.
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:
Primary authentication: None
Policy: Access policy assigned to the service provider in the Cloud Administration Console
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy>
Primary authentication: None
Policy: Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider.
Assurance level: N/A

The request is rejected because the value is not supported:
  • Any other value

RSA SecurID Access Manages All Authentication and Primary Authentication is Determined by Service Provider at Run Time

The following are the supported AuthnContextClassRef values for a service provider configured with the RSA SecurID Access manages all authentication option in the Cloud Administration Console and a primary authentication method of Determined by Service Provider at Run Time.

To use this primary authentication option, the service provider must sign the request, and you must upload the service provider certificate on the Connection Profile page.

AuthnContextClassRef values:
  urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password:
Primary authentication: Password
Policy: Access policy assigned to the service provider in the Cloud Administration Console
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level>
Primary authentication: None
Policy: N/A
Assurance level: High, Medium, or Low

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password:<Policy>
Primary authentication: Password
Policy: Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider.
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:
Primary authentication: SecurID
Policy: Access policy assigned to the service provider in the Cloud Administration Console
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:<Policy>
Primary authentication: SecurID
Policy: Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider.
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido:
Primary authentication: FIDO
Policy: Access policy assigned to the service provider in the Cloud Administration Console
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido:<Policy>
Primary authentication: FIDO
Policy: Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider.
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec::
Primary authentication: None
Policy: Access policy assigned to the service provider in the Cloud Administration Console
Assurance level: N/A

AuthnContextClassRef values:
  urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy>
Primary authentication: None
Policy: Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider.
Assurance level: N/A

The request is rejected because the value is not supported:
  • (Omitted)
  • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:
  • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:<Policy>
  • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:
  • urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy>
  • Any other value
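The three Supported RequestedAuthnContext Examples tables describe one decision procedure: parse the AuthnContextClassRef value, then map it, under the service provider's configured mode, to a primary authentication, an access policy, and an assurance level, or reject it. The following Python is an added example of that procedure and is not RSA code; it is useful for an SP team to predict what a given value will do before sending it, or to unit-test the value an SP library emits. The mode names, the placeholder strings standing in for console-assigned values, and the function names are this example's own. Policy names are compared exactly, as the page requires; level names are also compared exactly, which is an assumption (the page lists only High, Medium, and Low). Rejection raises rather than returning a default so a caller cannot silently fall back to the console configuration.

```python
SAML_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
SAML_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
RSA_LEVEL_PREFIX = "urn:rsa:names:tc:SAML:2.0:ac:classes:level:"
RSA_SPEC_PREFIX = "urn:rsa:names:tc:SAML:2.0:ac:classes:spec:"
LEVELS = ("High", "Medium", "Low")  # compared exactly: an assumption, the page gives only these
PRIMARY_AUTH_VALUES = ("", "primary", "stepup", "password", "securid", "fido")

# The three Authentication page configurations the example tables are organised by.
SP_MANAGES_PRIMARY = "sp_manages_primary"
IDP_MANAGES_ALL = "idp_manages_all"          # primary is Password, SecurID, FIDO or Cloud IdP
SP_DETERMINES_AT_RUNTIME = "runtime"         # primary is Determined by Service Provider at Run Time

# Placeholders for values the IdP takes from the Cloud Administration Console.
SP_MANAGED = "Managed by service provider"
CONFIGURED_PRIMARY = "<primary authentication assigned to the service provider>"
CONFIGURED_POLICY = "<access policy assigned to the service provider>"
RUNTIME_PRIMARY = {"password": "Password", "securid": "SecurID", "fido": "FIDO"}


class Rejected(ValueError):
    """Raised for any AuthnContextClassRef value the tables list as rejected."""


def parse_class_ref(value):
    """Return (kind, primary_auth, argument) for a syntactically valid value, else raise."""
    if value is None:
        return ("omitted", None, None)
    if value in (SAML_PASSWORD, SAML_PPT):
        return ("saml_password", None, None)
    if value.startswith(RSA_LEVEL_PREFIX):
        level = value[len(RSA_LEVEL_PREFIX):]
        if level not in LEVELS:
            raise Rejected(f"unknown assurance level {level!r}")
        return ("level", None, level)
    if value.startswith(RSA_SPEC_PREFIX):
        # spec:<primary_auth>:<policy_name>; both parts may be empty but the colon is required
        primary, sep, policy = value[len(RSA_SPEC_PREFIX):].partition(":")
        if not sep or primary not in PRIMARY_AUTH_VALUES:
            raise Rejected(f"malformed spec value {value!r}")
        return ("spec", primary, policy)  # policy is case sensitive and never normalised
    raise Rejected(f"unsupported value {value!r}")


def resolve(value, mode):
    """Return (primary_authentication, policy, assurance_level) for the mode, or raise Rejected."""
    kind, primary, arg = parse_class_ref(value)
    if kind == "level":
        # Policy is N/A and the assurance level comes from the value in every mode.
        return (SP_MANAGED if mode == SP_MANAGES_PRIMARY else None, None, arg)
    policy = arg if kind == "spec" and arg else CONFIGURED_POLICY
    if mode == SP_MANAGES_PRIMARY:
        if kind in ("omitted", "saml_password") or primary in ("", "stepup"):
            return (SP_MANAGED, policy, None)
    elif mode == IDP_MANAGES_ALL:
        if kind in ("omitted", "saml_password") or primary in ("", "primary"):
            return (CONFIGURED_PRIMARY, policy, None)
        if primary == "stepup":
            return (None, policy, None)
    elif mode == SP_DETERMINES_AT_RUNTIME:
        if kind == "saml_password":
            return ("Password", policy, None)
        if primary in RUNTIME_PRIMARY:
            return (RUNTIME_PRIMARY[primary], policy, None)
        if primary == "":
            return (None, policy, None)
    raise Rejected(f"{value!r} is not supported in mode {mode!r}")


def is_rejected(value, mode):
    """True when the tables say the IdP rejects the request for this value and mode."""
    try:
        resolve(value, mode)
    except Rejected:
        return True
    return False
```

Note that the same value changes meaning with the mode: spec:: keeps the SP-managed primary in the first mode, inherits the console primary in the second, and performs no primary authentication in the third, while an omitted value is accepted in the first two modes and rejected in the third.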

Response

Each entry gives a <Response> attribute or element and whether the Cloud Authentication Service provides it. Child attributes and elements are indented under their parent.

ID: Provided
InResponseTo: Provided
Version: Provided. Value: 2.0
IssueInstant: Provided
Destination: Provided
Consent: Not provided
<saml:Issuer>: Provided
  NameQualifier: Not provided
  SPNameQualifier: Not provided
  Format: Provided. Value: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  SPProvidedID: Not provided
<ds:Signature>: Not provided
<samlp:Extensions>: Not provided
<samlp:Status>: Provided
  <samlp:StatusCode>: Provided
    Value: Provided
  <samlp:StatusMessage>: May be provided
  <samlp:StatusDetail>: May be provided
<saml:Assertion>: May be provided. See the Assertion table.

Assertion

Each entry gives an <Assertion> attribute or element and whether the Cloud Authentication Service provides it. Child attributes and elements are indented under their parent.

ID: Provided
Version: Provided. Value: 2.0
IssueInstant: Provided
<saml:Issuer>: Provided
  NameQualifier: Not provided
  SPNameQualifier: Not provided
  Format: Provided. Value: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  SPProvidedID: Not provided
<ds:Signature>: Provided
<saml:Subject>: Provided
  <saml:NameID>: Provided
    NameQualifier: Not provided
    SPNameQualifier: Not provided
    Format: Provided. Values:
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    SPProvidedID: Not provided
  <saml:SubjectConfirmation>: Provided
    Method: Provided. Value: urn:oasis:names:tc:SAML:2.0:cm:bearer
    <saml:NameID>: Not provided
    <saml:SubjectConfirmationData>: Provided
      NotBefore: Not provided
      NotOnOrAfter: Provided
      Recipient: Provided
      InResponseTo: Provided
      Address: Not provided
<saml:Conditions>: Provided
  NotBefore: Provided
  NotOnOrAfter: Provided
  <saml:AudienceRestriction>: Provided
    <saml:Audience>: Provided
<saml:Advice>: Not provided
<saml:AuthnStatement>: Provided
  AuthnInstant: Provided
  SessionIndex: Not provided
  SessionNotOnOrAfter: Not provided
  <saml:SubjectLocality>: Not provided
  <saml:AuthnContext>: Provided
    <saml:AuthnContextClassRef>: Provided. Values:
      urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
      urn:rsa:names:tc:SAML:2.0:ac:classes:spec:<primary_auth>:<policy_name>
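Read together, the Response and Assertion tables tell a service provider what to check before accepting a login: the Response itself carries no signature, so the signature to verify is the one inside <saml:Assertion>; the bearer SubjectConfirmationData carries Recipient, InResponseTo and NotOnOrAfter; Conditions carries NotBefore, NotOnOrAfter and an AudienceRestriction; and the AuthnStatement reports which AuthnContextClassRef was actually satisfied. The Python below is an added example of those checks and is not RSA code. It deliberately stops short of cryptographic verification, which must be done first with an XML-DSig library against the certificate from the IdP metadata; what it shows is every non-cryptographic field the tables say is Provided, with an InResponseTo match against the outstanding request ID as the replay and unsolicited-response defence, and a clock-skew allowance on the validity windows. The sample response, entity IDs, URLs and the empty ds:Signature placeholder are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}


def parse_time(value):
    # SAML dateTime such as 2024-01-01T12:00:00Z; fromisoformat wants +00:00 before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, *, request_id, acs_url, sp_entity_id, idp_entity_id,
                   now, skew=timedelta(seconds=60)):
    """Return a list of problems; empty means every checked field matched the tables.

    Does NOT verify <ds:Signature>. Verify the Assertion signature first (the Response is
    unsigned) and only then trust the values checked here.
    """
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"]
    if resp.get("Version") != "2.0":
        problems.append("Response Version is not 2.0")
    if resp.get("InResponseTo") != request_id:  # unsolicited or replayed response
        problems.append("Response InResponseTo does not match an outstanding request")
    if resp.get("Destination") != acs_url:
        problems.append("Response Destination is not our ACS URL")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("Status is not Success")
    assertions = resp.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.find(f"{{{DS}}}Signature") is None:
        problems.append("Assertion carries no ds:Signature")
    if a.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        problems.append("Assertion Issuer is not the expected IdP entityID")
    name_id = a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing Subject/NameID")
    elif name_id.get("Format") not in NAMEID_FORMATS:
        problems.append(f"unexpected NameID Format {name_id.get('Format')!r}")
    sc = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation")
    scd = None if sc is None else sc.find(f"{{{SAML}}}SubjectConfirmationData")
    if sc is None or sc.get("Method") != CM_BEARER or scd is None:
        problems.append("missing bearer SubjectConfirmation with SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match the request")
        if scd.get("NotOnOrAfter") is None or now - skew >= parse_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter missing or passed")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        problems.append("missing Conditions")
    else:
        if now + skew < parse_time(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
            problems.append("Conditions NotBefore is in the future")
        if now - skew >= parse_time(cond.get("NotOnOrAfter", "9999-12-31T23:59:59Z")):
            problems.append("Conditions NotOnOrAfter has passed")
        audiences = [e.text for e in cond.findall(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
        if sp_entity_id not in audiences:
            problems.append("our entityID is not in AudienceRestriction")
    if not a.findtext(f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"):
        problems.append("missing AuthnStatement/AuthnContext/AuthnContextClassRef")
    return problems


# Constructed sample, not captured from a real IdP; the empty ds:Signature is a placeholder.
SIGNATURE_PLACEHOLDER = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.test/acs">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  {SIGNATURE_PLACEHOLDER}
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req1"
      Recipient="https://sp.example.test/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:SomePolicy</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""


def validate_sample(request_id="_req1", now_iso="2024-01-01T12:01:00Z", strip_signature=False):
    """Run check_response over the constructed sample with a fixed clock."""
    xml_text = SAMPLE_RESPONSE.replace(SIGNATURE_PLACEHOLDER, "") if strip_signature else SAMPLE_RESPONSE
    return check_response(xml_text, request_id=request_id, acs_url="https://sp.example.test/acs",
                          sp_entity_id="https://sp.example.test/sp",
                          idp_entity_id="https://idp.example.test", now=parse_time(now_iso))
```

Because SessionIndex and SessionNotOnOrAfter are Not provided, an SP cannot tie its local session to an IdP session index; session lifetime is the SP's own decision, and the validity windows above bound only the acceptance of the assertion itself.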

SP Metadata

Each entry gives an <md:EntityDescriptor> attribute or element in the service provider metadata and whether the Cloud Authentication Service supports it. Child attributes and elements are indented under their parent.

ID: Optional
entityID: Required
validUntil: Optional
cacheDuration: Not supported. Ignored.
<ds:Signature>: Not supported. Ignored.
<md:Extensions>: Not supported. Ignored.
<md:SPSSODescriptor>: Optional
  ID: Optional
  validUntil: Optional
  cacheDuration: Not supported. Ignored.
  protocolSupportEnumeration: Not supported. Ignored.
  errorURL: Not supported. Ignored.
  AuthnRequestsSigned: Optional. Value: true/false
  WantAssertionsSigned: Optional. Value: true/false
  <ds:Signature>: Not supported. Ignored.
  <md:Extensions>: Not supported. Ignored.
  <md:KeyDescriptor>: Optional
    use (type md:KeyTypes): Required. Value: signing
    <ds:KeyInfo>: Required
      <ds:KeyName>: Required
      <ds:X509Data>: Required. Values:
        <ds:X509SubjectName>
        <ds:X509Certificate>
    <md:EncryptionMethod>: Not supported. Ignored.
  <md:Organization>: Not supported. Ignored.
  <md:ContactPerson>: Not supported. Ignored.
  <md:ArtifactResolutionService>: Not supported. Ignored.
  <md:SingleLogoutService>: Not supported. Ignored.
  <md:ManageNameIDService>: Not supported. Ignored.
  <md:NameIDFormat>: Not supported. Ignored.
  <md:AssertionConsumerService>: Optional
    Binding: Optional
    Location: Optional
    ResponseLocation: Optional
    index: Not supported. Ignored.
    isDefault: Optional. Value: true
  <md:AttributeConsumingService>: Not supported. Ignored.
    <md:RequestedAttribute>: Not supported. Ignored.
<md:Organization>: Not supported. Ignored.
<md:ContactPerson>: Not supported. Ignored.
<md:AdditionalMetadataLocation>: Not supported. Ignored.

IdP Metadata

Each entry gives an <md:EntityDescriptor> attribute or element in the Cloud Authentication Service IdP metadata and whether it is provided. Child attributes and elements are indented under their parent.

ID: Provided
entityID: Provided
validUntil: Not provided
cacheDuration: Not provided
<ds:Signature>: Provided
<md:Extensions>: Not provided
<md:IDPSSODescriptor>: Provided
  ID: Optional
  validUntil: Not provided
  cacheDuration: Not provided
  protocolSupportEnumeration: Provided. Value: urn:oasis:names:tc:SAML:2.0:protocol
  errorURL: Not provided
  WantAuthnRequestsSigned: Provided. Value: true/false
  <ds:Signature>: Not provided
  <md:Extensions>: Not provided
  <md:KeyDescriptor>: Provided
    use: Provided. Value: signing
    <ds:KeyInfo>: Provided
      <ds:KeyName>: Provided
      <ds:X509Data>: Provided. Values:
        <ds:X509SubjectName>
        <ds:X509Certificate>
    <md:EncryptionMethod>: Not provided
  <md:Organization>: May be provided
    <md:OrganizationName>: May be provided
    <md:OrganizationDisplayName>: May be provided
    <md:OrganizationURL>: May be provided
    <md:Extensions>: Not provided
  <md:ContactPerson>: May be provided
    contactType: Provided. Value: Other
    <md:Company>: Not provided
    <md:GivenName>: May be provided
    <md:SurName>: May be provided
    <md:EmailAddress>: May be provided
    <md:TelephoneNumber>: May be provided
    <md:Extensions>: Not provided
  <md:ArtifactResolutionService>: Not provided
  <md:SingleLogoutService>: Provided
    Binding: Provided. Values:
      urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
      urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Location: Provided
    ResponseLocation: Not provided
  <md:ManageNameIDService>: Not provided
  <md:NameIDFormat>: Not provided
  <md:AssertionConsumerService>: Not provided
  <md:AttributeConsumingService>: Not provided
    <md:RequestedAttribute>: Not provided
<md:Organization>: Not provided
<md:ContactPerson>: Not provided
<md:AdditionalMetadataLocation>: Not provided