SAML 2.0 Requirements for Service ProvidersSAML 2.0 Requirements for Service Providers
The following tables outline the supported SAML 2.0 elements required for service providers using the Cloud Authentication Service as an IdP to manage authentication. Provide this information to your application administrators.
AuthnRequestAuthnRequest
|
<AuthRequest> Attribute or Element |
Status and Supported Values |
|---|---|
|
ID |
Required |
|
Version |
Required Value: 2.0 |
|
IssueInstant |
Required |
|
Destination |
Optional |
|
Consent |
Not supported. Ignored. |
|
ForceAuthn |
Optional Value: false |
|
IsPassive |
Optional Value: false |
|
AssertionConsumerServiceIndex |
Not supported. Do not include. |
|
AssertionConsumerServiceURL |
Optional |
|
ProtocolBinding |
Optional
Values: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
|
AttributeConsumingServiceIndex |
Not supported. Do not include. |
|
ProviderName |
Not supported. Ignored. |
|
<saml:Issuer> |
Required |
|
NameQualifier |
Not supported. Do not include. |
|
SPNameQualifier |
Not supported. Do not include. |
|
Format |
Optional Values: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
|
SPProvidedID |
Not supported. Do not include. |
|
<ds:Signature> |
Optional |
|
<samlp:Extensions> |
Not supported. Do not include. |
|
<saml:Subject> |
|
|
<saml:NameID> |
Required |
|
NameQualifier |
Not supported. Do not include. |
|
SPNameQualifier |
Not supported. Do not include. |
|
Format |
Optional Values: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
|
SPProvidedID |
Not supported. Do not include. |
|
<saml:SubjectConfirmation> |
Not supported. Do not include. |
|
<samlp:NameIDPolicy> |
Optional |
|
Format |
Optional Values: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
|
SPNameQualifier |
Not supported. Do not include. |
|
AllowCreate |
Not supported. Do not include. |
|
<saml:Conditions> |
Optional |
|
NotBefore |
Optional |
|
NotOnOrAfter |
Optional |
|
<saml:Condition> |
Not supported. Do not include. |
|
<samlp:RequestedAuthnContext> |
Required if Determined by Service Provider at Run Time is selected for primary authentication when configuring a service provider where SecurID manages all authentication. If this option is selected for primary authentication, the service provider must sign the SAML request, and the service provider certificate must be uploaded in the Connection Profile page for the service provider. In other use cases with this attribute, signing the SAML request is optional. For more information, see Supported RequestedAuthnContext Examples. In a future release, SecurID will require all requests that use this attribute to be signed. |
|
Comparison |
Optional Value: exact |
|
<saml:AuthnContextClassRef> |
Required. Only a single entry is supported. Allowed values:
Example
<saml2p:RequestedAuthnContext>
</saml2p:RequestedAuthnContext>
For additional examples, see Supported RequestedAuthnContext Examples. |
| <saml:AuthnContextDeclRef> | Not supported. |
|
<samlp:Scoping> |
Not supported. Do not include. |
Supported RequestedAuthnContext ExamplesSupported RequestedAuthnContext Examples
The following examples are based on the Authentication page configuration for the service provider in the Cloud Administration Console.
Service Provider Manages Primary Authentication and SecurID Manages Additional Authentication
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the Service provider manages primary authentication, and SecurID manages additional authentication option in the Cloud Administration Console.
If you select the SP signs SAML request option in the Connection Profile page, you also must upload the service provider certificate on that page. SecurID recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
|
(Omitted) urn:oasis:names:tc:SAML:2.0:ac:classes:Password urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: |
Managed by service provider | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | N/A | High, Medium, or Low | |
|
urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> |
Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. |
N/A | |
|
Request is rejected because values are not supported:
|
|||
SecurID Manages All Authentication and Primary Authentication is Password, SecurID, FIDO, or Performed by Cloud Identity Provider
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the SecurID manages all authentication option in the Cloud Administration Console and a primary authentication method of Password, SecurID, FIDO, or Performed by Cloud Identity Provider.
If you select the SP signs SAML request option in the Connection Profile page, you also must upload the service provider certificate on that page. SecurID recommends signing requests when the request overrides the Cloud Administration Console configuration for the service provider.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
|
(Omitted) urn:oasis:names:tc:SAML:2.0:ac:classes:Password urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary: |
Primary authentication method assigned to service provider in the Cloud Administration Console | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
|
urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> urn:rsa:names:tc:SAML:2.0:ac:classes:spec:primary:<Policy> |
Primary authentication method assigned to service provider in the Cloud Administration Console |
Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. |
N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:<Policy> | None |
Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. |
N/A |
|
Request is rejected because values are not supported: Any other value. |
|||
SecurID Manages All Authentication and Primary Authentication is Determined by Service Provider at Run Time
The following are examples of supported RequestedAuthContextClassRef values for a service provider configured with the SecurID manages all authentication option in the Cloud Administration Console and a primary authentication method of Determined by Service Provider at Run Time.
To use this primary authentication option, the service provider must sign the request, and you must upload the service provider certificate on the Connection Profile page.
| AuthnContextClassRef Value | Primary Authentication | Policy | Assurance Level |
|---|---|---|---|
|
urn:oasis:names:tc:SAML:2.0:ac:classes:Password urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password: |
Password | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:level:<Level> | None | N/A | High, Medium, or Low |
|
urn:rsa:names:tc:SAML:2.0:ac:classes:spec:password:<Policy> |
Password |
Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. |
N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid: | SecurID | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:securid:<Policy> | SecurID |
Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. |
N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido: | FIDO | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:fido:<Policy> | FIDO |
Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. |
N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec:: | None | Access policy assigned to service provider in the Cloud Administration Console | N/A |
| urn:rsa:names:tc:SAML:2.0:ac:classes:spec::<Policy> | None |
Access policy specified in the value. The access policy must exist in the Cloud Administration Console but does not need to be assigned to the service provider. |
N/A |
|
Request is rejected because values are not supported:
|
|||
ResponseResponse
| <AuthRequest> Attribute or Element | Status and Supported Values |
|---|---|
| ID | Provided |
| InResponseTo | Provided |
| Version |
Provided Value: 2.0 |
| IssueInstant | Provided |
| Destination | Provided |
| Consent | Not provided |
| <saml:Issuer> | Provided |
| NameQualifier | Not provided |
| SPNameQualifier | Not provided |
| Format |
Provided Value: urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
| SPProvidedID | Not provided |
| <ds:Signature> | Not provided |
| <samlp:Extensions> | Not provided |
| <samlp:Status> | Provided |
| <samlp:StatusCode> | Provided |
| Value | Provided |
| <samlp:StatusMessage> | May be provided |
| <samlp:StatusDetail> | May be provided |
| <saml:Assertion> |
May be provided Value: See Assertion table. |
AssertionAssertion
|
<Assertion> Attribute or Element |
Status and Supported Values |
|---|---|
|
ID |
Provided |
|
Version |
Provided Value: 2.0 |
|
IssueInstant |
Provided |
|
<saml:Issuer> |
Provided |
|
NameQualifier |
Not provided |
|
SPNameQualifier |
Not provided |
|
Format |
Provided Value: urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
|
SPProvidedID |
Not provided |
|
<ds:Signature> |
Provided |
|
<saml:Subject> |
Provided |
|
<saml:NameID> |
Provided |
|
NameQualifier |
Not provided |
|
SPNameQualifier |
Not provided |
|
Format |
Provided Values: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
|
SPProvidedID |
Not provided |
|
<saml:SubjectConfirmation> |
Provided |
|
Method |
Provided Value: urn:oasis:names:tc:SAML:2.0:cm:bearer |
|
<saml:NameID> |
Not provided |
|
<SubjectConfirmationData> |
Provided |
|
NotBefore |
Not provided |
|
NotOnOrAfter |
Provided |
|
Recipient |
Provided |
|
InResponseTo |
Provided |
|
Address |
Not provided |
|
<saml:Conditions> |
Provided |
|
NotBefore |
Provided |
|
NotOnOrAfter |
Provided |
|
<saml:AudienceRestriction> |
Provided |
|
<saml:Audience> |
Provided |
|
<saml:Advice> |
Not provided |
|
<saml:AuthnStatement> |
Provided |
|
AuthnInstant |
Provided |
|
SessionIndex |
Not provided |
|
SessionNotOnOrAfter |
Not provided |
|
<saml:SubjectLocality> |
Not provided |
|
<saml:AuthnContext> |
Provided |
|
<saml:AuthnContextClassRef> |
Provided Values: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified urn:rsa:names:tc:SAML:2.0:ac:classes:spec:<primary_auth>:<policy_name> |
SP MetadataSP Metadata
| <md:EntityDescriptor> Attribute or Element | Status and Supported Values |
|---|---|
| ID | Optional |
| entityID | Required |
| validUntil | Optional |
| cacheDuration | Not supported. Ignored. |
| <ds:Signature> | Not supported. Ignored. |
| <md:Extensions> | Not supported. Ignored. |
| <md:SPSSODescriptor> | Optional |
| ID | Optional |
| validUntil | Optional |
| cacheDuration | Not supported. Ignored. |
| protocolSupportEnumeration | Not supported. Ignored. |
| errorURL | Not supported. Ignored. |
| AuthnRequestsSigned |
Optional Value: true/false |
| WantAssertionsSigned |
Optional Value: true/false |
| <ds:Signature> | Not supported. Ignored. |
| <md:Extensions> | Not supported. Ignored. |
| <md:KeyDescriptor> | Optional |
| <md:KeyTypes> |
Required Value: signing |
| <ds:KeyInfo> | Required |
|
<ds:KeyName> |
Required |
|
<ds:X509Data> |
Required Values: <ds:X509SubjectName> <ds:X509Certificate> |
| <md:EncryptionMethod> | Not supported. Ignored. |
| <md:Organization> | Not supported. Ignored. |
| <md:ContactPerson> | Not supported. Ignored. |
| <md:ArtifactResolutionService> | Not supported. Ignored. |
| <md:SingleLogoutService> | Not supported. Ignored. |
| <md:ManageNameIDService> | Not supported. Ignored. |
| <md:NameIDFormat> | Not supported. Ignored. |
| <md:AssertionConsumerService> | Optional |
| Binding | Optional |
| Location | Optional |
| ResponseLocation | Optional |
| index | Not supported. Ignored. |
| isDefault |
Optional Value: true |
| <md:AttributeConsumingService> | Not supported. Ignored. |
| <md:RequestedAttribute> | Not supported. Ignored. |
| <md:Organization> | Not supported. Ignored. |
| <md:ContactPerson> | Not supported. Ignored. |
| <md:AdditionalMetadataLocation> | Not supported. Ignored. |
IdP MetadataIdP Metadata
| <md:EntityDescriptor> Attribute or Element | Status and Supported Values |
|---|---|
| ID | Provided |
| entityID | Provided |
| validUntil | Not provided |
| cacheDuration | Not provided |
| <ds:Signature> | Provided |
| <md:Extensions> | Not provided |
| <md:IDPSSODescriptor> | Provided |
| ID | Optional |
| validUntil | Not provided |
| cacheDuration | Not provided |
| protocolSupportEnumeration |
Provided Value: urn:oasis:names:tc:SAML:2.0:protocol |
| errorURL | Not provided |
| WantAuthnRequestsSigned |
Provided Value: true/false |
| <ds:Signature> | Not provided |
| <md:Extensions> | Not provided |
| <md:KeyDescriptor> | Provided |
| use |
Provided Value: signing |
| <ds:KeyInfo> | Provided |
|
<ds:KeyName> |
Provided |
|
<ds:X509Data> |
Provided Values: <ds:X509SubjectName> <ds:X509Certificate> |
| <md:EncryptionMethod> | Not provided |
| <md:Organization> | May be provided |
| <md:OrganizationName> | May be provided |
| <md:OrganizationDisplayName> | May be provided |
| <md:OrganizationURL> | May be provided |
| <md:Extensions> | Not provided |
| <md:ContactPerson> | May be provided |
| contactType |
Provided Value: Other |
| <md:Company> | Not provided |
| <md:GivenName> | May be provided |
| <md:SurName> | May be provided |
| <md:EmailAddress> | May be provided |
| <md:TelephoneNumber> | May be provided |
| <md:Extensions> | Not provided |
| <md:ArtifactResolutionService> | Not provided |
| <md:SingleLogoutService> | Provided |
| Binding |
Provided Values: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| Location | Provided |
| ResponseLocation | Not provided |
| <md:ManageNameIDService> | Not provided |
| <md:NameIDFormat> | Not supported. Ignored. |
| <md:AssertionConsumerService> | Not provided |
| <md:AttributeConsumingService> | Not provided |
| <md:RequestedAttribute> | Not provided |
| <md:Organization> | Not provided |
| <md:ContactPerson> | Not provided |
| <md:AdditionalMetadataLocation> | Not provided |
