Feide Integration Guide. Technical Requisites



Similar documents
SAML 2.0 INT SSO Deployment Profile

OIOSAML Rich Client to Browser Scenario Version 1.0

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Kantara egov and SAML2int comparison

Multifactor authentication. Deployment guide

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Appendix 1 Technical Requirements

Single Sign On Integration Guide. Document version:

Securing Web Services With SAML

Feide Technical Guide. Technical details for integrating a service into Feide

SAML 2.0 Interoperability Testing Procedures

SAML 2.0 protocol deployment profile

Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile

OIO Web SSO Profile V2.0.5

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

Security Assertion Markup Language (SAML) V2.0 Technical Overview

Configuring Salesforce

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

PARTNER INTEGRATION GUIDE. Edition 1.0

Implementation Guide SAP NetWeaver Identity Management Identity Provider

[MS-SAMLPR]: Security Assertion Markup Language (SAML) Proxy Request Signing Protocol

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

Digital Signature Web Service Interface

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

Security Assertion Markup Language (SAML) V2.0 Technical Overview

SAML Federated Identity at OASIS

Configuring. SuccessFactors. Chapter 67

Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

SAML V2.0 Asynchronous Single Logout Profile Extension Version 1.0

Configuring SuccessFactors

IBM WebSphere Application Server

E-Authentication Federation Adopted Schemes

Certification Final Report SAML 2.0 Interoperability Test First Quarter 2011 (1Q11) March 31, 2011

Federation Operator Practice (FOP): Metadata Registration Practice Statement

Getting Started with AD/LDAP SSO

Getting Started with Single Sign-On

SAML Implementation Guidelines

Identity Assurance Hub Service SAML 2.0 Profile v1.2a

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

Getting Started with Single Sign-On

Server based signature service. Overview

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Lecture Notes for Advanced Web Security 2015

Automated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT

Federal Identity, Credential, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

HP Software as a Service

OpenHRE Security Architecture. (DRAFT v0.5)

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

PingFederate. IWA Integration Kit. User Guide. Version 3.0

Configuring. Moodle. Chapter 82

Connecting Web and Kerberos Single Sign On

SAML Security Option White Paper

SAML v2.0 for.net Developer Guide

OIO SAML Profile for Identity Tokens

Configuring. SugarCRM. Chapter 121

Connected Data. Connected Data requirements for SSO

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

[MS-SAMLPR]: Security Assertion Markup Language (SAML) Proxy Request Signing Protocol Specification

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0

igovt logon service Context Mapping Service (icms) Messaging Specification Release 9.6

Perceptive Experience Single Sign-On Solutions

Software Design Document SAMLv2 IDP Proxying

This Working Paper provides an introduction to the web services security standards.

GFIPM Web Browser User-to-System Profile Version 1.2

Authentication Context Classes for Levels of Assurance for the Swedish eid Framework

The increasing popularity of mobile devices is rapidly changing how and where we

SAML-Based SSO Solution

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

OpenSSO: Cross Domain Single Sign On

Leveraging SAML for Federated Single Sign-on:

Agenda. How to configure

The Vetuma Service of the Finnish Public Administration SAML interface specification Version: 3.5

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

SAML and OAUTH comparison

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

SAML single sign-on configuration overview

PingFederate. IWA Integration Kit. User Guide. Version 2.6

PingFederate. OpenID Cloud Identity Connector. User Guide. Version 1.1

How to Implement Enterprise SAML SSO

Microsoft Office 365 Using SAML Integration Guide

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Copyright: WhosOnLocation Limited

XML Document Management Architecture

Extending DigiD to the Private Sector (DigiD-2)

Flexible Identity Federation

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

Network Security Essentials Chapter 5

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

Transcription:

Feide Integration Guide Technical Requisites

Document History Version Date Author Comments 1.1 Apr 2015 Jaime Pérez Allow the use of the HTTP-POST binding. 1.0 Oct 2014 Jaime Pérez First version of this document. UNINETT AS Abels gate 5 Teknobyen P.O. Box: NO-7465 Trondheim Sør-Trøndelag, Norway +47 73 55 79 00 support@feide.no

Feide Integration Guide Introduction This document lists the technical requisites needed to connect as a Service Provider to Feide, the Identity Federation of the Norwegian National Research and Education Network (UNINETT). Feide uses the Security Assertion Markup Language version 2.0 [SAMLCore] and supports the Interoperable SAML 2.0 Web Browser SSO Deployment Profile [SAML2Int]. For more detailed information about integration with Feide as well as technical details for the integration, please refer to the Feide Integration Guide [FeideInt] and the Feide Technical Guide [FeideTech], respectively. Requirements notation The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in [RFC 2119]. The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus on deployment practices intended to foster both interoperability and guarantees of security and confidentiality needed to satisfy the requirements of many organizations that engage in the use of federated identity. Deviating may limit a deployment s ability to technically interoperate without additional negotiation, and should be undertaken with caution. 3

Technical Requisites Technical requisites Here is the list of technical requisites that all Service Providers must meet in order to connect to Feide. You can use it as a checklist to verify that you comply with all the requirements and therefore you are ready to proceed with integration. SAML 2.0 Web SSO Profile Feide uses the Web Browser SSO Profile defined by SAML 2.0 [SAMLProf]. When implementing this profile, Service Providers MUST support the use of the following bindings: The HTTP Redirect or the HTTP POST bindings for sending Authentication Requests to Feide. Note that the HTTP Redirect binding is RECOMMENDED. The HTTP POST binding for receiving Authentication Responses from Feide. Additionally, Service Providers MUST support the following authentication flows: The Service Provider MUST be able to send an Authentication Request to Feide when a user requests authentication, and consume the Authentication Response received upon successful authentication, commonly known as SP-initiated authentication. The Service Provider MUST be able to consume an unsolicited Authentication Response received from Feide, commonly known as IdP-initiated authentication. SAML 2.0 Single Logout Profile Full support of the Single Logout profile [SAMLProf] is mandatory in Feide. Service Providers MUST be able to: Send Logout Requests to Feide when a user initiates logout at the Service Provider. Receive Logout Requests and proceed accordingly, by terminating the session of the current user and replying with a Logout Response to Feide. Send and receive the aforementioned messages using the HTTP Redirect or HTTP POST bindings. Note that the HTTP Redirect binding is RECOMMENDED. 4

Feide Integration Guide Identification of users Service Providers MAY support the univocal and persistent identification of single users based on their attributes 1. In particular, Service Providers MUST: Avoid the use of name identifiers as an identifier of a user. Feide uses transient name identifiers that change every session and therefore are not suitable for persistent identification. Attribute format Service Providers MUST support the following attribute name format [SAMLCore]: Basic, identified with the URI: urn:oasis:names:tc:saml:2.0:attrname-format:basic Identification of Norwegian organizations Service Providers willing to perform authorization based on the home organization of the user, SHOULD identify the organization by means of one of the following: The edupersonorgdn:noreduorgnin 2 attribute, or The realm part of the edupersonprincipalname 3 attribute. For those Service Providers that need a finer granularity to identify primary and secondary schools, the previous attributes can be used in addition to the following: The feideschoollist 4 attribute, which holds the list of schools associated with the user. Additionally, Service Providers identifying Norwegian organizations MUST: Avoid using Feide s entity ID to identify an organization, since Feide is a federation with one single SAML Identity Provider that provides service for all Norwegian institutions. Secure web transport 1 See Feide s attribute list for more information: https://www.feide.no/attributelist 2 See the definition of the edupersonorgdn:noreduorgnin attribute for more information: https://www.feide.no/attribute/edupersonorgdn-noreduorgnin 3 See the definition of the edupersonprincipalname attribute for more information: https://www.feide.no/attribute/edupersonprincipalname 4 See the definition of the feideschoollist attribute for more information: https://www.feide.no/attribute/feideschoollist 5

Technical Requisites To ensure the security and privacy of Feide users, and avoid security warnings displayed by web browsers when logging in to Feide, Service Providers MUST: Support HTTPS on all the SAML URLs used to communicate with Feide. Support security protocols (TLS) and mechanisms (certificates signed by wellknown certification authorities) compatible with most modern web browsers. References [RFC 2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, IETF RFC 2119, March 1997; https://www.rfc-editor.org/rfc/rfc2119.txt [SAMLCore] Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS standard, 15 Mar. 2005. [SAMLBind] Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS standard, 15 Mar. 2005. [SAMLProf] Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS standard, 15 Mar. 2005. [SAML2Int] Interoperable SAML 2.0 Web Browser SSO Deployment Profile, http://saml2int.org/profile/current [FeideInt] Feide Integration Guide, Jan. 2014; https://www.feide.no/sites/feide.no/files/documents/feide_system_architecture.pdf [FeideTech] Feide Technical Guide, Sep. 2014; https://www.feide.no/sites/feide.no/files/documents/feide_technical_guide.pdf 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information