5.11.7 OIOSAML 3 Compliance

OIOSAML 3 is a set of technical standards and recommendations for sharing authentication and authorization information between systems and organizations. The OIOSAML 3 Web SSO profile is a profile of the SAML 2.0 Web Browser SSO profile and is governed by the Danish Agency for Digitization. OIOSAML 3 compliance helps to ensure security, maximizes interoperability, allows easier comparison with international profiles, and eases implementation.

For more information about OIOSAML 3, see OIOSAML Web SSO Profile 3.0.3.

Access Manager supports the following prerequisites for OIOSAML 3 compliance:

Encryption Algorithm

The AES-CBC and AES-GCM block cipher algorithms with different key sizes are supported for encryption. The algorithm is enabled by adding the corresponding parameters to web.xml. For more information about encryption, see Section 13.4, Configuring Secure Communication on Identity Server. Prefer AES-GCM whenever the partner supports it: CBC mode in XML Encryption is exposed to padding-oracle attacks, whereas GCM authenticates the ciphertext. The AES-GCM identifiers live in the http://www.w3.org/2009/xmlenc11# namespace (for example http://www.w3.org/2009/xmlenc11#aes256-gcm). The following metadata fragment advertises AES-256-CBC on the encryption key:

    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>            ...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>

Signing Algorithm

The signing algorithm itself is not changed; the metadata file is edited so that the signing KeyDescriptor advertises SHA-256, using the SHA-256 digest identifier http://www.w3.org/2001/04/xmlenc#sha256. This element only advertises the digest to the partner; the algorithms actually applied to signed messages are the ones named in the ds:SignatureMethod and ds:DigestMethod of each signature. For example:

    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>            ...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </md:KeyDescriptor>

Certificate Management

OIOSAML 3-compliant trusted providers use OCES3-compliant certificates. The same certificate must be added for both signing and encryption.

For more information about certificates, see Section 17.0, Managing Certificates and Keystores.

Attribute Set

OIOSAML 3 supports both personal and professional profiles. A professional profile carries a persistent UUID attribute that identifies the professional in their public-sector role. The identifier is unique and is not derived from the individual's personal information.

For OIOSAML 3 trusted providers, the attribute set to configure is OIOSAML. Use this attribute set and add or update the attributes in it.

You must update your existing attribute set with the attribute mapping required by the OIOSAML 3-compliant trusted provider.

For example, the constant values OIO-SAML-3.0 and Substantial are mapped to their respective remote attribute URLs, with the remote format URI and Special Character Encoded selected.

The LDAP attribute description [LDAP Attribute Profile] is mapped to NameID with the remote format Unspecified and Special Character Encoded. These attributes are sent as part of the federation.

For more information about attributes, see Section 2.8.6, Selecting Attributes for a Trusted Provider and Section 2.4.2, Editing Attribute Sets.

SAML2.0 Trusted Provider Configuration

While creating an OIOSAML 3-compliant SAML 2.0 service provider (SP) or identity provider (IDP), the SAML 2 binding must be HTTP-POST. The NameID must be based on the metadata provided by the OIOSAML-compliant provider. Access Manager supports both SP and IDP configuration for OIOSAML 3 trusted providers by checking the supported NameID format in the metadata. When Access Manager acts as an IDP, it must encrypt the assertions it sends.
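The following check script is an added example, not Access Manager code, and covers the metadata-level points from this section in one place: the same certificate for signing and encryption (Certificate Management), an AES-GCM or AES-CBC EncryptionMethod on the encryption key (Encryption Algorithm), the SHA-256 advertisement on the signing key (Signing Algorithm), an HTTP-POST endpoint, and a NameID format taken from the metadata (this paragraph). The sample SP metadata, its entity ID and the certificate string are constructed placeholders; the error and warning texts are this example's own.

```python
"""Added example (not Access Manager code): check SAML 2.0 metadata against the
OIOSAML 3 points on this page. Sample metadata and certificate are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
AES_GCM = {"http://www.w3.org/2009/xmlenc11#aes128-gcm",
           "http://www.w3.org/2009/xmlenc11#aes256-gcm"}
AES_CBC = {"http://www.w3.org/2001/04/xmlenc#aes128-cbc",
           "http://www.w3.org/2001/04/xmlenc#aes256-cbc"}
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Preferred first: the NameID format picked for the trusted provider is the first one listed here
# that the partner's metadata also lists.
NAMEID_FORMATS = ["urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]


def _cert(key_descriptor):
    """Base64 body of ds:X509Certificate with whitespace removed, so a line-wrapped
    copy and an unwrapped copy of the same certificate compare equal."""
    node = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return re.sub(r"\s+", "", node.text or "") if node is not None else ""


def check_metadata(xml_text):
    """Return {"errors": [...], "warnings": [...], "nameid_format": str or None}.
    An empty "errors" list means every check on this page passed."""
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        return {"errors": ["no SPSSODescriptor or IDPSSODescriptor"],
                "warnings": [], "nameid_format": None}

    errors, warnings = [], []
    certs = {"signing": set(), "encryption": set()}
    enc_algs, signing_sha256 = [], False
    for kd in role.findall("md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]  # no 'use' = both
        algs = [em.get("Algorithm") for em in kd.findall("md:EncryptionMethod", NS)]
        for use in uses:
            certs[use].add(_cert(kd))
        if "encryption" in uses:
            enc_algs += algs
        if "signing" in uses and SHA256_DIGEST in algs:
            signing_sha256 = True  # the SHA-256 advertisement convention shown on this page

    if not certs["signing"] or not certs["encryption"]:
        errors.append("both a signing and an encryption certificate are required")
    elif certs["signing"] != certs["encryption"]:
        errors.append("signing and encryption certificates differ; the same OCES3 certificate must be used for both")
    block = [a for a in enc_algs if a in AES_GCM or a in AES_CBC]
    if not block:
        errors.append("no AES-GCM or AES-CBC EncryptionMethod on the encryption key")
    elif not any(a in AES_GCM for a in block):
        warnings.append("only AES-CBC advertised; prefer AES-GCM (CBC in XML Encryption is exposed to padding-oracle attacks)")
    if not signing_sha256:
        warnings.append("signing key does not advertise SHA-256")

    endpoints = (role.findall("md:AssertionConsumerService", NS)
                 + role.findall("md:SingleSignOnService", NS))
    if not any(e.get("Binding") == HTTP_POST for e in endpoints):
        errors.append("no HTTP-POST endpoint; the SAML 2 binding must be POST")

    listed = [(n.text or "").strip() for n in role.findall("md:NameIDFormat", NS)]
    nameid = next((f for f in NAMEID_FORMATS if f in listed), None)
    if nameid is None:
        errors.append("metadata lists no persistent or unspecified NameIDFormat")
    return {"errors": errors, "warnings": warnings, "nameid_format": nameid}


# Constructed sample SP metadata; the certificate value is a placeholder, not a real certificate.
SAMPLE_CERT = "MIIBplaceholderCertificateBase64ForThisExampleOnly"
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.dk/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="{SHA256_DIGEST}"/>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_FORMATS[0]}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://sp.example.dk/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_metadata(SP_METADATA))
```

Run it against the metadata you exported from Access Manager and against the partner's metadata before exchanging them; a CBC-only encryption key or a mismatched certificate pair shows up here rather than as a failed federation at runtime.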

For contracts, the OIOSAML 3-compliant provider requires the allowable class to be specified as a URL (https://data.gov.dk/concept/core/nsis/loa/Substantial), and the URI to be https://data.gov.dk/concept/core/nsis/loa/Substantial.

When Access Manager acts as an IDP: The new contract is identified, and the user is authenticated based on the allowable class and URL in the contract.

When Access Manager acts as an SP: If the OIOSAML 3-compliant provider requires a signed assertion response, the Satisfiable by a contract of equal or higher level option must be selected.
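The following is an added example, not Access Manager code, of the checks an SP would run on what it receives under the contract rules above: that the response carries an EncryptedAssertion rather than a plaintext one (the IDP must encrypt, as stated earlier in this section), that the asserted AuthnContextClassRef is the Substantial URI or a higher level (the "equal or higher level" rule), that the NameID format is one the attribute mapping above produces, and that every attribute uses the URI name format. The sample assertion and response are constructed, including the issuer, NameID value and attribute names (the two attribute names are assumed from the OIOSAML 3 profile, not taken from this page), and the level order Low < Substantial < High is assumed from the NSIS standard, which this page does not spell out.

```python
"""Added example (not Access Manager code): SP-side checks on a SAML response and
on an already-decrypted assertion. Sample messages are constructed; the NSIS level
order Low < Substantial < High is an assumption taken from NSIS, not this page."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
LOA_BASE = "https://data.gov.dk/concept/core/nsis/loa/"
LOA_ORDER = ["Low", "Substantial", "High"]          # assumed NSIS ordering, lowest first
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEID_OK = {"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
             "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}


def loa_level(class_ref):
    """Rank of an NSIS LoA URI, or None if the value is not one (for example a bare
    'Substantial' string instead of the full URI the contract requires)."""
    if class_ref.startswith(LOA_BASE) and class_ref[len(LOA_BASE):] in LOA_ORDER:
        return LOA_ORDER.index(class_ref[len(LOA_BASE):])
    return None


def loa_satisfies(class_ref, required=LOA_BASE + "Substantial"):
    """'Satisfiable by a contract of equal or higher level': the asserted class
    must rank at or above the contract's class, and both must be valid URIs."""
    got, need = loa_level(class_ref), loa_level(required)
    return got is not None and need is not None and got >= need


def response_is_encrypted(response_xml):
    """The IDP must encrypt assertions: accept only EncryptedAssertion, and reject a
    response that also carries a plaintext Assertion alongside it."""
    root = ET.fromstring(response_xml)
    return (root.find("saml:EncryptedAssertion", NS) is not None
            and root.find("saml:Assertion", NS) is None)


def check_assertion(assertion_xml, required=LOA_BASE + "Substantial"):
    """Checks on a decrypted assertion. Returns a list of problems; empty means OK."""
    a = ET.fromstring(assertion_xml)
    problems = []
    ref = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    got = (ref.text or "").strip() if ref is not None else None
    if got is None or not loa_satisfies(got, required):
        problems.append(f"AuthnContextClassRef {got!r} does not satisfy {required}")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") not in NAMEID_OK:
        problems.append("NameID missing or not in persistent/unspecified format")
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat") != URI_FORMAT:
            problems.append(f"attribute {attr.get('Name')} must use NameFormat URI")
    return problems


# Constructed samples. Attribute names are assumed from the OIOSAML 3 profile.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.dk</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">professional-uuid-placeholder</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>{LOA_BASE}Substantial</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://data.gov.dk/model/core/specVersion" NameFormat="{URI_FORMAT}"><saml:AttributeValue>OIO-SAML-3.0</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="https://data.gov.dk/concept/core/nsis/loa" NameFormat="{URI_FORMAT}"><saml:AttributeValue>{LOA_BASE}Substantial</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
    <xenc:CipherData><xenc:CipherValue>constructedCiphertextPlaceholder</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(response_is_encrypted(ENCRYPTED_RESPONSE), check_assertion(SAMPLE_ASSERTION))
```

The bare string "Substantial" is deliberately rejected by loa_level: the contract must carry the full https://data.gov.dk/concept/core/nsis/loa/Substantial URI, and a comparison on the short name alone would let an unrelated class through.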

Metadata

Access Manager generates the OIOSAML 3 metadata, which you provide to the OIOSAML 3-compliant providers. You can edit the metadata to remove the signature element if the OIOSAML 3-compliant provider requires it; exchange unsigned metadata only over a channel you trust, because the signature is what lets the receiving side verify that the metadata was not altered in transit.

For more information about metadata, see Section 2.8.7, Managing Metadata, Creating a Trusted Identity Provider, and Creating a Trusted Service Provider.