[Openid-specs-fastfed] Feedback on the FastFed SAML interop
McAdams, Darin
darinm at amazon.com
Tue Feb 18 00:13:28 UTC 2020
Hi group,
Reviewing the feedback on FastFed SAML Profile<https://drive.google.com/drive/folders/1ld_SRjGoTaxuIY12sWd_rh83uehCCTdu>, there were a couple suggestions for additional guidance. Sharing bullet points here as an FYI. Let us know if you have feedback.
Suspect this is mostly non-controversial. It describes what most of us are already doing. But, worth capturing. I’ll plan to update the spec with the information.
--------------------------------------------
[Rough-draft]
Replay Attack Mitigation
* Identity Providers MUST include a “Conditions” element in the Assertion with NotBefore and NotOnOrAfter elements to bound the lifetime of the assertion. The lifetime time SHOULD be as short as possible. As a reference to implementors, a 10 minute window is often sufficient to reduce the risk of replays while still allowing a small degree of clock skew between participants.
* Application Providers MUST validate the Condition is satisfied.
Response Binding
* Must use the HTTP POST binding for SAML Responses. (Note – the spec mandates the HTTP Redirect binding for the SAML Request, but is silent on the Response.)
Response Signing
* Identity Providers MUST sign either the Assertion, the Response, or Both. (The current practices here are variable across providers. Does anyone think we should be more prescriptive, such as always mandating signatures on a particular element?)
* Application Providers (or course) MUST ensure signatures exist and are valid.
Signature Algorithms
* Minimally, SHOULD support SHA-256 Hashing
* Minimally, SHOULD support either RSA with 2048 bit keys, or ECDSA with Curve P-256.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fastfed/attachments/20200218/a1557156/attachment.html>
More information about the Openid-specs-fastfed
mailing list