OASIS SAML Security and Privacy 2.0: Difference between revisions
m (5 revisions imported: Initial Upload of old pages from IDESG Wiki) |
(No difference)
|
Latest revision as of 04:02, 28 June 2018
Title: Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0
Category: Authentication Procotol Specification
Date: 3/15/2005
Creator: OASIS
URL: http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
Description: Provides security and privacy considerations for users of SAML 2.0, including some specific implementation
requirements (such as mandatory cryptographic algorithms to be supported) but more extensive discussion
of threats and countermeasures to be considered when profiling SAML 2.0.
Privacy: There is discussion of achieving privacy through confidentiality of the transaction and a discussion of
pseudonymity. Privacy protections implemented for PII at rest seems to be out of scope.
Security: The threat analysis within explains design choices within SAML or informs the developers of SAML profiles.
The document requires SHA-1 with no mention of more robust hash algorithms (SHA-256 etc did not exist in
2005), requires Triple DES and suggests but does not mandate AES.
Interoperability: The document specifies TLS cipher suites that are required to be supported.
Terms: