Version: 21.6.2020
MPASSid SAML 2.0 profile
A SAML profile is used to ensure that all the identity providers and services in a trust network can interoperate with each other. This is achieved by defining a subset of the much larger SAML 2.0 standard and specifying certain functionalities in greater detail. When all the services follow the same guidelines, we can build a trust network with the best possible operational reliability and predictability.
MPASSid follows the saml2int deployment profile in the relevant parts. The more detailed definitions for the MPASSid trust network are as follows:
- NameIDFormat is transient, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Authentication Request Binding is HTTP-Redirect, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
- Authentication Response Binding is HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- Authentication requests must be signed
- Encryption of Assertions is recommended
- Registered SAML endpoints must be protected by using SSL / TLS encryption and they have to be in FQDN format
- Public keys should be provided as self-signed X.509 certificates with RSA public keys of at least 2048 bits
- Single logout service is not implemented.
- Supported attributes are maintained within the MPASSid data model.
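The profile points above are the things an operator would check in a service provider's metadata before admitting it to the trust network. The following checker is an added example (not MPASSid's own tooling): it reads SP metadata with the standard library and reports where the metadata departs from the profile (unsigned authentication requests, a NameIDFormat other than transient, an AssertionConsumerService that is not HTTP-POST or not on an https FQDN, a declared single logout endpoint, missing signing or encryption certificates, or a certificate value that is not base64 DER). Both sample metadata documents are constructed, and the certificate value is a DER-looking placeholder blob, not a real certificate. The RSA key length requirement is not checked here, because that needs an X.509 parser.

```python
"""Check SP metadata against the MPASSid SAML 2.0 profile points listed above.

Added example, not MPASSid's own tooling. Sample documents are constructed; the
certificate value is a placeholder blob, not a real certificate. RSA key length
(>= 2048 bits) is not checked: that needs an X.509 parser.
"""
import base64
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def is_fqdn_https(url):
    """True when url is https and its host is a dotted hostname (no IP literal, no bare name)."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        return False
    try:
        ipaddress.ip_address(p.hostname)
        return False                      # IP literal, not an FQDN
    except ValueError:
        return "." in p.hostname


def check_sp_metadata(xml_text):
    """Return a list of (severity, message); an empty list means the profile is met."""
    findings = []
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return [("error", "no SPSSODescriptor in metadata")]
    # Authentication requests must be signed
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append(("error", "AuthnRequestsSigned must be true"))
    # NameIDFormat is transient, and nothing else
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    if formats != [NAMEID_TRANSIENT]:
        findings.append(("error", "NameIDFormat must be exactly transient, got %r" % formats))
    # Response binding is HTTP-POST; endpoints are https on an FQDN
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append(("error", "no AssertionConsumerService endpoint"))
    for e in acs:
        if e.get("Binding") != BINDING_POST:
            findings.append(("error", "ACS binding must be HTTP-POST, got %s" % e.get("Binding")))
        if not is_fqdn_https(e.get("Location", "")):
            findings.append(("error", "ACS Location must be https on an FQDN: %s" % e.get("Location")))
    # Single logout is not implemented in MPASSid
    if sp.findall("md:SingleLogoutService", NS):
        findings.append(("warning", "SingleLogoutService declared but single logout is not implemented"))
    # Certificates: a signing key is required, an encryption key is recommended
    keys = {kd.get("use", "both"): kd for kd in sp.findall("md:KeyDescriptor", NS)}
    if not ("signing" in keys or "both" in keys):
        findings.append(("error", "no signing KeyDescriptor (self-signed X.509 certificate required)"))
    if not ("encryption" in keys or "both" in keys):
        findings.append(("warning", "no encryption KeyDescriptor; assertion encryption is recommended"))
    for use, kd in keys.items():
        cert = kd.find(".//ds:X509Certificate", NS)
        text = "".join((cert.text if cert is not None and cert.text else "").split())
        if not text:
            findings.append(("error", "KeyDescriptor use=%s has no X509Certificate" % use))
            continue
        try:
            der = base64.b64decode(text, validate=True)   # binascii.Error is a ValueError
        except ValueError:
            findings.append(("error", "KeyDescriptor use=%s: not base64 DER (PEM header pasted in?)" % use))
            continue
        if not der.startswith(b"\x30"):
            findings.append(("error", "KeyDescriptor use=%s: decoded value is not a DER SEQUENCE" % use))
    return findings


# Constructed placeholder: starts like a DER SEQUENCE but is not a certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82\x00\x1c" + b"\x00" * 28).decode()


def _sp_xml(signed, nameid, binding, location, key_use, cert_text, slo=""):
    """Build constructed SP metadata for the checks above (hypothetical entityID)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sp.example.edu/saml">
  <md:SPSSODescriptor {signed} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor {key_use}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_text}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{nameid}</md:NameIDFormat>{slo}
    <md:AssertionConsumerService Binding="{binding}" Location="{location}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


GOOD_SP = _sp_xml('AuthnRequestsSigned="true"', NAMEID_TRANSIENT, BINDING_POST,
                  "https://sp.example.edu/saml/acs", "", PLACEHOLDER_CERT)
BAD_SP = _sp_xml("", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                 "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "http://10.0.0.5/acs",
                 'use="signing"', "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
                 '<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.0.0.5/slo"/>')

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SP), ("bad", BAD_SP)):
        print(name, check_sp_metadata(doc) or "profile met")
```

The good document produces no findings; the bad one produces five errors (unsigned requests, persistent NameID, HTTP-Redirect response binding, a plain-http IP-literal endpoint, and a PEM block pasted into X509Certificate) and two warnings (a declared single logout service, no encryption key). A KeyDescriptor without a `use` attribute counts for both signing and encryption, as the metadata schema defines it.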
More information about SAML2 protocol and saml2int:
https://wiki.oasis-open.org/security/FrontPage
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
MPASSid OIDC profile
When a service (relying party) wants to join the MPASSid trust network using OIDC, it must provide the redirect URIs, the authentication method and the authorization flow it wants to use. The default authentication method is "client_secret_basic" and the default authorization flow is "code". If your application needs heightened security, consider using public keys as the authentication method ("private_key_jwt") instead of a shared secret. Using the implicit flow is not recommended in the MPASSid trust network.
Native apps such as mobile (Android/iOS) apps or SPA solutions should use dedicated tools like AppAuth (https://appauth.io/) or any other supported library that implements a secure authentication solution, for example the PKCE standard (https://oauth.net/2/pkce/).
Information needed for authentication (such as public keys when using the "private_key_jwt" method) must be sent to the operator at mpass@oph.fi. In exchange, Opetushallitus/EDUFI will provide connection information to the relying party, for example the client_id and client_secret.
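The PKCE mechanism recommended above for native and single-page clients, shown end to end as an added example (not code from MPASSid, AppAuth or any SDK): the client derives an S256 challenge from a random verifier, sends the challenge in a code-flow authorization request with the openid and profile scopes, checks the state on the callback, and the token endpoint only redeems the code for the verifier behind the stored challenge. The authorization endpoint, client_id and redirect URI are placeholders; the verifier/challenge pair used for checking is the test vector from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) for a native or single-page OIDC client: S256 challenge derivation,
the code-flow authorization request, the callback state check and the token-endpoint
verification of the verifier.

Added example, not code from MPASSid, AppAuth or any SDK. Endpoint URL, client_id and
redirect URI are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Test vector from RFC 7636 Appendix B
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data):
    """base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier():
    """32 random bytes give a 43-character verifier (RFC minimum is 43, maximum 128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier):
    """code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, verifier, state, nonce):
    """Authorization request for the code flow with PKCE; the implicit flow is not used."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",          # the scopes MPASSid supports
        "state": state,                     # bound to the client session, checked on return
        "nonce": nonce,                     # echoed in the ID token, checked by the client
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",    # never the 'plain' method
    }
    return authorize_endpoint + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Client side: return the code only if the callback carries the state we issued."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state or "code" not in q:
        return None
    return q["code"][0]


def server_verify_pkce(stored_challenge, stored_method, presented_verifier):
    """Token-endpoint side: the code may only be redeemed with the verifier behind the challenge."""
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_url("https://op.example.invalid/authorize", "client-id-placeholder",
                                  "https://app.example.edu/callback", verifier, state, nonce)
    print(url)
    print("verifier accepted:", server_verify_pkce(code_challenge_s256(verifier), "S256", verifier))
```

The verifier never leaves the client until the token request, so a code intercepted on the redirect is useless without it; the server-side comparison is constant-time and rejects the 'plain' method and out-of-range verifier lengths before hashing.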
Other adjustments to the standard are:
- Registered endpoints must be protected by using SSL / TLS encryption and they have to be in FQDN format
- Public keys should be provided as self-signed X.509 certificates with RSA public keys of at least 2048 bits
- Single logout service is not implemented.
- Only the openid and profile scopes are supported
- Dynamic registration is not supported
- Supported claims are maintained within the MPASSid data model.
Note! We recommend using only certified implementations of libraries and SDKs when building solutions for the MPASSid trust network. A list of available software can be found here:
https://openid.net/certification/
MPASSid configuration:
https://mpass-proxy.csc.fi/.well-known/openid-configuration
More information about OpenID Connect:
https://openid.net/specs/openid-connect-core-1_0.html
https://www.oauth.com/