Project: Remote Query of Justice Gateway

Security Requirements

The WIJIS Justice Gateway offers services for searching pointers and retrieving detail records to satisfy invocations by authorized Justice Domain records management systems deployed at local agencies. This is an alternative to local agencies' personnel use of the Justice Gateway web application.

mutual X.509 certificate authentication
The records management system is the client of the proposed Gateway services. Both the client and the service shall mutually authenticate each other via X.509 certificates. The certificate validity period shall encompass the present date and time. The certificate's Certificate Authority (CA) shall be verified to be a trusted CA. The certificate subject (CN or common name) shall be verified to correspond to the party on the wire sending the certificate. Finally, the certificate shall be confirmed to be absent from the certificate revocation list (CRL).
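As an added illustration (not WIJIS code), the following Python shows how the Gateway service side could configure its TLS listener so that the checks listed above are enforced by the TLS stack during the handshake, plus the application-side mapping of the presented certificate's common name to a registered client system (the "party on the wire" check) and a re-check of the validity period for audit records. The `ca_file`/`crl_file` paths, the `rms.bayside.example` common name, the registered-client table and the peer-certificate dictionary are constructed for the example; the Gateway's real identifiers are not on this page.

```python
"""Added example (not WIJIS code): X.509 mutual-authentication settings for the Gateway service."""
import ssl

# Constructed table mapping a client certificate's CN to a registered client system.
REGISTERED_CLIENTS = {"rms.bayside.example": "bayside-rms"}

# Constructed dictionary in the shape returned by SSLSocket.getpeercert().
CONSTRUCTED_PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Village of Bayside PD"),),
                (("commonName", "rms.bayside.example"),)),
    "notBefore": "Aug 18 00:00:00 2008 GMT",
    "notAfter": "Aug 18 00:00:00 2009 GMT",
}


def build_service_context(ca_file=None, crl_file=None):
    """TLS context for the service side: the client must present a certificate.

    ca_file and crl_file are PEM paths supplied by the deployment (assumed names); when
    both are None the context is returned without trust material so this runs without files.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Handshake fails unless the client presents a certificate whose validity period covers
    # the present time and which chains to a CA loaded below (trusted-CA and period checks).
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Reject leaf certificates listed on a loaded CRL; with this flag set a CRL must actually
    # be loaded, otherwise every handshake fails closed.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def context_is_strict(ctx):
    """True when the context demands client certificates, CRL checking and TLS 1.2+."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def subject_cn(peer_cert):
    """Common name from a getpeercert() dictionary, or None when absent."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def within_validity(peer_cert, now_seconds):
    """Re-check notBefore <= now <= notAfter from the peer certificate (for audit records)."""
    start = ssl.cert_time_to_seconds(peer_cert["notBefore"])
    end = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return start <= now_seconds <= end


def client_identity(peer_cert, registered_clients):
    """Map the presented certificate to the registered client it belongs to; None means the
    CN is not a known client and the invocation is refused."""
    return registered_clients.get(subject_cn(peer_cert))


if __name__ == "__main__":
    import time
    ctx = build_service_context()  # pass ca_file/crl_file for a real listener
    print(context_is_strict(ctx), client_identity(CONSTRUCTED_PEER_CERT, REGISTERED_CLIENTS),
          within_validity(CONSTRUCTED_PEER_CERT, time.time()))
```

The client identity returned by `client_identity` is the key under which the service keeps its permitted-issuer and permitted-organization sets for the SAML checks described later in this document, so the certificate check and the assertion checks are tied to the same party.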

client SAML attribute assertions of remote user
The client shall send SAML attribute assertions concerning the records management system's user (aka remote user) who has been authenticated by that very same records management system. In addition, the service trusts the records management system (aka client) not to send the SAML attribute assertion and not to invoke the service unless both the attribute assertion and the invocation are made during the lifetime of the remote user's authenticated session (i.e. the lifetime of the remote user's authentication assertion). The assertion names and permissible values are listed below. Following the list is an explanation of the assertion verifications performed by the service. For an example of a SAML assertion, please see the end of this document.



List of Assertions (each entry gives the assertion name, followed by its permissible values):
SAML “Issuer” attribute of the “Assertion” tag

Each client shall have a value assigned to it. Clients can be grouped together to share a given Issuer value. The values will be taken and reused from WijisCommons operator group URIs (which can also group submitters together). For example, the Bayside Village Police Department's Issuer might have a value of “http://wijis.wisconsin.gov/names/operators/Bayside/” or the City of LaCrosse PD's Issuer might have a value of “http://wijis.wisconsin.gov/names/operators/LaCrosseCountyEmergencyServices/”.

SAML “NotBefore” attribute and “NotOnOrAfter” attribute of the “Conditions” tag. These are referred to as authentication Session-Start and Session-End.

The values are date-times, customarily expressed as
<YYYY>-<MM>-<DD>T<hh>:<mm>:<ss>.<ddd>Z<offset>

(unique id): SAML attribute called “AttributeName” of the tag “Attribute”. There must be one value for “AttributeName”, which may be unique for each local agency, to represent the remote user's unique and immutable identifier within the remote system. However, this name value shall end in a uniform pattern of “/attributes/UniqueId” (i.e. the namespace is at the discretion of the local agency).

The attribute's contained (child) SAML tag “AttributeValue” could contain anything and is at the discretion of the client who is acting as the SAML assertion authority. For example, the AttributeValue could appear like “Rs7vLrXPw0imWzzESLfG08==”.

(given name): SAML attribute called “AttributeName” of the tag “Attribute”. The value of “AttributeName” is “urn:mace:dir:attribute-def:givenName”.

The attribute's contained (child) SAML tag “AttributeValue” could contain anything and is at the discretion of the client who is acting as the SAML assertion authority. For example, the AttributeValue could appear like “Michael”.

(surname): SAML attribute called “AttributeName” of the tag “Attribute”. The value of “AttributeName” is “urn:mace:dir:attribute-def:sn”.

The attribute's contained (child) SAML tag “AttributeValue” could contain anything and is at the discretion of the client who is acting as the SAML assertion authority. For example, the AttributeValue could appear like “Jones”.

(middle name): SAML attribute called “AttributeName” of the tag “Attribute”. The value of “AttributeName” is “urn:mace:dir:attribute-def:middleName” (alternatively, it may be “urn:mace:dir:attribute-def:initials”).

The attribute's contained (child) SAML tag “AttributeValue” could contain anything and is at the discretion of the client who is acting as the SAML assertion authority. For example, the AttributeValue could appear like “Charles” (or like “C” in the alternative case of initials).

(organization): SAML attribute called “AttributeName” of the tag “Attribute”. The value of “AttributeName” is “urn:mace:dir:attribute-def:o”. Typically, a WIJIS service will expect organizational-role information within the assertion. However, for this Remote Query use-case, the service trusts that the client has authorized the remote user's role to be that of a Gateway Searcher. Therefore, only organizational information need be asserted.

The attribute's contained (child) SAML tag “AttributeValue” shall be a bona-fide agency URI as published on wijiscommons.org. For example, the AttributeValue could appear like “http://wijis.wisconsin.gov/names/operators/Bayside/VillageOfBaysidePD/”.

(level of assurance): SAML attribute called “AttributeName” of the tag “Attribute”. The format and value of “AttributeName” are NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" and AttributeName="gov:wi:wijis:saml:attribute:AssuranceLevel".
There is as yet no standardization for expressing level of assurance, which is agreed by many to be a binomial attribute: a combination of a measure of the strength of the authentication mechanism/method employed by the user during the “current” authenticated session along with a measure of the degree to which the user's identity prior to account creation was vetted, verified, validated, or “proofed”. In fact, there is not yet even a standard name for conveying such information.

The attribute's contained (child) SAML tag “AttributeValue” could contain anything, but the portion of the binomial that contains the strength of the authentication method shall be “password” for access to only law enforcement source information or be “password-and-OTP” for access to either law enforcement or district attorney source information.

(sensitivity privilege): SAML attribute called “AttributeName” of the tag “Attribute”. The format and value of “AttributeName” are NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" and AttributeName="gov:wi:wijis:saml:attribute:SensitivityPrivilege".
This assertion may optionally appear. It is an assertion of a Gateway-specific sensitivity privilege. WIJIS specifies these values.

The attribute's contained (child) SAML tag “AttributeValue” could be multivalued (i.e. the child tag could appear multiple times). The permissible values are "JUV", "OPEN", "SX".



Verifying Assertions:

verifying Issuer
The service shall ensure the issuer of the remote user's assertions is a valid member of the set of permitted issuers for the client system (the set will typically have just one member; that one issuer though may be the issuer for multiple clients). This set is managed internally by the service.

verifying Organization
The service shall ensure the remote user's affiliated organization (customarily the employer) is a valid member of the set of permitted organizations for the client system (the set for many clients will likely have more than one member). This set is managed internally by the service.

verifying authentication Session-Start and Session-End
The service shall ensure the remote user's authentication session start and end times bracket the current time (non-inclusive at both ends).

verifying Level-of-Assurance
The service shall ensure that the appropriate level of assurance is asserted before honoring requests either for pointers matching search criteria or for detail records. Different levels of assurance are anticipated to be required in order to access information from law enforcement sources as compared to information from district attorney sources.

verifying Sensitivity-Privilege
The service shall ensure that the appropriate sensitivity privileges are possessed by the remote user prior to providing access to pointers and detail records that are known to be flagged as sensitive.
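The assertion list and the verification rules above, applied in one place: an added Python example (not WIJIS code) that parses a response shaped like the example at the end of this document and returns the list of checks that failed, so that an empty list means the pointer search or detail retrieval may proceed. The permitted-issuer and permitted-organization tables, the client id `bayside-rms` (taken to be the identity established by the mutual X.509 authentication), the sample response, and the `<method>:<proofing>` layout of the AssuranceLevel value are assumptions made for this example; the page fixes only the method names “password” and “password-and-OTP”.

```python
"""Added example (not WIJIS code): apply the Remote Query assertion checks to a SAML response."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed policy tables, keyed by the client identity established by mutual X.509
# authentication; the service manages these sets internally.
PERMITTED_ISSUERS = {"bayside-rms": {"http://wijis.wisconsin.gov/names/operators/Bayside/"}}
PERMITTED_ORGS = {"bayside-rms": {
    "http://wijis.wisconsin.gov/names/operators/Bayside/VillageOfBaysidePD/"}}
# Authentication-method strength accepted per source, as stated in the requirements.
ACCEPTED_METHODS = {"LE": {"password", "password-and-OTP"}, "DA": {"password-and-OTP"}}
SENSITIVITY_VALUES = {"JUV", "OPEN", "SX"}
ORG_ATTR = "urn:mace:dir:attribute-def:o"
ASSURANCE_ATTR = "gov:wi:wijis:saml:attribute:AssuranceLevel"
SENSITIVITY_ATTR = "gov:wi:wijis:saml:attribute:SensitivityPrivilege"

# Constructed response in the shape of the document's example (all values are made up).
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">
 <Assertion Issuer="http://wijis.wisconsin.gov/names/operators/Bayside/" MajorVersion="1" MinorVersion="1">
  <Conditions NotBefore="2008-08-18T08:28:26.342Z" NotOnOrAfter="2008-08-18T20:28:26.342Z"/>
  <AttributeStatement>
   <Attribute AttributeName="https://ph.fillintheblankpolicedept.org/attributes/UniqueId">
    <AttributeValue>Rs7vLrXPw0imWzzESLfG08==</AttributeValue></Attribute>
   <Attribute AttributeName="urn:mace:dir:attribute-def:givenName"><AttributeValue>Jim</AttributeValue></Attribute>
   <Attribute AttributeName="urn:mace:dir:attribute-def:o">
    <AttributeValue>http://wijis.wisconsin.gov/names/operators/Bayside/VillageOfBaysidePD/</AttributeValue></Attribute>
   <Attribute AttributeName="gov:wi:wijis:saml:attribute:AssuranceLevel"><AttributeValue>password:in-person</AttributeValue></Attribute>
   <Attribute AttributeName="gov:wi:wijis:saml:attribute:SensitivityPrivilege">
    <AttributeValue>JUV</AttributeValue><AttributeValue>OPEN</AttributeValue></Attribute>
  </AttributeStatement>
 </Assertion>
</Response>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """Descendants (root included) whose local tag name matches, in document order."""
    return [e for e in root.iter() if _local(e.tag) == name]


def parse_saml_time(text):
    """Parse <YYYY>-<MM>-<DD>T<hh>:<mm>:<ss>.<ddd>Z into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Return issuer, validity window and attributes (AttributeName -> list of values)."""
    root = ET.fromstring(xml_text)
    assertions, conditions = _find(root, "Assertion"), _find(root, "Conditions")
    if len(assertions) != 1 or len(conditions) != 1:
        raise ValueError("expected exactly one Assertion with one Conditions element")
    attrs = {}
    for attr in _find(assertions[0], "Attribute"):
        values = [(v.text or "").strip() for v in attr if _local(v.tag) == "AttributeValue"]
        attrs.setdefault(attr.get("AttributeName", ""), []).extend(values)
    return {"issuer": assertions[0].get("Issuer"),
            "not_before": parse_saml_time(conditions[0].get("NotBefore")),
            "not_on_or_after": parse_saml_time(conditions[0].get("NotOnOrAfter")),
            "attributes": attrs}


def verify_assertion(xml_text, client_id, source, required_sensitivity, now=None):
    """Run the 'Verifying Assertions' checks; an empty list of failures means proceed.

    source is 'LE' (law enforcement) or 'DA' (district attorney); required_sensitivity
    holds the sensitivity flags of the records requested; now may be a SAML time string.
    """
    now = parse_saml_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    try:
        a = parse_assertion(xml_text)
    except (ET.ParseError, ValueError, AttributeError) as exc:
        return [f"malformed assertion: {exc}"]
    attrs, failures = a["attributes"], []
    # Issuer must be one of the issuers registered for this client.
    if a["issuer"] not in PERMITTED_ISSUERS.get(client_id, set()):
        failures.append(f"issuer not permitted for client {client_id}: {a['issuer']}")
    # Session-Start and Session-End must strictly bracket the current time (non-inclusive).
    if not (a["not_before"] < now < a["not_on_or_after"]):
        failures.append("current time outside NotBefore/NotOnOrAfter window")
    # Exactly one single-valued UniqueId attribute, in whatever namespace the agency chose.
    uids = [n for n in attrs if n.endswith("/attributes/UniqueId")]
    if len(uids) != 1 or len(attrs[uids[0]]) != 1 or not attrs[uids[0]][0]:
        failures.append("expected exactly one single-valued UniqueId attribute")
    # Organization must be a permitted agency URI for this client.
    orgs = attrs.get(ORG_ATTR, [])
    if not orgs or any(o not in PERMITTED_ORGS.get(client_id, set()) for o in orgs):
        failures.append(f"organization not permitted for client {client_id}: {orgs}")
    # Level of assurance: ASSUMED layout '<method>:<proofing>'; the requirements fix only the
    # method names, so the method is read from the part before the first colon.
    levels = attrs.get(ASSURANCE_ATTR, [])
    method = levels[0].split(":", 1)[0] if len(levels) == 1 else None
    if method not in ACCEPTED_METHODS.get(source, set()):
        failures.append(f"assurance method {method!r} not accepted for source {source}")
    # Sensitivity privileges are optional and multi-valued; they must cover every flag requested.
    privs = set(attrs.get(SENSITIVITY_ATTR, []))
    if privs - SENSITIVITY_VALUES:
        failures.append(f"unknown sensitivity values: {sorted(privs - SENSITIVITY_VALUES)}")
    missing = set(required_sensitivity) - privs
    if missing:
        failures.append(f"missing sensitivity privilege: {sorted(missing)}")
    return failures


if __name__ == "__main__":
    print(verify_assertion(SAMPLE_RESPONSE, "bayside-rms", "LE", {"JUV"}, "2008-08-18T12:00:00Z"))
```

Because the requirements make the SensitivityPrivilege assertion optional, a request for records that carry no sensitivity flag passes without it, while every flag on the requested records must be matched by an asserted value; the time comparison is strict at both ends, so an assertion presented exactly at NotOnOrAfter is refused.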

logging/auditing
Both the client and the service shall log for potential audit purposes each transaction in full detail excluding any pointers and excluding any detail records.

Example of a SAML attribute assertion:

<?xml version="1.0" encoding="us-ascii"?>
<Response
	xmlns:xml='http://www.w3.org/XML/1998/namespace'
	xmlns='urn:oasis:names:tc:SAML:1.0:protocol'
	xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion'
	xmlns:samlp='urn:oasis:names:tc:SAML:1.0:protocol'
	InResponseTo='_abb8495130304c79ee5b9e04ab410091'
	IssueInstant='2008-08-18T08:28:26.342Z'
	MajorVersion='1'
	MinorVersion='1'
	ResponseID='_9555f7a32d061471587a7e8ca331c0c0'
>
	<Status>
		<StatusCode
			Value='samlp:Success'
		/>
	</Status>
	<Assertion
		AssertionID='_0761475bc5437b89ac866c66d59e97ee'
		IssueInstant='2008-08-18T08:28:26.342Z'
		Issuer='http://wijis.wisconsin.gov/names/operators/Bayside/'
		MajorVersion='1'
		MinorVersion='1'
	>
		<Conditions
			NotBefore='2008-08-18T08:28:26.342Z'
			NotOnOrAfter='2008-08-18T20:28:26.342Z'
		/>
		<AttributeStatement>
			<Subject>
				<NameIdentifier
					Format='urn:mace:PopularLawEnforcmentRMS:1.0:nameIdentifier'
					NameQualifier='https://auth.fillintheblankpolicedept.org/'
				>_b10cd848bd0155465857c1ec5bc682ef</NameIdentifier>
			</Subject>

			<Attribute
				AttributeName='urn:mace:dir:attribute-def:givenName'
				AttributeNamespace='urn:mace:PopularLawEnforcmentRMS:1.0:attributeNamespace:uri'
			>
				<AttributeValue>Jim</AttributeValue>
			</Attribute>

			<Attribute
				AttributeName='https://ph.fillintheblankpolicedept.org/attributes/UniqueId'
				AttributeNamespace='urn:mace:PopularLawEnforcmentRMS:1.0:attributeNamespace:uri'
			>
				<AttributeValue>Rs7vLrXPw0imWzzESLfG08==</AttributeValue>
			</Attribute>

			<Attribute
				AttributeName='urn:mace:dir:attribute-def:o'
				AttributeNamespace='urn:mace:PopularLawEnforcmentRMS:1.0:attributeNamespace:uri'
			>
				<AttributeValue>Bayside Police Department</AttributeValue>
			</Attribute>

			<Attribute
				AttributeName='urn:mace:dir:attribute-def:sn'
				AttributeNamespace='urn:mace:PopularLawEnforcmentRMS:1.0:attributeNamespace:uri'
			>
				<AttributeValue>Smith</AttributeValue>
			</Attribute>

			<Attribute
				AttributeName='https://ph.fillintheblankpolicedept.org/attributes/WIJISGatewayRemoteSearchRoles'
				AttributeNamespace='urn:mace:PopularLawEnforcmentRMS:1.0:attributeNamespace:uri'
			>
				<AttributeValue>Remote Person Search</AttributeValue>
			</Attribute>

		</AttributeStatement>
	</Assertion>
</Response>