I4:Information Card Relying Party Features
Contents
- 1 Feature-Accepts Self-Issued Cards
- 2 Feature-Accepts Managed Cards
- 3 Feature-Accepts tokens with 256-bit KeySize
- 4 Feature-Accepts tokens with 128-bit KeySize
- 5 Feature-Accepts tokens with legal whitespace in the signature
- 6 Feature-Accepts expected multi-valued claims
- 7 Feature-Handles claim values containing special characters and non-ASCII values
- 8 Feature-Token with empty claim values
- 9 Feature-Capable of accepting SAML 1.0 tokens
- 10 Feature-Capable of accepting SAML 1.1 tokens
- 11 Feature-Accepts SAML 2.0 tokens
- 12 Feature-Supports use on HTTP sites
- 13 Feature-Relying Party accepts Transport Binding to secure SOAP message
- 14 Feature-Relying Party accepts Symmetric Binding to secure SOAP message
- 15 Feature-Relying Party uses Asymmetric Binding to secure SOAP message
- 16 Feature-Relying Party support for SOAP 1.1
- 17 Feature-Relying Party support for SOAP 1.2
- 18 Feature-Relying Party support for WS-Trust 1.2, WS-SecurityPolicy 1.1
- 19 Feature-Relying Party support for WS-Trust 1.3, WS-SecurityPolicy 1.2
- 20 Feature-Confirms Audience Restriction value matches Relying Party in token from Identity Provider
- 21 Feature-Verifies token signature
- 22 Feature-In browser case, verifies that token is a bearer token
- 23 Feature-Verifies Audience restriction is not present in token when no Auditing data was given
- 24 Feature-Allows the proof key in the token to change between user interactions
- 25 Feature-Different token type received than requested
- 26 Feature-Token encrypted with an unsupported method
- 27 Feature-RSTR received with invalid WS-Trust Lifetime parameters
- 28 Feature-Token with out-of-range SAML notBefore or notOnOrAfter elements
- 29 Feature-SAML token without notBefore or notOnOrAfter elements
- 30 Feature-Token with unrequested claims
- 31 Feature-Token with claim name differing by case
- 32 Feature-Token with non-matching claim name, such as including a trailing slash
- 33 Feature-Verifies that claim namespaces returned in token match those requested
- 34 Feature-Verifies that Token has InclusiveNamespaces element
- 35 Feature-Verifies that Token is only using namespaces in InclusiveNamespaces list
- 36 Feature-Ignores padding in token
- 37 Feature-Unexpected multi-valued claims
- 38 Feature-Received Token is missing required claims
- 39 Feature-Relying Party recognizes equivalence of the multiple URIs for SAML 1.0 and 1.1 tokens
- 40 Feature-RP Sanitizes Received Claims To Prevent Injection Attacks
- 41 Feature-Behavior when no Identity Selector or Browser Add-on installed
- 42 Feature-Behavior when Identity Selector installed but Browser Add-on not installed
- 43 Feature-Behavior when Identity Selector not installed but Browser Add-on installed
- 44 Feature-Provides Validity Window for token times to allow for imperfect Clock Synchronization
- 45 Feature-Relying Party has a domain name and does not require a cert to be installed
- 46 Feature-Information Card Icon used to indicate acceptance of Information Cards
- 47 Feature-Relying Party account creation via Self-Issued Cards
- 48 Feature-Relying Party account creation via Managed Cards
Feature-Accepts Self-Issued Cards
Maturity: Established (I1)

Description | Test procedure | Success | Failure
---|---|---|---
Self-issued information card can be associated with an account at the relying party and used to log into it | Use a self-issued card and verify that the RP has accepted the card | Card accepted | Card not accepted, or error
Tests
I4:FeatureTest-RP Acceptance of Self-Issued Cards
Feature-Accepts Managed Cards
Maturity: Established (I1)

Description | Test procedure | Success | Failure
---|---|---|---
Managed information card can be associated with an account at the relying party and used to log into it | Use a managed card and verify that the RP has accepted the card | Card accepted | Card not accepted, or error
Tests
I4:FeatureTest-RP Acceptance of Managed Cards
Feature-Accepts tokens with 256-bit KeySize
Maturity: Established (I1)

Description | Test procedure | Success | Failure
---|---|---|---
As per ISIP Guide § 5.2.3 | Select a card using a 256-bit KeySize | Works | Failure without actionable message
Tests
Implementation priority: low
Feature-Accepts tokens with 128-bit KeySize
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
This test was included because the IBM IdP was using 128-bit keys in the Barcelona interop for export-control reasons. If no IdP will be issuing tokens with this characteristic, this test can be removed. (Do not include in Interop if not implemented by any identity provider.) | Use a managed card known to use 128-bit key size. | Successful transaction or actionable error message | Failure without actionable message
Tests
Implementation priority: low
Feature-Accepts tokens with legal whitespace in the signature
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Newlines in Signature: RP handling of a signature that contains line breaks or newlines | IdP signature with newlines and other legal whitespace test | Successful transaction | Failure without actionable message
Tests
Implementation priority: medium
Feature-Accepts expected multi-valued claims
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
The returned token contains the same claim multiple times or one claim containing multiple values | Use emailaddress as expected multi-valued claim. Tests will be conducted both for the case of the token containing the same claim multiple times and for the case of one claim containing multiple values. | The multiple values should be accepted and displayed in the order sent | Only one value is returned to the application and shown
Tests
Implementation priority: low
Feature-Handles claim values containing special characters and non-ASCII values
Maturity: Established (I2)

Description | Test procedure | Success | Failure
---|---|---|---
All legal Unicode characters should be usable in claim values, including characters such as <, >, /, \, ", ', :, ;, `, ?, #, and space | Supply claim values containing character set soup | Values accurately delivered to the application | Values changed, rejected, or cause software failures
Tests
Feature-Token with empty claim values
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
The empty string should be a valid claim value | IdP returns an empty value for a required claim | Accept or fail with actionable message | Exception with no actionable message
Tests
Implementation priority: low
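The three claim-handling features above (expected multi-valued claims, special and non-ASCII characters in claim values, and empty claim values) all come down to how the relying party reads the AttributeStatement. The following is an added example, not code from this page or from any of the interop participants: a small claim extractor over a SAML 1.x assertion that keeps every AttributeValue in document order, treats an empty element as the value "", and passes decoded characters through untouched. The assertion is constructed for the example; the claim namespace is the ISIP self-issued claim namespace and the attribute names follow its convention.

```python
"""Claim extraction for a relying party reading a SAML 1.x AttributeStatement.

Added example, not code from the interop page or from any listed implementation.
It exercises three of the features above at once: multi-valued claims (the same
claim sent as repeated Attribute elements and as one Attribute with several
AttributeValue children), claim values containing markup-significant and
non-ASCII characters, and the empty string as a legal claim value.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NS = {"saml": SAML1_NS}

# Constructed sample token body (signature omitted; this example only reads claims).
# emailaddress is sent twice: once as two values in one Attribute, once as a
# second Attribute. surname is empty. givenname carries special characters.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-1" Issuer="idp.example">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>a.liddell@example.net</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Zoë &lt;O'Brien&gt; /\\ #1; `x`? "q"</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {claim URI: [values in document order]}.

    Each AttributeValue contributes exactly one entry, so repeated Attribute
    elements and one Attribute with several values both end up as a list in
    the order the IdP sent them. An empty AttributeValue yields '' instead of
    being dropped, and text is taken as the XML parser decoded it, so '<',
    quotes, backslashes and non-ASCII characters reach the caller unchanged.
    """
    root = ET.fromstring(assertion_xml)
    claims: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        # ISIP claim identifier = AttributeNamespace + "/" + AttributeName
        uri = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        values = claims.setdefault(uri, [])
        for av in attr.findall("saml:AttributeValue", NS):
            values.append(av.text or "")
    return claims


def missing_required(claims: Dict[str, List[str]], required: List[str]) -> List[str]:
    """Claim URIs from `required` that the token does not carry at all.

    A claim whose only value is '' counts as present: the page treats the empty
    string as a valid value, and what to do with an empty surname is an
    application decision that should end in an actionable message, not an
    exception.
    """
    return [uri for uri in required if uri not in claims]


def summarise(claims: Dict[str, List[str]]) -> str:
    """Human-readable listing used when running the example directly."""
    return "\n".join(f"{uri}: {values!r}" for uri, values in claims.items())


if __name__ == "__main__":
    found = extract_claims(SAMPLE_ASSERTION)
    print(summarise(found))
    print("missing:", missing_required(found, [CLAIMS_NS + "/privatepersonalidentifier"]))
```

The extractor deliberately does not collapse the three emailaddress values or discard the empty surname; a relying party that keeps only the first AttributeValue, or that drops an Attribute whose value is empty, is exactly what the failure columns above describe.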
Feature-Capable of accepting SAML 1.0 tokens
Maturity: Established (I1)

Description | Test procedure | Success | Failure
---|---|---|---
Requested with urn:oasis:names:tc:SAML:1.0:assertion. Note that SAML 1.0 and SAML 1.1 tokens have the same syntax. | Specify a SAML 1.0 token type and use a card that can return a token of that type | Transaction successful | Transaction unsuccessful
Tests
Implementation priority: low
Feature-Capable of accepting SAML 1.1 tokens
Maturity: Established (I2)

Description | Test procedure | Success | Failure
---|---|---|---
Requested with http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1. Note that SAML 1.0 and SAML 1.1 tokens have the same syntax. | Specify a SAML 1.1 token type and use a card that can return a token of that type | Transaction successful | Transaction unsuccessful
Tests
Implementation priority: low
Feature-Accepts SAML 2.0 tokens
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Requested with urn:oasis:names:tc:SAML:2.0:assertion. | Specify a SAML 2.0 token type and use a card that can return a token of that type | Transaction successful | Transaction unsuccessful
Tests
Implementation priority: low
Feature-Supports use on HTTP sites
Maturity: Established (I2)

Description | Test procedure | Success | Failure
---|---|---|---
Site can accept tokens using an HTTP connection (no SSL), rather than an HTTPS connection, as per http://blogs.msdn.com/card/archive/2007/09/25/deploy-cardspace-on-your-site-without-a-ssl-certificate.aspx | Attempt to trigger an Information Card transaction on an HTTP page | Transaction successful | Transaction unsuccessful
Tests
I4:FeatureTest-RP Support for HTTP
Feature-Relying Party accepts Transport Binding to secure SOAP message
Maturity: Established (I2)

Description | Test procedure | Success | Failure
---|---|---|---
Support for IdP use of transport security to secure the transaction on the channel as per ISIP Guide § 5.1.1.1 and WS-SecurityPolicy 1.2 § 8.3 | Use a managed card whose provider is known to use transport binding against an RP that is also known to correctly handle transport binding. | Successful transaction | Error or exception
Tests
Implementation priority: low
Feature-Relying Party accepts Symmetric Binding to secure SOAP message
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Support for IdP use of message security, specifically a symmetric binding to secure the transaction on the channel as per ISIP Guide § 5.1.1.2 and WS-SecurityPolicy 1.2 § 8.4 | Use a managed card whose provider is known to use symmetric binding against an RP that is also known to correctly handle symmetric binding. | Successful transaction | Error or exception
Tests
Implementation priority: low
Feature-Relying Party uses Asymmetric Binding to secure SOAP message
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Support for Relying Party use of message security, specifically an asymmetric binding to secure the transaction on the channel as per WS-SecurityPolicy 1.2 § 8.5. (Do not test in this Interop if not implemented by any Selector.) | Use a managed card whose provider is known to use asymmetric binding against an RP that is also known to correctly handle asymmetric binding. | Successful transaction | Error or exception
Tests
Implementation priority: low
Feature-Relying Party support for SOAP 1.1
Maturity: Established (I1)

Description | Test procedure | Success | Failure
---|---|---|---
Support for IdP & RP components which use SOAP 1.1 | Access components that are known to exclusively use SOAP 1.1 | Transaction succeeds | Error or exception
Tests
Implementation priority: low
Feature-Relying Party support for SOAP 1.2
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Support for IdP & RP components which use SOAP 1.2 | Access components that are known to exclusively use SOAP 1.2 | Transaction succeeds | Error or exception
Tests
Implementation priority: low
Feature-Relying Party support for WS-Trust 1.2, WS-SecurityPolicy 1.1
Maturity: Established (I1)

Description | Test procedure | Success | Failure
---|---|---|---
Support for IdP and RP components which use WS-Trust 1.2 and WS-SecurityPolicy 1.1 as per ISIP and ISIP Guide | Access components that are known to exclusively use ISIP versions of WS-Trust & WS-SecurityPolicy | Transaction succeeds | Error or exception
Tests
Implementation priority: low
Feature-Relying Party support for WS-Trust 1.3, WS-SecurityPolicy 1.2
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Support for IdP and RP components which use WS-Trust 1.3 and WS-SecurityPolicy 1.2 (the OASIS standard versions) as per http://blogs.msdn.com/card/archive/2007/11/22/cardspace-support-for-oasis-ws-sx-standards.aspx | Access components that are known to exclusively use OASIS versions of WS-Trust & WS-SecurityPolicy | Transaction succeeds | Error or exception
Tests
Implementation priority: low
Feature-Confirms Audience Restriction value matches Relying Party in token from Identity Provider
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Check that the audienceRestriction parameter applies to the calling Relying Party | Receive a token which contains an audienceRestriction that does not match the receiving RP | Unsuccessful transaction with actionable message | Successful transaction, or failure without actionable message
Tests
Implementation priority: low
Feature-Verifies token signature
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
Digitally sign the message and verify that the newly generated signature matches the passed signature | Receive a token whose digital signature does not match | Unsuccessful transaction with actionable message | Other behavior
Tests
Implementation priority: medium
Feature-In browser case, verifies that token is a bearer token
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
The subject confirmation method of a browser-based token must be urn:oasis:names:tc:SAML:1.0:cm:bearer as per ISIP § 8.2 | Receive a token whose subject confirmation method is not bearer | Actionable message | Other behavior
Tests
Implementation priority: medium
Feature-Verifies Audience restriction is not present in token when no Auditing data was given
Maturity: Emerging

Description | Test procedure | Success | Failure
---|---|---|---
When a non-auditing card is used, or an auditing-optional card is used and the RP declines to send token scope information, no AudienceRestrictionCondition should be present in the token | Use a non-auditing card whose Identity Provider returns an AudienceRestriction in violation of the spec. | Incomplete transaction with actionable message | Other behavior
Tests
Implementation priority: low
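The audience restriction feature, the bearer-confirmation feature and the "no audience restriction without token scope" feature above are all checks on the Conditions and Subject parts of the received assertion. The following is an added example, not code from this page or from any interop participant, showing those three checks together for a browser-based relying party: the AudienceRestrictionCondition must name this RP when the RP sent token scope (auditing) information, must be absent when it did not, and the confirmation method must be the bearer URI the page cites. Signature verification (the feature above) is a separate XML Signature step that this example assumes has already succeeded. The assertions are constructed fixtures; the RP identifier and issuer names are placeholders.

```python
"""Condition and subject-confirmation checks for a browser-based relying party.

Added example, not code from the interop page. Covers three features listed
above: audience matches this RP when token scope was sent, no audience
restriction when it was not, and bearer subject confirmation in the browser
case. XML Signature verification is out of scope here and is assumed done.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"   # ISIP section 8.2 (per the page)


def make_assertion(audience: Optional[str], confirmation: str) -> str:
    """Build a minimal constructed SAML 1.1 assertion (test fixture, not a real token)."""
    cond = ""
    if audience is not None:
        cond = ("<saml:Conditions><saml:AudienceRestrictionCondition>"
                f"<saml:Audience>{audience}</saml:Audience>"
                "</saml:AudienceRestrictionCondition></saml:Conditions>")
    return (f'<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1" '
            f'AssertionID="_example-c1" Issuer="idp.example">{cond}'
            "<saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>"
            f"<saml:ConfirmationMethod>{confirmation}</saml:ConfirmationMethod>"
            "</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>"
            "</saml:Assertion>")


def check_conditions(assertion_xml: str, rp_identifier: str, scope_was_sent: bool,
                     browser_case: bool = True) -> List[str]:
    """Return actionable problems with the token; an empty list means it passed.

    Every finding is a full sentence naming what was expected, because the
    failure column for each of these features is "no actionable message".
    """
    root = ET.fromstring(assertion_xml)
    problems: List[str] = []

    audiences = [a.text or "" for a in root.iterfind(
        "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if scope_was_sent:
        # Auditing flow: the IdP was told who the RP is and must scope the token to it.
        if not audiences:
            problems.append("token carries no AudienceRestrictionCondition although "
                            "token scope information was sent to the identity provider")
        elif rp_identifier not in audiences:
            problems.append(f"token audience {audiences} does not include this relying "
                            f"party ({rp_identifier!r})")
    elif audiences:
        # Non-auditing flow: the IdP must not have learnt the RP identity, so any
        # AudienceRestrictionCondition is a protocol violation worth surfacing.
        problems.append(f"token carries AudienceRestrictionCondition {audiences} although "
                        "no token scope information was sent")

    methods = [m.text or "" for m in root.iterfind(
        ".//saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if browser_case and methods != [BEARER]:
        problems.append(f"browser-based token must use the bearer confirmation method "
                        f"{BEARER}, got {methods}")
    return problems


if __name__ == "__main__":
    rp = "https://rp.example/"   # placeholder relying party identifier
    for label, xml, scoped in [
        ("auditing, correct audience", make_assertion(rp, BEARER), True),
        ("auditing, other audience", make_assertion("https://other.example/", BEARER), True),
        ("non-auditing, audience present", make_assertion(rp, BEARER), False),
        ("non-auditing, clean", make_assertion(None, BEARER), False),
    ]:
        print(label, "->", check_conditions(xml, rp, scoped) or "ok")
```

The decision whether token scope was sent belongs to the RP's own state for that request, not to anything in the token, which is why it is a parameter here rather than something inferred from the assertion.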
Feature-Allows the proof key in the token to change between user interactions
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
The proof key used for a given card should be able to change between user interactions without any disruption of user service. (This is a rich client only scenario.) | Use a card at an RP, change the proof key of the card, and then use the card again | Successful transaction | Other behavior |
Tests
Implementation priority: low
Feature-Different token type received than requested
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Differing token type: RP handling of a token type other than what it asked for | Receive a token with a token type other than what it requested | Accept, or actionable message returned | No actionable message, or failure |
Tests
Implementation priority: low
Feature-Token encrypted with an unsupported method
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
RP handling of a token that is encrypted in a way that the RP cannot decrypt (e.g. 256-bit AES encryption) | Receive a token that is encrypted with an unsupported encryption method | Actionable message (e.g. "US Government export control violation") | Exception |
Tests
Implementation priority: low
Feature-RSTR received with invalid WS-Trust Lifetime parameters
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Check that the wst:Lifetime elements in the RSTR are valid; this includes wsu:Created and wsu:Expires | Receive a token with an expired wsu:Expires element | Failure with actionable message | Exception, continue |
Tests
Implementation priority: low
Feature-Token with out-of-range SAML notBefore or notOnOrAfter elements
Maturity: Emerging (I4)
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
RP receives a token whose SAML notBefore and notOnOrAfter elements are outside an RP-defined window of error (e.g. a 5-second window). | Receive either a very old token or a token from the future | Failure with actionable message | Exception, continue |
Tests
I4:FeatureTest-RP Rejection of Tokens Outside Reasonable Validity Windows
Feature-SAML token without notBefore or notOnOrAfter elements
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
RP receives a SAML token that does not have NotBefore or NotOnOrAfter elements | Receive a token without NotBefore or NotOnOrAfter elements | Failure or error message | Consider token valid |
Tests
Implementation priority: low
Feature-Token with unrequested claims
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
If an RP detects unrequested claims, the user should be notified | Receive a token containing unrequested claims | Actionable message | Other behavior |
Tests
Implementation priority: low
Feature-Token with claim name differing by case
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
RP handling of a claim whose name differs only in case from what the RP requested | Test handling of a claim that is identical to a requested claim except for the case of the claim URI | Treat as a distinct claim | Treat as the requested claim |
Tests
Implementation priority: low
Feature-Token with non-matching claim name, such as including a trailing slash
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Token matching is to be performed only via a case-sensitive string comparison, as per ISIP § 3.1.3 | Receive a token containing claim names that don't match those requested | Only requested tokens are processed | Exception or failure |
Tests
Implementation priority: low
Feature-Verifies that claim namespaces returned in token match those requested
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Check the entire claim string: not only the name of the claim but the namespace as well | Receive a token where the claim namespace is different from what was requested | Actionable message | Other behavior |
Tests
Implementation priority: low
Feature-Verifies that Token has InclusiveNamespaces element
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
All namespaces should be listed in an InclusiveNamespaces element so that the token can be exclusively canonicalized | Return a token to the RP that has no InclusiveNamespaces element | Fail with actionable message | Continue or Exception |
Tests
Implementation priority: low
Feature-Verifies that Token is only using namespaces in InclusiveNamespaces list
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
All namespaces should be listed in an InclusiveNamespaces element so that the token can be exclusively canonicalized | Return a token to the RP that uses a namespace not listed in the InclusiveNamespaces list | Fail with actionable message | Continue or Exception |
Tests
Implementation priority: low
Feature-Ignores padding in token
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Newlines and other valid whitespace in token values should be ignored as per C14N | Receive a token containing valid whitespace | Successful transaction | Other behavior |
Tests
Implementation priority: medium
Feature-Unexpected multi-valued claims
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
In the case where a multi-valued claim is returned to an RP that was expecting a single-valued claim, the RP should not fail. | Return a token to the RP with an unexpected multi-valued claim such as dateofbirth. | Acceptable: return the first value to the application, return all values to the application, or fail with actionable message | Exception or silent failure |
Tests
Implementation priority: low
Feature-Received Token is missing required claims
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Check that all required claims are actually returned by the IdP | Receive a token in which one or more required claims were not supplied | Actionable message | Exception or non-actionable message |
Tests
Implementation priority: medium
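The claim-matching rows above (unrequested claims, claim names differing by case or by a trailing slash, namespace checking, unexpected multi-valued claims, missing required claims) combined into one check, as an added Python example that is not code from the I4 wiki or from any Relying Party implementation. It assumes the ISIP SAML 1.1 encoding in which the claim URI is AttributeNamespace followed by "/" and AttributeName; the sample assertion, claim values and requested-claim lists are constructed.

```python
"""Claim reconciliation for a SAML 1.1 AttributeStatement (added example)."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# ISIP identity-claims namespace used for the constructed sample below
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"


def extract_claims(assertion_xml):
    """Return {claim_uri: [values]} for every Attribute in the assertion.

    Assumes the ISIP SAML 1.1 encoding where the claim URI is
    AttributeNamespace + "/" + AttributeName. The URI is rebuilt verbatim so that
    differences in case or a stray trailing slash survive into the comparison.
    """
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        uri = "%s/%s" % (attr.get("AttributeNamespace", ""), attr.get("AttributeName", ""))
        values = [(v.text or "") for v in attr.findall("{%s}AttributeValue" % SAML1_NS)]
        claims.setdefault(uri, []).extend(values)
    return claims


def reconcile_claims(claims, required, optional=(), single_valued=()):
    """Match received claim URIs against the requested ones by exact, case-sensitive
    string comparison of the whole URI (namespace included), per ISIP 3.1.3.

    Returns a dict with:
      accepted    False when any required claim is absent
      values      matched claims; single-valued claims get their first value only
      missing     required claim URIs not present in the token
      unrequested claim URIs the RP did not ask for (reported, never used)
      notes       other actionable messages, e.g. an unexpected multi-valued claim
    """
    requested = set(required) | set(optional)
    missing = [uri for uri in required if uri not in claims]
    unrequested, notes, values = [], [], {}
    for uri, received in claims.items():
        if uri not in requested:
            unrequested.append(uri)      # e.g. "GivenName" or ".../surname/" land here
            continue
        if uri in single_valued:
            if len(received) > 1:
                notes.append("multi-valued %s: using first of %d values" % (uri, len(received)))
            values[uri] = received[0] if received else ""
        else:
            values[uri] = list(received)
    return {"accepted": not missing, "values": values, "missing": missing,
            "unrequested": unrequested, "notes": notes}


def attribute_xml(name, *values, namespace=CLAIMS_NS):
    """Build one saml:Attribute element (helper for the constructed sample)."""
    body = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values)
    return '<saml:Attribute AttributeName="%s" AttributeNamespace="%s">%s</saml:Attribute>' % (
        name, namespace, body)


# Constructed sample token: one correct claim, one multi-valued claim, one claim that
# differs only by case, and one whose name carries a trailing slash (unsigned, minimal).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1">'
    "<saml:AttributeStatement>%s%s%s%s%s</saml:AttributeStatement></saml:Assertion>"
    % (SAML1_NS,
       attribute_xml("givenname", "Alice"),
       attribute_xml("privatepersonalidentifier", "PPID-constructed"),
       attribute_xml("dateofbirth", "1980-01-01", "1981-01-01"),
       attribute_xml("GivenName", "Alice"),
       attribute_xml("surname/", "Example"))
)
SAMPLE_REQUIRED = [CLAIMS_NS + "/givenname", CLAIMS_NS + "/surname",
                   CLAIMS_NS + "/privatepersonalidentifier"]
SAMPLE_OPTIONAL = [CLAIMS_NS + "/dateofbirth"]


def reconcile_sample():
    """Run the constructed sample through both steps; every requested claim is single-valued."""
    return reconcile_claims(extract_claims(SAMPLE_ASSERTION), SAMPLE_REQUIRED,
                            SAMPLE_OPTIONAL, single_valued=SAMPLE_REQUIRED + SAMPLE_OPTIONAL)


if __name__ == "__main__":
    for key, value in reconcile_sample().items():
        print("%-12s %s" % (key, value))
```

On the sample the token is rejected because "surname/" does not match the required "surname", while "GivenName" is reported as unrequested rather than silently treated as "givenname", and the two-valued dateofbirth yields its first value plus a note instead of a failure.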
Feature-Relying Party recognizes equivalence of the multiple URIs for SAML 1.0 and 1.1 tokens
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
urn:oasis:names:tc:SAML:1.0:assertion and http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 | Use one URI to request a token and receive a token labeled with the other | Acceptable: actionable error message. Better: accept token. | Silent failure |
Tests
Implementation priority: low
Feature-RP Sanitizes Received Claims To Prevent Injection Attacks
Maturity: Established (I2)
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Relying Party detects characters within claims that could result in execution of code when the claim is displayed or stored. | Attempt to use a card with attack code embedded | Code is not executed | Code is executed |
Tests
I4:FeatureTest-RP Sanitization of Claims Containing HTML Entities
Feature-Behavior when no Identity Selector or Browser Add-on installed
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
In the case where no Identity Selector is present, the RP should not trigger a Selector transaction that will fail, but should offer an actionable message | Visit site using a machine with no Identity Selector or Browser Add-On installed | Best: guidance given to users on how to install a Selector and Add-On. OK: graceful degradation of page features. | Service appears to have a broken feature. Non-actionable error conditions. |
Tests
Implementation priority: high
Feature-Behavior when Identity Selector installed but Browser Add-on not installed
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Site should gracefully handle the situation where an Identity Selector is installed but the Browser Add-On needed to communicate with it is not | Visit site using a machine with an Identity Selector installed but with no Browser Add-On installed | Best: guidance given to users on how to install an Add-On. OK: graceful degradation of page features. | Service appears to have a broken feature. Non-actionable error conditions. |
Tests
Implementation priority: high
Feature-Behavior when Identity Selector not installed but Browser Add-on installed
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Site should gracefully handle the situation where a Browser Add-On is installed but not an Identity Selector for it to use | Visit site using a machine with no Identity Selector installed but with a Browser Add-On installed | Best: guidance given to users on how to install a Selector. OK: graceful degradation of page features. | Service appears to have a broken feature. Non-actionable error conditions. |
Tests
Implementation priority: high
Feature-Provides Validity Window for token times to allow for imperfect Clock Synchronization
Maturity: Emerging (I4)
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Relying Party should not assume that the Identity Provider is perfectly time-synchronized and therefore needs to allow a limited time period to accommodate clock skew | Receive a token with a 1-second or 0-second time range that is a few seconds in the past | Successful transaction | Other behavior |
Tests
I4:FeatureTest-RP Acceptance of Tokens Within Reasonable Validity Windows
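The validity-window rule here, together with the earlier rows on out-of-range and absent NotBefore/NotOnOrAfter conditions and on an AudienceRestrictionCondition that must not appear when the RP sent no scope, as one check in Python; this is an added example, not code from the I4 wiki or from any Relying Party implementation. The 5-second skew is an assumed RP setting, and the sample assertion, timestamps and audience URI are constructed.

```python
"""Validity-window and audience checks on a SAML 1.1 Conditions element (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
DEFAULT_SKEW = timedelta(seconds=5)                   # RP-defined window of error (assumed 5 s)
# Constructed "current time" shared by the samples below
SAMPLE_NOW = datetime(2009, 6, 1, 12, 0, 10, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse an xs:dateTime such as 2009-06-01T12:00:05Z into an aware UTC datetime."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("timestamp without timezone: %r" % value)
    return parsed.astimezone(timezone.utc)


def check_conditions(assertion_xml, now, expected_audience=None, skew=DEFAULT_SKEW):
    """Evaluate the Conditions of a SAML 1.1 assertion and return (accepted, reason).

    The token is accepted when NotBefore - skew <= now < NotOnOrAfter + skew, so a
    0- or 1-second window that closed a few seconds ago still passes, while very old
    or future tokens fail with a reason the RP can show as an actionable message.
    expected_audience is the scope the RP sent with its request (None when it sent none).
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("{%s}Conditions" % SAML1_NS)
    if conditions is None:
        return False, "assertion has no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "Conditions lacks NotBefore or NotOnOrAfter"
    try:
        start, end = parse_saml_time(not_before), parse_saml_time(not_on_or_after)
    except ValueError as exc:
        return False, "unparseable timestamp: %s" % exc
    if end < start:
        return False, "NotOnOrAfter precedes NotBefore"
    if now + skew < start:
        return False, "token is from the future (NotBefore %s)" % not_before
    if now - skew >= end:
        return False, "token has expired (NotOnOrAfter %s)" % not_on_or_after

    audiences = [(a.text or "").strip() for a in conditions.iter("{%s}Audience" % SAML1_NS)]
    if expected_audience is None and audiences:
        # No scope was sent (non-auditing card): the IdP must not add an audience restriction
        return False, "unexpected AudienceRestrictionCondition %r" % audiences
    if expected_audience is not None and expected_audience not in audiences:
        return False, "audience %r not among %r" % (expected_audience, audiences)
    return True, "conditions satisfied"


def build_assertion(not_before, not_on_or_after, audience=None):
    """Constructed, unsigned, minimal SAML 1.1 assertion for exercising the check."""
    audience_xml = ""
    if audience is not None:
        audience_xml = ("<saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience>"
                        "</saml:AudienceRestrictionCondition>" % audience)
    return ('<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1">'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">%s</saml:Conditions>'
            "</saml:Assertion>" % (SAML1_NS, not_before, not_on_or_after, audience_xml))


if __name__ == "__main__":
    # 1-second window that closed 4 seconds before SAMPLE_NOW: accepted thanks to the skew
    print(check_conditions(build_assertion("2009-06-01T12:00:05Z", "2009-06-01T12:00:06Z"),
                           SAMPLE_NOW))
    # Two hours old: rejected with a reason the RP can surface to the user
    print(check_conditions(build_assertion("2009-06-01T10:00:00Z", "2009-06-01T10:05:00Z"),
                           SAMPLE_NOW))
    # Audience restriction present although no scope was sent: rejected
    print(check_conditions(build_assertion("2009-06-01T12:00:05Z", "2009-06-01T12:00:06Z",
                                           audience="https://rp.example/"), SAMPLE_NOW))
```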
Feature-Relying Party has a domain name and does not require a cert to be installed
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Interop best practice: no custom cert needs to be installed | Attempt to use the Relying Party with a Selector known to validate certificates | No certificate error | Revoked or expired cert, or a cert that does not chain to a trusted root certificate |
Tests
Feature-Information Card Icon used to indicate acceptance of Information Cards
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Information Card Icon displayed on a Relying Party page accepting Information Cards | Click on the Icon and verify that it causes the RP to accept an Information Card | Icon present and active | Icon not present, or not usable to request an Information Card |
Tests
Feature-Relying Party account creation via Self-Issued Cards
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Ability to use self-issued cards to create a new account | Attempt to use a self-issued card to create an account | Successful account creation | Unsuccessful account creation |
Tests
Feature-Relying Party account creation via Managed Cards
Maturity: Emerging
Description | Test | Acceptable | Unacceptable |
---|---|---|---|
Ability to use managed cards to create a new account | Attempt to use a managed card to create an account | Successful account creation | Unsuccessful account creation |