I3:Information Card Relying Party Features

From OSIS Open Source Identity Systems

Feature-Accepts Self-Issued Cards

Information Card Relying Party Features: Accepts Self-Issued Cards - Maturity: Established (I1)
Description: Self-issued information card can be associated with an account at the relying party and used to log into it
Test: Use a self-issued card and verify that the RP has accepted the card
Pass: Card accepted
Fail: Card not accepted, or error

Tests

I3:FeatureTest-RP Acceptance of Self-Issued Cards


Feature-Accepts Managed Cards

Information Card Relying Party Features: Accepts Managed Cards - Maturity: Established (I1)
Description: Managed information card can be associated with an account at the relying party and used to log into it
Test: Use a managed card and verify that the RP has accepted the card
Pass: Card accepted
Fail: Card not accepted, or error

Tests

I3:FeatureTest-RP Acceptance of Managed Cards


Feature-Accepts tokens with 256-bit KeySize

Information Card Relying Party Features: Accepts tokens with 256-bit KeySize - Maturity: Established (I1)
Description: As per ISIP Guide § 5.2.3
Test: Select a card using a 256-bit KeySize
Pass: Works
Fail: Failure without actionable message

Tests


Feature-Accepts tokens with 128-bit KeySize

Information Card Relying Party Features: Accepts tokens with 128-bit KeySize - Maturity: Emerging
Description: This test was included because the IBM IdP was using 128-bit keys in the Barcelona interop for export-control reasons. If no IdP will be issuing tokens with this characteristic, this test can be removed. (Do not include in Interop if not implemented by any identity provider.)
Test: Use a managed card known to use 128-bit key size.
Pass: Successful transaction or actionable error message
Fail: Failure without actionable message

Tests


Feature-Accepts tokens with legal whitespace in the signature

Information Card Relying Party Features: Accepts tokens with legal whitespace in the signature - Maturity: Emerging
Description: Newlines in Signature: RP handling of a signature that contains line breaks or newlines
Test: IdP signature with newlines and other legal whitespace test
Pass: Successful transaction
Fail: Failure without actionable message

Tests


Feature-Accepts expected multi-valued claims

Information Card Relying Party Features: Accepts expected multi-valued claims - Maturity: Emerging
Description: The returned token contains the same claim multiple times or one claim containing multiple values
Test: Use emailaddress as expected multi-valued claim. Tests will be conducted both for the case of the token containing the same claim multiple times and for the case of one claim containing multiple values.
Pass: The multiple values should be accepted and displayed in the order sent
Fail: Only one value is returned to the application and shown

Tests


Feature-Handles claim values containing special characters and non-ASCII values

Information Card Relying Party Features: Handles claim values containing special characters and non-ASCII values - Maturity: Established (I2)
Description: All legal Unicode characters should be usable in claim values, including characters such as <, >, /, \, ", ', :, ;, `, ?, #, and space
Test: Supply claim values containing character set soup
Pass: Values accurately delivered to the application
Fail: Values changed, rejected, or cause software failures

Tests


Feature-Token with empty claim values

Information Card Relying Party Features: Token with empty claim values - Maturity: Emerging
Description: The empty string should be a valid claim value
Test: IdP returns an empty value for a required claim
Pass: Accept or fail with actionable message
Fail: Exception with no actionable message

Tests


Feature-Capable of accepting SAML 1.0 tokens

Information Card Relying Party Features: Capable of accepting SAML 1.0 tokens - Maturity: Established (I1)
Description: Requested with urn:oasis:names:tc:SAML:1.0:assertion. Note that SAML 1.0 and SAML 1.1 tokens have the same syntax.
Test: Specify a SAML 1.0 token type and use a card that can return a token of that type
Pass: Transaction successful
Fail: Transaction unsuccessful

Tests


Feature-Capable of accepting SAML 1.1 tokens

Information Card Relying Party Features: Capable of accepting SAML 1.1 tokens - Maturity: Established (I2)
Description: Requested with http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1. Note that SAML 1.0 and SAML 1.1 tokens have the same syntax.
Test: Specify a SAML 1.1 token type and use a card that can return a token of that type
Pass: Transaction successful
Fail: Transaction unsuccessful

Tests


Feature-Accepts SAML 2.0 tokens

Information Card Relying Party Features: Accepts SAML 2.0 tokens - Maturity: Emerging
Description: Requested with urn:oasis:names:tc:SAML:2.0:assertion.
Test: Specify a SAML 2.0 token type and use a card that can return a token of that type
Pass: Transaction successful
Fail: Transaction unsuccessful

Tests


Feature-Supports use on HTTP sites

Information Card Relying Party Features: Supports use on HTTP sites - Maturity: Established (I2)
Description: Site can accept tokens using an HTTP connection (no-SSL), rather than an HTTPS connection, as per http://blogs.msdn.com/card/archive/2007/09/25/deploy-cardspace-on-your-site-without-a-ssl-certificate.aspx
Test: Attempt to trigger an Information Card transaction on an HTTP page
Pass: Transaction successful
Fail: Transaction unsuccessful

Tests

I3:FeatureTest-RP Support for HTTP


Feature-Relying Party accepts Transport Binding to secure SOAP message

Information Card Relying Party Features: Relying Party accepts Transport Binding to secure SOAP message - Maturity: Established (I2)
Description: Support for IdP use of transport security to secure the transaction on the channel as per ISIP Guide § 5.1.1.1 and WS-SecurityPolicy 1.2 § 8.3
Test: Use a managed card whose provider is known to use transport binding against an RP that is also known to correctly handle transport binding.
Pass: Successful transaction
Fail: Error or exception

Tests


Feature-Relying Party accepts Symmetric Binding to secure SOAP message

Information Card Relying Party Features: Relying Party accepts Symmetric Binding to secure SOAP message - Maturity: Emerging
Description: Support for IdP use of message security, specifically a symmetric binding to secure the transaction on the channel as per ISIP Guide § 5.1.1.2 and WS-SecurityPolicy 1.2 § 8.4
Test: Use a managed card whose provider is known to use symmetric binding against an RP that is also known to correctly handle symmetric binding.
Pass: Successful transaction
Fail: Error or exception

Tests


Feature-Relying Party uses Asymmetric Binding to secure SOAP message

Information Card Relying Party Features: Relying Party uses Asymmetric Binding to secure SOAP message - Maturity: Emerging
Description: Support for Relying Party use of message security, specifically an asymmetric binding to secure the transaction on the channel as per WS-SecurityPolicy 1.2 § 8.5. (Do not test in this Interop if not implemented by any Selector.)
Test: Use a managed card whose provider is known to use asymmetric binding against an RP that is also known to correctly handle asymmetric binding.
Pass: Successful transaction
Fail: Error or exception

Tests


Feature-Relying Party support for SOAP 1.1

Information Card Relying Party Features: Relying Party support for SOAP 1.1 - Maturity: Established (I1)
Description: Support for IdP & RP Components which use SOAP 1.1
Test: Access components that are known to exclusively use SOAP 1.1
Pass: Transaction Succeeds
Fail: Error or Exception

Tests


Feature-Relying Party support for SOAP 1.2

Information Card Relying Party Features: Relying Party support for SOAP 1.2 - Maturity: Emerging
Description: Support for IdP & RP Components which use SOAP 1.2
Test: Access components that are known to exclusively use SOAP 1.2
Pass: Transaction Succeeds
Fail: Error or Exception

Tests


Feature-Relying Party support for WS-Trust 1.2, WS-SecurityPolicy 1.1

Information Card Relying Party Features: Relying Party support for WS-Trust 1.2, WS-SecurityPolicy 1.1 - Maturity: Established (I1)
Description: Support for IdP and RP Components which use WS-Trust 1.2 and WS-SecurityPolicy 1.1 as per ISIP and ISIP Guide
Test: Access components that are known to exclusively use ISIP versions of WS-Trust & WS-SecurityPolicy
Pass: Transaction Succeeds
Fail: Error or Exception

Tests


Feature-Relying Party support for WS-Trust 1.3, WS-SecurityPolicy 1.2

Information Card Relying Party Features: Relying Party support for WS-Trust 1.3, WS-SecurityPolicy 1.2 - Maturity: Emerging
Description: Support for IdP and RP Components which use WS-Trust 1.3 and WS-SecurityPolicy 1.2 (the OASIS standard versions) as per http://blogs.msdn.com/card/archive/2007/11/22/cardspace-support-for-oasis-ws-sx-standards.aspx
Test: Access components that are known to exclusively use OASIS versions of WS-Trust & WS-SecurityPolicy
Pass: Transaction Succeeds
Fail: Error or Exception

Tests


Feature-Confirms Audience Restriction value matches Relying Party in token from Identity Provider

Information Card Relying Party Features: Confirms Audience Restriction value matches Relying Party in token from Identity Provider - Maturity: Emerging
Description: Check that the audienceRestriction parameter applies to the calling Relying Party
Test: Receive a token which contains an audienceRestriction that does not match the receiving RP
Pass: Unsuccessful Transaction with Actionable Message
Fail: Successful transaction, failure without actionable message

Tests


Feature-Verifies token signature

Information Card Relying Party Features: Verifies token signature - Maturity: Emerging
Description: Digitally sign the message and verify that the newly generated signature matches the passed signature
Test: Receive a token whose digital signature does not match
Pass: Unsuccessful transaction with actionable message
Fail: Other behavior

Tests


Feature-In browser case, verifies that token is a bearer token

Information Card Relying Party Features: In browser case, verifies that token is a bearer token - Maturity: Emerging
Description: The subject confirmation method of a browser-based token must be urn:oasis:names:tc:SAML:1.0:cm:bearer as per ISIP § 8.2
Test: Receive a token whose subject confirmation method is not bearer
Pass: Actionable Message
Fail: Other behavior

Tests


Feature-Verifies Audience restriction is not present in token when no Auditing data was given

Information Card Relying Party Features: Verifies Audience restriction is not present in token when no Auditing data was given - Maturity: Emerging
Description: When a non-auditing card is used or an auditing-optional card is used and the RP declines to send token scope information, no AudienceRestrictionCondition should be present in the token
Test: Use a non-auditing card whose Identity Provider returns an AudienceRestriction in violation of the spec.
Pass: Incomplete transaction with actionable message
Fail: Other behavior

Tests


Feature-Allows the proof key in the token to change between user interactions

Information Card Relying Party Features: Allows the proof key in the token to change between user interactions - Maturity: Emerging
Description: The proof key used for a given card should be able to change between user interactions without any disruption of user service. (This is a rich client only scenario.)
Test: Use a card at an RP, change the proof key of the card, and then use the card again
Pass: Successful transaction
Fail: Other behavior

Tests


Feature-Different token type received than requested

Information Card Relying Party Features: Different token type received than requested - Maturity: Emerging
Description: Differing Token Type: RP handling of a token type other than what it asked for
Test: Receive a token with a token type other than what it requested
Pass: accept or actionable message returned
Fail: no actionable message or failure

Tests


Feature-Token encrypted with an unsupported method

Information Card Relying Party Features: Token encrypted with an unsupported method - Maturity: Emerging
Description: RP handling of a token that is encrypted in a way that the RP cannot decrypt (e.g. 256-bit AES encryption)
Test: Receive a token that is encrypted with an unorthodox encryption method
Pass: actionable message (e.g. "US Government export control violation")
Fail: Exception

Tests


Feature-RSTR received with invalid WS-Trust Lifetime parameters

Information Card Relying Party Features: RSTR received with invalid WS-Trust Lifetime parameters - Maturity: Emerging
Description: Check that the wst:Lifetime elements in the RSTR are valid – this includes wsu:Created and wsu:Expires
Test: Receive a token with an expired wsu:Expires element
Pass: failure with actionable message
Fail: Exception, continue

Tests


Feature-Token with out-of-range SAML notBefore or notOnOrAfter elements

Information Card Relying Party Features Token with out-of-range SAML notBefore or notOnOrAfter elements - Maturity: Emerging
RP receives a token whose SAML notBefore and notOnOrAfter elements are outside an RP-defined window of error (e.g. 5-second window of error). | Receive either a very old token or a token from the future | Failure with actionable message | Exception, continue

Tests


Feature-SAML token without notBefore or notOnOrAfter elements

Information Card Relying Party Features SAML token without notBefore or notOnOrAfter elements - Maturity: Emerging
RP receives a SAML token that does not have NotBefore or NotOnOrAfter elements | Receive a token without NotBefore or NotOnOrAfter elements | Failure or error message | Consider token valid

Tests


Feature-Token with unrequested claims

Information Card Relying Party Features Token with unrequested claims - Maturity: Emerging
If an RP detects unrequested claims, the user should be notified | Receive a token containing unrequested claims | Actionable message | Other behavior

Tests


Feature-Token with claim name differing by case

Information Card Relying Party Features Token with claim name differing by case - Maturity: Emerging
RP handling a claim whose name is different in case than what was requested by the RP | Test handling of a claim that is identical to a requested claim except for the case of the claim URI | Treat as a distinct claim | Treat as the requested claim

Tests


Feature-Token with non-matching claim name, such as including a trailing slash

Information Card Relying Party Features Token with non-matching claim name, such as including a trailing slash - Maturity: Emerging
Token matching is to be performed only via a case-sensitive string comparison, as per ISIP § 3.1.3 | Receive a token containing claim names that don’t match those requested | Only requested tokens are processed | Exception or failure

Tests


Feature-Verifies that claim namespaces returned in token match those requested

Information Card Relying Party Features Verifies that claim namespaces returned in token match those requested - Maturity: Emerging
Check entire claim string, not only the name of the claim but the namespace as well | Receive a token where claim namespace is different than what was requested | Actionable message | Other behavior

Tests


Feature-Verifies that Token has InclusiveNamespaces element

Information Card Relying Party Features Verifies that Token has InclusiveNamespaces element - Maturity: Emerging
All namespaces should be listed using the InclusiveNamespaces element, in order to be exclusively canonicalized | Return a token to the RP that has no InclusiveNamespaces element | Fail with actionable message | Continue or Exception

Tests


Feature-Verifies that Token is only using namespaces in InclusiveNamespaces list

Information Card Relying Party Features Verifies that Token is only using namespaces in InclusiveNamespaces list - Maturity: Emerging
All namespaces should be listed using the InclusiveNamespaces element, in order to be exclusively canonicalized | Return a token to the RP that uses a namespace not listed in the InclusiveNamespaces list | Fail with actionable message | Continue or Exception

Tests


Feature-Ignores padding in token

Information Card Relying Party Features Ignores padding in token - Maturity: Emerging
Newlines and other valid whitespace in token values should be ignored as per C14N | Receive a token containing valid whitespace | Successful transaction | Other behavior

Tests


Feature-Unexpected multi-valued claims

Information Card Relying Party Features Unexpected multi-valued claims - Maturity: Emerging
In the case where a multi-valued claim is returned to an RP where it was expecting a single-valued claim, the RP should not fail. | Return a token to the RP with an unexpected multi-valued claim such as dateofbirth. | Acceptable: Return first value to application, return all values to application, or fail with actionable message | Exception or silent failure

Tests


Feature-Received Token is missing required claims

Information Card Relying Party Features Received Token is missing required claims - Maturity: Emerging
Check that all required claims are actually returned by the IdP | Receive a token in which one or more required claims were not supplied | Actionable message | Exception or non-actionable message

Tests


Feature-Relying Party recognizes equivalence of the multiple URIs for SAML 1.0 and 1.1 tokens

Information Card Relying Party Features Relying Party recognizes equivalence of the multiple URIs for SAML 1.0 and 1.1 tokens - Maturity: Emerging
urn:oasis:names:tc:SAML:1.0:assertion and http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 | Use one URI to request token and receive a token labeled with the other | Acceptable: Actionable error message. Better: accept token. | Silent failure

Tests


Feature-RP Sanitizes Received Claims To Prevent Injection Attacks

Information Card Relying Party Features RP Sanitizes Received Claims To Prevent Injection Attacks - Maturity: Established (I2)
Relying Party detects characters within claims that could result in execution of code when the claim is displayed or stored. | Attempt to use a card with attack code embedded | Code is not executed | Code is executed

Tests

I3:FeatureTest-RP Sanitization of Claims Containing HTML Entities


Feature-Behavior when no Identity Selector or Browser Add-on installed

Information Card Relying Party Features Behavior when no Identity Selector or Browser Add-on installed - Maturity: Emerging
In the case where no Identity Selector is present, RP should not trigger a Selector transaction that will fail – but should offer an actionable message | Visit site using machine with no Identity Selector or Browser Add-On installed | Best: Guidance given to users on how to install a Selector and Add-On. OK: Graceful degradation of page features. | Service appears to have broken feature. Non-actionable error conditions.

Tests


Feature-Behavior when Identity Selector installed but Browser Add-on not installed

Information Card Relying Party Features Behavior when Identity Selector installed but Browser Add-on not installed - Maturity: Emerging
Site should gracefully handle situation where an Identity Selector is installed but the Browser Add-On needed to communicate with it is not | Visit site using machine with Identity Selector installed but with no Browser Add-On installed | Best: Guidance given to users on how to install an Add-On. OK: Graceful degradation of page features. | Service appears to have broken feature. Non-actionable error conditions.

Tests


Feature-Behavior when Identity Selector not installed but Browser Add-on installed

Information Card Relying Party Features Behavior when Identity Selector not installed but Browser Add-on installed - Maturity: Emerging
Site should gracefully handle situation where a Browser Add-On is installed but not an Identity Selector for it to use | Visit site using machine with no Identity Selector installed but with Browser Add-On installed | Best: Guidance given to users on how to install a Selector. OK: Graceful degradation of page features. | Service appears to have broken feature. Non-actionable error conditions.

Tests


Feature-Provides Validity Window for token times to allow for imperfect Clock Synchronization

Information Card Relying Party Features Provides Validity Window for token times to allow for imperfect Clock Synchronization - Maturity: Emerging
Relying Party should not assume that the Identity Provider is perfectly time-synchronized and therefore needs to allow a limited time period to accommodate clock skew | Receive a token with a 1-second or 0-second time range that is a few seconds in the past | Successful transaction | Other behavior

Tests


Feature-Relying Party has a domain name and does not require a cert to be installed

Information Card Relying Party Features Relying Party has a domain name and does not require a cert to be installed - Maturity: Emerging
Interop best practice: No custom cert needs to be installed | Attempt to use Relying Party with a Selector known to validate certificates | No certificate error | Revoked, expired certs, or cert that doesn’t come from a trusted root certificate

Tests


Feature-Information Card Icon used to indicate acceptance of Information Cards

Information Card Relying Party Features Information Card Icon used to indicate acceptance of Information Cards - Maturity: Emerging
Information Card Icon displayed on Relying Party page accepting Information Cards | Click on Icon and verify that it will cause RP to accept an Information Card | Icon present and active | Icon not present or not usable to request an Information Card

Tests


Feature-Relying Party account creation via Self-Issued Cards

Information Card Relying Party Features Relying Party account creation via Self-Issued Cards - Maturity: Emerging
Ability to use self-issued cards to create a new account | Attempt to use a self-issued card to create an account | Successful account creation | Unsuccessful account creation

Tests


Feature-Relying Party account creation via Managed Cards

Information Card Relying Party Features Relying Party account creation via Managed Cards - Maturity: Emerging
Ability to use managed cards to create a new account | Attempt to use a managed card to create an account | Successful account creation | Unsuccessful account creation

Tests