I3:Information Card Relying Party Features

From OSIS Open Source Identity Systems


Feature-Accepts Self-Issued Cards

Maturity: Established (I1)
Description: A self-issued information card can be associated with an account at the relying party and used to log into it.
Test: Use a self-issued card and verify that the RP has accepted the card.
Pass: Card accepted.
Fail: Card not accepted, or error.

Tests

I3:FeatureTest-RP Acceptance of Self-Issued Cards


Feature-Accepts Managed Cards

Maturity: Established (I1)
Description: A managed information card can be associated with an account at the relying party and used to log into it.
Test: Use a managed card and verify that the RP has accepted the card.
Pass: Card accepted.
Fail: Card not accepted, or error.

Tests

I3:FeatureTest-RP Acceptance of Managed Cards


Feature-Accepts tokens with 256-bit KeySize

Maturity: Established (I1)
Description: As per ISIP Guide § 5.2.3.
Test: Select a card using a 256-bit KeySize.
Pass: Works.
Fail: Failure without actionable message.

Tests


Feature-Accepts tokens with 128-bit KeySize

Maturity: Emerging
Description: This test was included because the IBM IdP was using 128-bit keys in the Barcelona interop for export-control reasons. If no IdP will be issuing tokens with this characteristic, this test can be removed. (Do not include in Interop if not implemented by any identity provider.)
Test: Use a managed card known to use 128-bit key size.
Pass: Successful transaction or actionable error message.
Fail: Failure without actionable message.

Tests


Feature-Accepts tokens with legal whitespace in the signature

Maturity: Emerging
Description: Newlines in Signature: RP handling of a signature that contains line breaks or newlines.
Test: IdP signature with newlines and other legal whitespace.
Pass: Successful transaction.
Fail: Failure without actionable message.

Tests


Feature-Accepts expected multi-valued claims

Maturity: Emerging
Description: The returned token contains the same claim multiple times, or one claim containing multiple values.
Test: Use emailaddress as the expected multi-valued claim. Tests will be conducted both for the case of the token containing the same claim multiple times and for the case of one claim containing multiple values.
Pass: The multiple values are accepted and displayed in the order sent.
Fail: Only one value is returned to the application and shown.

Tests


Feature-Handles claim values containing special characters and non-ASCII values

Maturity: Established (I2)
Description: All legal Unicode characters should be usable in claim values, including characters such as <, >, /, \, ", ', :, ;, `, ?, #, and space.
Test: Supply claim values containing character set soup.
Pass: Values accurately delivered to the application.
Fail: Values changed, rejected, or cause software failures.

Tests


Feature-Token with empty claim values

Maturity: Emerging
Description: The empty string should be a valid claim value.
Test: IdP returns an empty value for a required claim.
Pass: Accept, or fail with actionable message.
Fail: Exception with no actionable message.

Tests


Feature-Capable of accepting SAML 1.0 tokens

Maturity: Established (I1)
Description: Requested with urn:oasis:names:tc:SAML:1.0:assertion. Note that SAML 1.0 and SAML 1.1 tokens have the same syntax.
Test: Specify a SAML 1.0 token type and use a card that can return a token of that type.
Pass: Transaction successful.
Fail: Transaction unsuccessful.

Tests


Feature-Capable of accepting SAML 1.1 tokens

Maturity: Established (I2)
Description: Requested with http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1. Note that SAML 1.0 and SAML 1.1 tokens have the same syntax.
Test: Specify a SAML 1.1 token type and use a card that can return a token of that type.
Pass: Transaction successful.
Fail: Transaction unsuccessful.

Tests


Feature-Accepts SAML 2.0 tokens

Maturity: Emerging
Description: Requested with urn:oasis:names:tc:SAML:2.0:assertion.
Test: Specify a SAML 2.0 token type and use a card that can return a token of that type.
Pass: Transaction successful.
Fail: Transaction unsuccessful.

Tests


Feature-Supports use on HTTP sites

Maturity: Established (I2)
Description: Site can accept tokens using an HTTP connection (no SSL), rather than an HTTPS connection, as per http://blogs.msdn.com/card/archive/2007/09/25/deploy-cardspace-on-your-site-without-a-ssl-certificate.aspx
Test: Attempt to trigger an Information Card transaction on an HTTP page.
Pass: Transaction successful.
Fail: Transaction unsuccessful.

Tests

I3:FeatureTest-RP Support for HTTP


Feature-Relying Party accepts Transport Binding to secure SOAP message

Maturity: Established (I2)
Description: Support for IdP use of transport security to secure the transaction on the channel, as per ISIP Guide § 5.1.1.1 and WS-SecurityPolicy 1.2 § 8.3.
Test: Use a managed card whose provider is known to use transport binding against an RP that is also known to correctly handle transport binding.
Pass: Successful transaction.
Fail: Error or exception.

Tests


Feature-Relying Party accepts Symmetric Binding to secure SOAP message

Maturity: Emerging
Description: Support for IdP use of message security, specifically a symmetric binding, to secure the transaction on the channel, as per ISIP Guide § 5.1.1.2 and WS-SecurityPolicy 1.2 § 8.4.
Test: Use a managed card whose provider is known to use symmetric binding against an RP that is also known to correctly handle symmetric binding.
Pass: Successful transaction.
Fail: Error or exception.

Tests


Feature-Relying Party uses Asymmetric Binding to secure SOAP message

Maturity: Emerging
Description: Support for Relying Party use of message security, specifically an asymmetric binding, to secure the transaction on the channel, as per WS-SecurityPolicy 1.2 § 8.5. (Do not test in this Interop if not implemented by any Selector.)
Test: Use a managed card whose provider is known to use asymmetric binding against an RP that is also known to correctly handle asymmetric binding.
Pass: Successful transaction.
Fail: Error or exception.

Tests


Feature-Relying Party support for SOAP 1.1

Maturity: Established (I1)
Description: Support for IdP and RP components which use SOAP 1.1.
Test: Access components that are known to exclusively use SOAP 1.1.
Pass: Transaction succeeds.
Fail: Error or exception.

Tests


Feature-Relying Party support for SOAP 1.2

Maturity: Emerging
Description: Support for IdP and RP components which use SOAP 1.2.
Test: Access components that are known to exclusively use SOAP 1.2.
Pass: Transaction succeeds.
Fail: Error or exception.

Tests


Feature-Relying Party support for WS-Trust 1.2, WS-SecurityPolicy 1.1

Maturity: Established (I1)
Description: Support for IdP and RP components which use WS-Trust 1.2 and WS-SecurityPolicy 1.1, as per ISIP and the ISIP Guide.
Test: Access components that are known to exclusively use the ISIP versions of WS-Trust and WS-SecurityPolicy.
Pass: Transaction succeeds.
Fail: Error or exception.

Tests


Feature-Relying Party support for WS-Trust 1.3, WS-SecurityPolicy 1.2

Maturity: Emerging
Description: Support for IdP and RP components which use WS-Trust 1.3 and WS-SecurityPolicy 1.2 (the OASIS standard versions), as per http://blogs.msdn.com/card/archive/2007/11/22/cardspace-support-for-oasis-ws-sx-standards.aspx
Test: Access components that are known to exclusively use the OASIS versions of WS-Trust and WS-SecurityPolicy.
Pass: Transaction succeeds.
Fail: Error or exception.

Tests


Feature-Confirms Audience Restriction value matches Relying Party in token from Identity Provider

Maturity: Emerging
Description: Check that the audienceRestriction parameter applies to the calling Relying Party.
Test: Receive a token which contains an audienceRestriction that does not match the receiving RP.
Pass: Unsuccessful transaction with actionable message.
Fail: Successful transaction, or failure without actionable message.

Tests


Feature-Verifies token signature

Maturity: Emerging
Description: Digitally sign the message and verify that the newly generated signature matches the passed signature.
Test: Receive a token whose digital signature does not match.
Pass: Unsuccessful transaction with actionable message.
Fail: Other behavior.

Tests


Feature-In browser case, verifies that token is a bearer token

Maturity: Emerging
Description: The subject confirmation method of a browser-based token must be urn:oasis:names:tc:SAML:1.0:cm:bearer, as per ISIP § 8.2.
Test: Receive a token whose subject confirmation method is not bearer.
Pass: Actionable message.
Fail: Other behavior.

Tests


Feature-Verifies Audience restriction is not present in token when no Auditing data was given

Maturity: Emerging
Description: When a non-auditing card is used, or an auditing-optional card is used and the RP declines to send token scope information, no AudienceRestrictionCondition should be present in the token.
Test: Use a non-auditing card whose Identity Provider returns an AudienceRestriction in violation of the spec.
Pass: Incomplete transaction with actionable message.
Fail: Other behavior.

Tests


Feature-Allows the proof key in the token to change between user interactions

Maturity: Emerging
Description: The proof key used for a given card should be able to change between user interactions without any disruption of user service. (This is a rich-client-only scenario.)
Test: Use a card at an RP, change the proof key of the card, and then use the card again.
Pass: Successful transaction.
Fail: Other behavior.

Tests


Feature-Different token type received than requested

Maturity: Emerging
Description: Differing Token Type: RP handling of a token type other than what it asked for.
Test: Receive a token with a token type other than what was requested.
Pass: Accept, or actionable message returned.
Fail: No actionable message, or failure.

Tests


Feature-Token encrypted with an unsupported method

Maturity: Emerging
Description: RP handling of a token that is encrypted in a way that the RP cannot decrypt (e.g. 256-bit AES encryption).
Test: Receive a token that is encrypted with an unorthodox encryption method.
Pass: Actionable message (e.g. "US Government export control violation").
Fail: Exception.

Tests


Feature-RSTR received with invalid WS-Trust Lifetime parameters

Maturity: Emerging
Description: Check that the wst:Lifetime elements in the RSTR are valid; this includes wsu:Created and wsu:Expires.
Test: Receive a token with an expired wsu:Expires element.
Pass: Failure with actionable message.
Fail: Exception, or continue.

Tests


Feature-Token with out-of-range SAML notBefore or notOnOrAfter elements

Maturity: Emerging
Description: RP receives a token whose SAML notBefore and notOnOrAfter elements are outside an RP-defined window of error (e.g. a 5-second window of error).
Test: Receive either a very old token or a token from the future.
Pass: Failure with actionable message.
Fail: Exception, or continue.

Tests


Feature-SAML token without notBefore or notOnOrAfter elements

Maturity: Emerging
Description: RP receives a SAML token that does not have NotBefore or NotOnOrAfter elements.
Test: Receive a token without NotBefore or NotOnOrAfter elements.
Pass: Failure or error message.
Fail: Consider token valid.

Tests


Feature-Token with unrequested claims

Maturity: Emerging
Description: If an RP detects unrequested claims, the user should be notified.
Test: Receive a token containing unrequested claims.
Pass: Actionable message.
Fail: Other behavior.

Tests


Feature-Token with claim name differing by case

Maturity: Emerging
Description: RP handling of a claim whose name differs in case from what was requested by the RP.
Test: Test handling of a claim that is identical to a requested claim except for the case of the claim URI.
Pass: Treat as a distinct claim.
Fail: Treat as the requested claim.

Tests


Feature-Token with non-matching claim name, such as including a trailing slash

Maturity: Emerging
Description: Claim-name matching is to be performed only via a case-sensitive string comparison, as per ISIP § 3.1.3.
Test: Receive a token containing claim names that don't match those requested.
Pass: Only the requested claims are processed.
Fail: Exception or failure.

Tests


Feature-Verifies that claim namespaces returned in token match those requested

Maturity: Emerging
Description: Check the entire claim string: not only the name of the claim but the namespace as well.
Test: Receive a token where the claim namespace is different from what was requested.
Pass: Actionable message.
Fail: Other behavior.

Tests


Feature-Verifies that Token has InclusiveNamespaces element

Maturity: Emerging
Description: All namespaces should be listed using the InclusiveNamespaces element, in order to be exclusively canonicalized.
Test: Return a token to the RP that has no InclusiveNamespaces element.
Pass: Fail with actionable message.
Fail: Continue, or exception.

Tests


Feature-Verifies that Token is only using namespaces in InclusiveNamespaces list

Maturity: Emerging
Description: All namespaces should be listed using the InclusiveNamespaces element, in order to be exclusively canonicalized.
Test: Return a token to the RP that uses a namespace not listed in the InclusiveNamespaces list.
Pass: Fail with actionable message.
Fail: Continue, or exception.

Tests


Feature-Ignores padding in token

Maturity: Emerging
Description: Newlines and other valid whitespace in token values should be ignored, as per C14N.
Test: Receive a token containing valid whitespace.
Pass: Successful transaction.
Fail: Other behavior.

Tests


Feature-Unexpected multi-valued claims

Maturity: Emerging
Description: In the case where a multi-valued claim is returned to an RP that was expecting a single-valued claim, the RP should not fail.
Test: Return a token to the RP with an unexpected multi-valued claim, such as dateofbirth.
Pass: Acceptable: return the first value to the application, return all values to the application, or fail with actionable message.
Fail: Exception or silent failure.

Tests


Feature-Received Token is missing required claims

Maturity: Emerging
Description: Check that all required claims are actually returned by the IdP.
Test: Receive a token in which one or more required claims were not supplied.
Pass: Actionable message.
Fail: Exception, or non-actionable message.
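The claim-handling entries above (expected and unexpected multi-valued claims, empty claim values, unrequested claims, names differing by case or a trailing slash, namespace checks, and missing required claims) come down to one reconciliation step between the claims the RP requested and the claims the token carries. The following is an added example of that step, not code from the OSIS wiki or any interop participant; the claim namespace, the claim names and the returned token are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed claim URIs in the shape the page's test cases refer to (emailaddress,
# dateofbirth); the namespace is a placeholder, not a real claim dictionary.
NS = "http://schemas.example.org/claims/"
EMAIL = NS + "emailaddress"
DOB = NS + "dateofbirth"


@dataclass
class ClaimCheck:
    accepted: Dict[str, List[str]]   # requested claims found in the token, values in the order sent
    missing: List[str]               # required claims the identity provider did not supply
    unrequested: List[str]           # returned claim names that match no requested claim
    messages: List[str]              # actionable messages for the user or operator


def reconcile_claims(requested: Dict[str, bool], returned: List[Tuple[str, str]],
                     multi_valued: Set[str]) -> ClaimCheck:
    """`requested` maps a claim URI to whether it is required; `returned` is the ordered
    list of (claim URI, value) pairs from the token, so a claim repeated N times and a
    claim carrying N values both yield N pairs; `multi_valued` names the claims the
    application expects to carry several values."""
    accepted: Dict[str, List[str]] = {}
    unrequested: List[str] = []
    messages: List[str] = []
    for name, value in returned:
        # ISIP § 3.1.3: the whole URI (namespace included) is compared as a case-sensitive
        # string, so a name differing only in case or by a trailing slash is a different claim.
        if name in requested:
            accepted.setdefault(name, []).append(value)   # the empty string is a valid value
            continue
        unrequested.append(name)
        near = [r for r in requested if r.lower().rstrip("/") == name.lower().rstrip("/")]
        if near:
            messages.append("claim %s differs from requested %s only in case or a trailing slash; "
                            "treated as a distinct, unrequested claim" % (name, near[0]))
        else:
            messages.append("token carries unrequested claim %s; it was ignored" % name)
    missing = [n for n, required in requested.items() if required and n not in accepted]
    for n in missing:
        messages.append("required claim %s was not supplied by the identity provider" % n)
    for n, values in accepted.items():
        if len(values) > 1 and n not in multi_valued:
            # Unexpected multi-valued claim: keep the first value rather than failing.
            messages.append("claim %s returned %d values where one was expected; using the first"
                            % (n, len(values)))
            accepted[n] = values[:1]
    return ClaimCheck(accepted, missing, unrequested, messages)
```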

Tests


Feature-Relying Party recognizes equivalence of the multiple URIs for SAML 1.0 and 1.1 tokens

Maturity: Emerging
Description: urn:oasis:names:tc:SAML:1.0:assertion and http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Test: Use one URI to request a token and receive a token labeled with the other.
Pass: Acceptable: actionable error message. Better: accept the token.
Fail: Silent failure.

Tests


Feature-RP Sanitizes Received Claims To Prevent Injection Attacks

Maturity: Established (I2)
Description: Relying Party detects characters within claims that could result in execution of code when the claim is displayed or stored.
Test: Attempt to use a card with attack code embedded.
Pass: Code is not executed.
Fail: Code is executed.

Tests

I3:FeatureTest-RP Sanitization of Claims Containing HTML Entities


Feature-Behavior when no Identity Selector or Browser Add-on installed

Maturity: Emerging
Description: In the case where no Identity Selector is present, the RP should not trigger a Selector transaction that will fail, but should offer an actionable message.
Test: Visit the site using a machine with no Identity Selector or Browser Add-On installed.
Pass: Best: guidance given to users on how to install a Selector and Add-On. OK: graceful degradation of page features.
Fail: Service appears to have a broken feature. Non-actionable error conditions.

Tests


Feature-Behavior when Identity Selector installed but Browser Add-on not installed

Maturity: Emerging
Description: Site should gracefully handle the situation where an Identity Selector is installed but the Browser Add-On needed to communicate with it is not.
Test: Visit the site using a machine with an Identity Selector installed but no Browser Add-On installed.
Pass: Best: guidance given to users on how to install an Add-On. OK: graceful degradation of page features.
Fail: Service appears to have a broken feature. Non-actionable error conditions.

Tests


Feature-Behavior when Identity Selector not installed but Browser Add-on installed

Maturity: Emerging
Description: Site should gracefully handle the situation where a Browser Add-On is installed but not an Identity Selector for it to use.
Test: Visit the site using a machine with no Identity Selector installed but with the Browser Add-On installed.
Pass: Best: guidance given to users on how to install a Selector. OK: graceful degradation of page features.
Fail: Service appears to have a broken feature. Non-actionable error conditions.

Tests


Feature-Provides Validity Window for token times to allow for imperfect Clock Synchronization

Maturity: Emerging
Description: The Relying Party should not assume that the Identity Provider is perfectly time-synchronized, and therefore needs to allow a limited time period to accommodate clock skew.
Test: Receive a token with a 1-second or 0-second time range that is a few seconds in the past.
Pass: Successful transaction.
Fail: Other behavior.
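The token-condition entries above (audience restriction matching, bearer subject confirmation in the browser case, no AudienceRestriction without auditing data, out-of-range or missing NotBefore/NotOnOrAfter, and the clock-skew validity window) are combined here in one validator as an added example; it is not code from the OSIS wiki or any interop participant. The extracted-token model, the 5-second default skew, the reference clock and the RP audience value are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Subject confirmation method a browser-based token must carry (ISIP § 8.2).
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# Constructed reference clock for the sample tokens; a real RP uses the current time.
NOW = datetime(2008, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


@dataclass
class TokenConditions:
    """Fields these checks need, already extracted from the token (a constructed model, not a SAML parser)."""
    not_before: Optional[datetime]        # SAML NotBefore, None if the element is absent
    not_on_or_after: Optional[datetime]   # SAML NotOnOrAfter, None if absent
    audiences: List[str]                  # AudienceRestrictionCondition values, [] if absent
    subject_confirmation: str = BEARER


def token_at(now: datetime, start: Optional[int], end: Optional[int], audiences: List[str],
             subject_confirmation: str = BEARER) -> TokenConditions:
    """Constructed token valid from now+start to now+end seconds; a None offset omits the element."""
    nb = None if start is None else now + timedelta(seconds=start)
    noa = None if end is None else now + timedelta(seconds=end)
    return TokenConditions(nb, noa, audiences, subject_confirmation)


def check_conditions(tok: TokenConditions, now: datetime, rp_audience: str, auditing: bool,
                     skew: timedelta = timedelta(seconds=5), browser: bool = True) -> Tuple[bool, str]:
    """Accept or reject the token with a message meant to be shown, not swallowed.
    `auditing` is True when the RP sent its identity to the IdP (auditing card, or
    auditing-optional card with scope information), so an AudienceRestriction naming
    this RP is expected; otherwise no AudienceRestriction may be present at all."""
    # A token without a validity window is not silently treated as valid.
    if tok.not_before is None or tok.not_on_or_after is None:
        return False, "token lacks NotBefore or NotOnOrAfter; no validity window can be established"
    # Allow `skew` either side of the window instead of assuming perfect clock synchronization,
    # so a 0-second window a few seconds in the past still passes.
    if now + skew < tok.not_before:
        return False, "token not yet valid: NotBefore %s is more than %ds ahead of this server's clock" % (
            tok.not_before.isoformat(), skew.total_seconds())
    if now - skew >= tok.not_on_or_after:
        return False, "token expired: NotOnOrAfter %s is more than %ds behind this server's clock" % (
            tok.not_on_or_after.isoformat(), skew.total_seconds())
    # Audience restriction must name this RP when auditing data was given, and be absent otherwise.
    if auditing and rp_audience not in tok.audiences:
        return False, "AudienceRestriction %r does not name this relying party (%s)" % (tok.audiences, rp_audience)
    if not auditing and tok.audiences:
        return False, "AudienceRestriction present although no auditing data was given to the identity provider"
    # Browser case: only bearer tokens are acceptable.
    if browser and tok.subject_confirmation != BEARER:
        return False, "browser token uses subject confirmation %s; expected %s" % (tok.subject_confirmation, BEARER)
    return True, "token conditions satisfied"
```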

Tests


Feature-Relying Party has a domain name and does not require a cert to be installed

Maturity: Emerging
Description: Interop best practice: no custom cert needs to be installed.
Test: Attempt to use the Relying Party with a Selector known to validate certificates.
Pass: No certificate error.
Fail: Revoked or expired certs, or a cert that doesn't come from a trusted root certificate.

Tests


Feature-Information Card Icon used to indicate acceptance of Information Cards

Maturity: Emerging
Description: Information Card Icon displayed on a Relying Party page accepting Information Cards.
Test: Click on the Icon and verify that it causes the RP to accept an Information Card.
Pass: Icon present and active.
Fail: Icon not present, or not usable to request an Information Card.

Tests


Feature-Relying Party account creation via Self-Issued Cards

Maturity: Emerging
Description: Ability to use self-issued cards to create a new account.
Test: Attempt to use a self-issued card to create an account.
Pass: Successful account creation.
Fail: Unsuccessful account creation.

Tests


Feature-Relying Party account creation via Managed Cards

Maturity: Emerging
Description: Ability to use managed cards to create a new account.
Test: Attempt to use a managed card to create an account.
Pass: Successful account creation.
Fail: Unsuccessful account creation.

Tests
