Austria SAML Detailed Analysis - RUB-NDS/FutureTrust GitHub Wiki

The Austrian SAML profile “PVP 2” (Portalverbundprotokoll) is a national SAML 2.0 profile that is close to the Kantara eGov 2.0 profile and to eIDAS. The Austrian integration middleware “MOA-ID” provides an eIDAS interface and passed the CEF eIDAS conformance test in March 2017.

The SAML profile “PVP 2” is an implementation profile of Web Browser SSO that uses the HTTP Redirect binding for the AuthnRequest and the HTTP POST or Artifact binding for the Response.

Identity Providers, Service Providers and discovery services must provide a SAML Metadata file and must support the SAML 2.0 Metadata Interoperability Profile Version 1.0.

Both SAML AuthnRequests and Responses must be signed. Signing or encrypting the assertions themselves is optional.

In a typical citizen authentication the requested attributes are the name, the date of birth and the unique sector-specific identifier (the bPK shown in the response below). These can be supplemented by mandate and representation information. In the national authorization federation between public authorities (“Portalverbund”), officials' roles are transmitted as well.

An authentication request is illustrated below:

<saml2p:AuthnRequest
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceIndex="1" AttributeConsumingServiceIndex="0"
  Destination="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/post"
  ID="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:02.775Z"
  Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_demologin/</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml2p:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
    <saml2p:RequestedAuthnContext>
        <saml2:AuthnContextClassRef
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.stork.gov.eu/1.0/citizenQAALevel/4</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

The corresponding SAML response is:

<saml2p:Response
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://demo.egiz.gv.at/demologin-pvp2-sso/securearea.action"
  ID="_d38c7e611419150ada06d13ff4da7b88"
  InResponseTo="_ca32e1569934f581fbb8c3f01848741e"
  IssueInstant="2015-11-03T19:20:05.228Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0</saml2:Issuer>
  <ds:Signature/>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_bf798c5f02b11cbf998c22cb3ded7b72"
    IssueInstant="2015-11-03T19:20:05.228Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">ffK+ZadGhjrero65dsWinfkt5Yc=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
          InResponseTo="_ca32e1569934f581fbb8c3f01848741e"
          NotOnOrAfter="2015-11-03T19:25:05.227Z" Recipient="https://demo.egiz.gv.at/demologin-pvp2-sso/securearea.action"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-11-03T19:20:05.228Z" NotOnOrAfter="2015-11-03T19:25:05.227Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://demo.egiz.gv.at/demologin-pvp2-sso/</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-11-03T19:20:05.228Z" SessionIndex="_9810aeadbb37194fc8d33908eea9f108">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>http://www.stork.gov.eu/1.0/citizenQAALevel/4</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="PRINCIPAL-NAME"
        Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>Mustermann</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>Max</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="BIRTHDATE"
        Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>1990-01-01</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="BPK"
        Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>BF:ffK+ZadGhjrero65dsWinfkt5Yc</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER"
        Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>urn:publicid:gv.at:cdid+BF</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
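The response above carries everything a Service Provider has to check before it may trust the bPK and name attributes: the signature requirement from the profile, InResponseTo and Destination binding the reply to its own AuthnRequest and endpoint, the bearer SubjectConfirmationData, the validity window and the AudienceRestriction. The following is an added example (not code from the FutureTrust wiki or from MOA-ID) that applies those checks to a constructed, minimal response; XML signature verification with an XML-DSig library is assumed to have succeeded before this step, and the entity IDs, URLs and bPK value are placeholders.

```python
# Added example: post-signature validation of a PVP 2 Response at the SP side.
# Assumes the enveloped XML signature has already been verified by an XML-DSig library.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_ts(s):  # SAML timestamps: ISO 8601 in UTC with a trailing 'Z'
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def need(cond, msg):  # fail closed on the first check that does not hold
    if not cond:
        raise ValueError(msg)

def validate_pvp2_response(xml, request_id, acs_url, sp_entity_id, now):
    """Return {attribute Name: value} from the Assertion, or raise ValueError."""
    r = ET.fromstring(xml)
    need(r.find("ds:Signature", NS) is not None, "unsigned Response (PVP 2 requires one)")
    need(r.get("InResponseTo") == request_id, "InResponseTo does not match our AuthnRequest ID")
    need(r.get("Destination") == acs_url, "Destination is not our assertion consumer endpoint")
    need(r.find("p:Status/p:StatusCode", NS).get("Value") == SUCCESS, "non-success status")
    a = r.find("a:Assertion", NS)
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    need(scd.get("InResponseTo") == request_id and scd.get("Recipient") == acs_url,
         "SubjectConfirmationData is not bound to this request and endpoint")
    need(now < parse_ts(scd.get("NotOnOrAfter")), "bearer confirmation expired")
    c = a.find("a:Conditions", NS)
    need(parse_ts(c.get("NotBefore")) <= now < parse_ts(c.get("NotOnOrAfter")),
         "assertion outside its validity window")
    need(sp_entity_id in [e.text for e in c.findall("a:AudienceRestriction/a:Audience", NS)],
         "assertion is not addressed to this SP")
    return {t.get("Name"): t.find("a:AttributeValue", NS).text
            for t in a.findall("a:AttributeStatement/a:Attribute", NS)}

# Constructed minimal Response with placeholder IDs, URLs and bPK; the empty ds:Signature
# stands in for the real enveloped signature, as in the wiki listing above.
SAMPLE = (
    '<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="https://sp.example/acs" ID="_r1"'
    ' InResponseTo="_req1" IssueInstant="2015-11-03T19:20:05.228Z" Version="2.0"><ds:Signature/>'
    f'<p:Status><p:StatusCode Value="{SUCCESS}"/></p:Status>'
    '<a:Assertion ID="_a1" IssueInstant="2015-11-03T19:20:05.228Z" Version="2.0"><a:Subject>'
    '<a:NameID NameQualifier="urn:publicid:gv.at:cdid+BF">bpk-placeholder</a:NameID>'
    '<a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><a:SubjectConfirmationData'
    ' InResponseTo="_req1" NotOnOrAfter="2015-11-03T19:25:05.227Z" Recipient="https://sp.example/acs"/>'
    '</a:SubjectConfirmation></a:Subject><a:Conditions NotBefore="2015-11-03T19:20:05.228Z"'
    ' NotOnOrAfter="2015-11-03T19:25:05.227Z"><a:AudienceRestriction><a:Audience>https://sp.example/'
    '</a:Audience></a:AudienceRestriction></a:Conditions><a:AttributeStatement><a:Attribute'
    ' Name="urn:oid:1.2.40.0.10.2.1.1.149"><a:AttributeValue>BF:bpk-placeholder</a:AttributeValue>'
    '</a:Attribute></a:AttributeStatement></a:Assertion></p:Response>')
```

Running `validate_pvp2_response(SAMPLE, "_req1", "https://sp.example/acs", "https://sp.example/", parse_ts("2015-11-03T19:21:00.000Z"))` returns the bPK attribute; changing the request ID, endpoint, entity ID or clock makes it raise.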