Finland SAML Detailed Analysis - RUB-NDS/FutureTrust GitHub Wiki
Finland follows the eIDAS regulation specification. This section describes the main properties of the Finnish Trust Network protocol profile[1], its differences from eIDAS, and the mapping of SAML attributes between the Finnish and eIDAS services.
According to Section 2.5.2 in (Viestintävirasto. Finnish Communications Regulatory Authority (FICORA), 2016)[1], the HTTP Redirect and HTTP POST bindings must be implemented.
The Finnish profile mandates the usage of the SAML 2.0 Metadata Interoperability Profile[2]. The metadata has to be signed with a certificate issued by a trusted CA.
AuthnRequest messages must be signed. If the HTTP POST binding is used, the signature is embedded in the AuthnRequest message itself. If the HTTP Redirect binding is used, the signature is carried as a separate URL-encoded query parameter, see (Cantor, Hirsch, Kemp, Philpott, & Maler, 2005)[3].
The RequestedAuthnContext must request the eIDAS Level of Assurance levels eIDAS2 (substantial) or eIDAS3 (high). eIDAS1 (http://eidas.europa.eu/LoA/low) is not supported.
A SAML response message must contain a signature child element that signs the whole response message. All included SAML assertions must be encrypted, and each assertion must additionally carry its own enveloped signature. Note that signing SAML assertions is not mandated by eIDAS.
The following elements must be provided in the SAML responses:
- Subject with NameID and SubjectConfirmation elements. SubjectConfirmation contains SubjectConfirmationData with the InResponseTo, Recipient (the assertion consumer service URL), and NotOnOrAfter attributes.
- Conditions with NotBefore and NotOnOrAfter attributes.
- AuthnContext and AuthnStatement elements
The Finnish Trust Network protocol profile mandates the usage of the following attributes:
| Attribute name | eIDAS attribute mapping |
|---|---|
| surname | Current Family Name |
| givenName | Current First Names |
| dateOfBirth | Date of Birth |
| PersonIdentifier | Uniqueness Identifier |
Table 1: Required attributes in the Finnish Trust Network protocol profile and their mapping to eIDAS
Further optional and recommended attributes used in the Finnish Trust Network protocol profile can be found in Section 2.4 in (Viestintävirasto. Finnish Communications Regulatory Authority (FICORA), 2016)[1].
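The response requirements listed above (signed response, encrypted and individually signed assertions, Subject/SubjectConfirmationData, Conditions, AuthnContext) and the required attributes in Table 1 together form a checklist that an SP can apply to every response before trusting it. The Python below is an added example, not code from the FutureTrust project or the FICORA profile: it runs structural checks on the outer Response and on a decrypted Assertion and reports each deviation as a finding. Cryptographic verification of the XML signatures and decryption of the EncryptedAssertion are out of scope and assumed to be done by an XML-DSig/XML-Enc library; the Signature elements in the samples are empty placeholders. Matching attributes on the bare Name values from Table 1 is an assumption of this example (the profile may use OID or FriendlyName forms), and all identifiers, URLs, timestamps and attribute values are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ALLOWED_LOA = {"http://eidas.europa.eu/LoA/substantial", "http://eidas.europa.eu/LoA/high"}
# Required attributes from Table 1 and their eIDAS counterparts (matching on the bare
# Name value is an assumption of this example; check the profile for the exact form).
REQUIRED_ATTRIBUTES = {
    "surname": "Current Family Name",
    "givenName": "Current First Names",
    "dateOfBirth": "Date of Birth",
    "PersonIdentifier": "Uniqueness Identifier",
}


def _ts(value):
    """Parse a SAML UTC timestamp (the constructed samples omit fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response_envelope(response_xml):
    """Structural checks on the outer samlp:Response; signature crypto is done elsewhere."""
    findings = []
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"]
    if root.find(f"{{{DS}}}Signature") is None:
        findings.append("Response is not signed (no ds:Signature child)")
    if root.find(f"{{{SAML}}}Assertion") is not None:
        findings.append("plaintext saml:Assertion present; profile requires encryption")
    if root.find(f"{{{SAML}}}EncryptedAssertion") is None:
        findings.append("no saml:EncryptedAssertion present")
    return findings


def check_assertion(assertion_xml, in_response_to, recipient, now):
    """Checks on one decrypted assertion against the request we sent and our ACS URL."""
    findings = []
    a = ET.fromstring(assertion_xml)
    if a.find(f"{{{DS}}}Signature") is None:
        findings.append("assertion is not signed")
    subject = a.find(f"{{{SAML}}}Subject")
    if subject is None or subject.find(f"{{{SAML}}}NameID") is None:
        findings.append("Subject/NameID missing")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None:
        findings.append("SubjectConfirmationData missing")
    else:
        if scd.get("InResponseTo") != in_response_to:
            findings.append("InResponseTo does not match our AuthnRequest")
        if scd.get("Recipient") != recipient:
            findings.append("Recipient is not our assertion consumer service URL")
        if "NotOnOrAfter" not in scd.attrib or now >= _ts(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData NotOnOrAfter missing or expired")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or "NotBefore" not in cond.attrib or "NotOnOrAfter" not in cond.attrib:
        findings.append("Conditions NotBefore/NotOnOrAfter missing")
    elif not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        findings.append("assertion outside its Conditions validity window")
    refs = [e.text for e in a.iter(f"{{{SAML}}}AuthnContextClassRef")]
    if a.find(f"{{{SAML}}}AuthnStatement") is None or not refs:
        findings.append("AuthnStatement/AuthnContext missing")
    elif not set(refs) <= ALLOWED_LOA:
        findings.append("unexpected LoA " + ", ".join(refs))
    present = {e.get("Name") for e in a.iter(f"{{{SAML}}}Attribute")}
    for name, eidas_name in REQUIRED_ATTRIBUTES.items():
        if name not in present:
            findings.append(f"required attribute {name} ({eidas_name}) missing")
    return findings


# Constructed samples. SIG is an empty placeholder for a real enveloped XML signature.
SIG = "<ds:Signature><ds:SignedInfo/></ds:Signature>"
NS = f'xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"'
GOOD_RESPONSE = (
    f'<samlp:Response {NS} ID="_r1" Version="2.0" IssueInstant="2021-03-01T12:00:00Z">'
    f"<saml:Issuer>https://idp.example.fi</saml:Issuer>{SIG}"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    "</saml:EncryptedAssertion></samlp:Response>"
)


def _attr(name, value):
    return f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


# What the decrypted assertion looks like when it meets the profile.
GOOD_ASSERTION = (
    f'<saml:Assertion {NS} ID="_a1" Version="2.0" IssueInstant="2021-03-01T12:00:00Z">'
    f"<saml:Issuer>https://idp.example.fi</saml:Issuer>{SIG}"
    "<saml:Subject><saml:NameID>constructed-nameid</saml:NameID>"
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example/acs" '
    'NotOnOrAfter="2021-03-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2021-03-01T11:59:00Z" NotOnOrAfter="2021-03-01T12:05:00Z"/>'
    '<saml:AuthnStatement AuthnInstant="2021-03-01T12:00:00Z"><saml:AuthnContext>'
    "<saml:AuthnContextClassRef>http://eidas.europa.eu/LoA/substantial</saml:AuthnContextClassRef>"
    "</saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement>"
    + _attr("surname", "Virtanen") + _attr("givenName", "Matti") + _attr("dateOfBirth", "1990-01-01")
    + _attr("PersonIdentifier", "CONSTRUCTED-ID-1") + "</saml:AttributeStatement></saml:Assertion>"
)
# Same assertion with three profile violations: unsigned, LoA low, PersonIdentifier missing.
BAD_ASSERTION = (GOOD_ASSERTION.replace(SIG, "").replace("LoA/substantial", "LoA/low")
                 .replace(_attr("PersonIdentifier", "CONSTRUCTED-ID-1"), ""))
```

Treat a non-empty findings list as a hard failure rather than a warning: every one of these checks closes a known class of SAML problem (unsigned or plaintext assertions, replayed InResponseTo, assertions delivered to the wrong Recipient, expired validity windows, a weaker LoA than requested), and the attribute check guarantees the eIDAS mapping in Table 1 can always be completed.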
1. Viestintävirasto. Finnish Communications Regulatory Authority (FICORA). (2016). Finnish Trust Network SAML 2.0 Protocol Profile.
2. Cantor, S. (2009). SAML V2.0 Metadata Interoperability Profile Version 1.0.
3. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., & Maler, E. (2005). Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0.