Portugal SAML Detailed Analysis - RUB-NDS/FutureTrust GitHub Wiki
This section summarises the main properties of the Portuguese eID services as specified in the document provided by AMA (Agência para a Modernização Administrativa)[1]. The Portuguese IdP is already an eIDAS node and supports several other EU eIDs.
AuthnRequest messages must be signed. Portugal uses the HTTP POST binding, so the signature is embedded directly in the AuthnRequest XML rather than being carried separately.
The official document prescribes RSA-SHA1 as the signature method and SHA1 as the digest method for constructing XML signatures[1][2]. Other algorithms are not discussed.
A SAML response message must contain a signature child element, which signs the whole response message. The included SAML assertions are neither encrypted nor signed.
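The signature properties described above (a message-level RSA-SHA1/SHA1 signature and plaintext, unsigned assertions) can be checked mechanically on a received Response. The following audit script is an added example, not code from the FutureTrust project or from AMA; the sample Response it parses is constructed for illustration and carries placeholder signature values, so it only inspects structure and algorithm identifiers and does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm URIs the Portuguese profile prescribes; both are SHA-1 based.
SHA1_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                   "http://www.w3.org/2000/09/xmldsig#sha1"}


def audit_response(xml_text):
    """Summarise how a SAML Response is protected: where the signature sits,
    which algorithms it uses, and whether assertions are signed/encrypted."""
    root = ET.fromstring(xml_text)
    # Only a ds:Signature that is a direct child of the Response covers the
    # whole message; a signature nested deeper covers at most an assertion.
    response_signed = root.find("ds:Signature", NS) is not None
    ds = "{%s}" % NS["ds"]
    algs = {el.get("Algorithm") for el in root.iter()
            if el.tag in (ds + "SignatureMethod", ds + "DigestMethod")}
    plain = root.findall("saml:Assertion", NS)
    return {"response_signed": response_signed,
            "sha1_algorithms": sorted(algs & SHA1_ALGORITHMS),
            "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
            "unsigned_assertions": sum(1 for a in plain if a.find("ds:Signature", NS) is None)}


# Constructed sample (not a real Autenticação.Gov message): response-level
# RSA-SHA1 signature with SHA-1 digest and one plaintext, unsigned assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_r1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>placeholder</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"/>
</samlp:Response>"""

if __name__ == "__main__":
    print(audit_response(SAMPLE_RESPONSE))
```

On the sample this reports a signed Response, both SHA-1 algorithm URIs, no encrypted assertions and one unsigned assertion, which is exactly the profile described in the text.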
The Portuguese eID protocol profile mandates the usage of the following attributes (see also Section 4.2 in (AMA, 2016)[1]):
- Citizen name
- Citizen identifier
- Order number
- Service Provider Applicant (represents the URL and description of the service that originally requested the data)
- Date and time
- Further required attributes (if defined)
1. AMA. (2016). Autenticação.Gov – Fornecedor de Autenticação da Administração Pública Portuguesa.
2. SHA1 is considered to be insecure.