DevTest4 beta-release and OIO SAML 3 implementations

26-03-2021 12:23:55

With the beta-release of the forthcoming version of NemLog-in, the IdP will support OIO SAML 3, and the reference implementations for OIO SAML have therefore been updated to ensure compatibility. To ease testing, the examples have been updated to use the beta-release available on the DevTest4 environment. The changes and release versions are described below.

Assertion encryption

With OIO SAML 3 the cipher suites used for encryption have been updated. The NemLog-in IdP will by default use AES-256 in GCM mode for symmetric encryption and RSA-OAEP with SHA-256 for asymmetric encryption. Neither of these ciphers is supported by default in .NET Framework, nor are they supported by the reference implementation for .NET. Therefore, the following two EncryptionMethod elements should be used to force CBC mode for symmetric encryption and RSA-OAEP MGF1P for asymmetric encryption:

<md:KeyDescriptor use="encryption">
  <ds:KeyInfo>…</ds:KeyInfo>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
</md:KeyDescriptor>

Please note that this behavior has not been changed for OIO SAML 2: the NemLog-in IdP will continue to use AES-256 in CBC mode and RSA-OAEP MGF1P for encryption there.
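A small check, added here as an example and not part of the reference implementations, that parses a service provider's metadata and reports whether the encryption KeyDescriptor declares exactly the two algorithms above (anything else, or nothing at all, leaves the IdP free to fall back to its GCM/SHA-256 defaults). The entityID, key name and metadata skeleton are constructed sample values.

```python
"""Lint OIO SAML service provider metadata for the EncryptionMethod elements
that steer the NemLog-in OIO SAML 3 IdP towards .NET-compatible ciphers."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"

# The pair the .NET Framework reference implementation can decrypt.
REQUIRED = {XMLENC + "aes256-cbc", XMLENC + "rsa-oaep-mgf1p"}


def declared_encryption_methods(metadata_xml: str) -> set:
    """Collect Algorithm URIs from every KeyDescriptor usable for encryption.

    A KeyDescriptor without a 'use' attribute covers both signing and
    encryption, so it is inspected as well.
    """
    root = ET.fromstring(metadata_xml)
    algorithms = set()
    for key_descriptor in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if key_descriptor.get("use", "encryption") != "encryption":
            continue
        for method in key_descriptor.findall(f"{{{MD_NS}}}EncryptionMethod"):
            if method.get("Algorithm"):
                algorithms.add(method.get("Algorithm"))
    return algorithms


def check_dotnet_compat(metadata_xml: str) -> dict:
    """Report missing/unexpected algorithms; 'ok' means exactly REQUIRED."""
    declared = declared_encryption_methods(metadata_xml)
    return {
        "declared": sorted(declared),
        "missing": sorted(REQUIRED - declared),
        "unexpected": sorted(declared - REQUIRED),
        "ok": declared == REQUIRED,
    }


# Constructed sample metadata; {methods} is filled with EncryptionMethod rows.
SP_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>constructed-sample-key</ds:KeyName></ds:KeyInfo>
      {methods}
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
GOOD_SP = SP_TEMPLATE.format(methods=(
    f'<md:EncryptionMethod Algorithm="{XMLENC}aes256-cbc"/>'
    f'<md:EncryptionMethod Algorithm="{XMLENC}rsa-oaep-mgf1p"/>'))
BARE_SP = SP_TEMPLATE.format(methods="")  # no preference declared at all
```

Running `check_dotnet_compat(BARE_SP)` lists both algorithms under "missing", which is the situation that produces undecryptable assertions against DevTest4.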

AssuranceLevel in OIO SAML 3

To support the cases where an authentication does not yield an NSIS Level of Assurance, the NemLog-in IdP will instead provide the old OIO SAML 2 AssuranceLevel attribute in the produced SAML Assertion. The reference implementations for OIO SAML 3 have a configuration parameter for whether this is accepted by the service provider. Please see the platform-specific documentation for how to enable or disable this support.

Common Domain Cookie in OIO SAML 3

For OIO SAML 3 the NemLog-in IdP will not support the Common Domain Cookie. For backwards compatibility, the Common Domain Cookie will still be supported for OIO SAML 2.

OIO SAML 2.0.9 to OIO SAML 2.1.0 migration

As stated in https://www.digitaliser.dk/news/5889034, several attributes have been deprecated and removed with OIO SAML 2.1.0. This change only requires metadata changes and can be tested on IntegrationTest by removing the attributes from the service provider metadata. The IdP released to DevTest4 does not provide the attributes.

DevTest4 metadata

Metadata for DevTest4 can be found at https://www.nemlog-in.dk/vejledningertiltestmiljo.

Both the Java and .NET OIO SAML 3 demo service providers have been updated to use the DevTest4 IdP.

Step-up authentication

Please note that with the forthcoming release of the NemLog-in IdP, step-up authentication will not be supported.

Software releases

  • OIOSAML.Net (dk.nita.saml20) version 2.0.6
  • OIOSAML.Net (dk.nita.saml20) version 3.0.0
  • OIOSAML.Java (oiosaml3.java) version 3.0.1

OIOSAML.Net (dk.nita.saml20) version 2.0.6

Added support for providing consent for attribute queries and for validating the NotOnOrAfter value correctly for the HTTP-POST SAML binding.

No changes have been implemented for dk.nita.saml20.ext.audit.log4net or dk.nita.saml20.ext.sessionstore.sqlserver.

Please note that the demo service provider in this release still uses NemLog-in's IntegrationTest environment IdP.

The NuGet package is available at NuGet.org: https://www.nuget.org/packages/dk.nita.saml20/2.0.6

A copy of the source code can be downloaded from GitHub: https://github.com/digst/OIOSAML.Net/archive/2.0.6.zip

OIOSAML.Net (dk.nita.saml20) version 3.0.0

Updated implementation that supports OIO SAML 3. Changes from 3.0.0-alpha.1 include compliance with [OIO-AP-03], such that attributes use the correct name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri), and a new default behaviour for metadata generation of not signing the metadata, as NemLog-in rejects metadata which has been signed. Furthermore, the set of attributes listed in the demo example now contains only OIO SAML 3 attributes.

No changes have been implemented for dk.nita.saml20.ext.audit.log4net or dk.nita.saml20.ext.sessionstore.sqlserver.

The NuGet package is available at NuGet.org: https://www.nuget.org/packages/dk.nita.saml20/3.0.0

A copy of the source code can be downloaded from GitHub: https://github.com/digst/OIOSAML.Net/archive/3.0.0.zip

OIOSAML.Java (oiosaml3.java) version 3.0.1

New implementation of the OIO SAML 3 profile based on OpenSAML 3.4. This is a breaking change from the previous oiosaml2.java implementation, made to enable co-existence of OIO SAML and OIO IDWS implementations; oiosaml2.java is based on OpenSAML 2.6. Please also note that the namespace/package used has changed to dk.gov.oio.saml.

The Maven package is available at mvnrepository.com: https://mvnrepository.com/artifact/dk.digst/oiosaml3.java/3.0.1

A copy of the source code can be downloaded from GitHub: https://github.com/digst/OIOSAML.Java/archive/3.0.1.zip