Federation - Baseline Assertion Metadata Requirements, v1.0

Identity Providers must ensure that every assertion they generate is unique and carries the fundamental metadata: subject identifier, issuer identifier, audience, timestamps, a digital signature, and authentication time.

Assessment Step

1
IdP Assertion Complete Metadata (IdPAssertionCompleteMetadata)
Does the IdP generate assertions with all required metadata: subject identifier, issuer identifier, audience, issuance timestamp, expiration timestamp, unique assertion identifier, digital signature, and authentication time?
Artifact
A1
Provide evidence (e.g., policies, operational samples) that the IdP generates assertions with all the necessary metadata.

Conformance Criteria (1)

C1
All assertions SHALL include the following assertion metadata:
  • Subject: An identifier for the party that the assertion is about (i.e., the subscriber).
  • Issuer: An identifier for the IdP that issued the assertion.
  • Audience: An identifier for the party intended to consume the assertion (i.e., the RP).
  • Issuance: A timestamp indicating when the IdP issued the assertion.
  • Expiration: A timestamp indicating when the assertion expires and SHALL no longer be accepted as valid by the RP (i.e., the expiration of the assertion and not the expiration of the session at the RP).
  • Identifier: A value uniquely identifying this assertion, used to prevent attackers from replaying prior assertions.
  • Signature: Digital signature or message authentication code (MAC), including key identifier or public key associated with the IdP, for the entire assertion.
  • Authentication Time: A timestamp indicating when the IdP last verified the presence of the subscriber at the IdP through a primary authentication event (if available).
Citation
NIST SP 800-63C
Section 6
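The following is an added illustration, not part of this document or of NIST SP 800-63C: an RP-side validator that checks an assertion for the C1 metadata and rejects expired or replayed assertions. It assumes JWT-style claim names (sub, iss, aud, iat, exp, jti, auth_time) and an HMAC shared with the IdP; the sample assertion and key are constructed for the example.

```python
import hashlib, hmac, json, time

# Assumed claim names (JWT/OIDC convention); the criteria name the fields generically.
REQUIRED_CLAIMS = ("sub", "iss", "aud", "iat", "exp", "jti", "auth_time")

def sign_assertion(payload: bytes, key: bytes) -> str:
    """MAC over the entire serialized assertion (HMAC-SHA256, hex encoded)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class AssertionValidator:
    """RP-side checks for the C1 metadata, plus replay detection on the identifier."""
    def __init__(self, issuer: str, audience: str, key: bytes, now=time.time):
        self.issuer, self.audience, self.key, self.now = issuer, audience, key, now
        # Identifiers of assertions already consumed; entries can be evicted once
        # the matching assertion's expiration has passed.
        self.seen_ids: set[str] = set()

    def validate(self, payload: bytes, signature: str) -> list[str]:
        """Return the list of failed checks; an empty list means the assertion is accepted."""
        # The signature covers the whole assertion, so verify it before trusting any field.
        if not hmac.compare_digest(sign_assertion(payload, self.key), signature):
            return ["signature invalid"]
        claims = json.loads(payload)
        missing = [c for c in REQUIRED_CLAIMS if c not in claims]
        if missing:
            return ["missing metadata: " + ", ".join(missing)]
        errors, now = [], self.now()
        if claims["iss"] != self.issuer:
            errors.append("issuer mismatch")
        if claims["aud"] != self.audience:      # assertion was meant for a different RP
            errors.append("audience mismatch")
        if claims["iat"] > now:
            errors.append("issued in the future")
        if claims["exp"] <= now:                # expiry of the assertion, not of the RP session
            errors.append("assertion expired")
        if claims["jti"] in self.seen_ids:      # same assertion presented a second time
            errors.append("replayed assertion identifier")
        if not errors:
            self.seen_ids.add(claims["jti"])    # only accepted assertions are consumed
        return errors

# Constructed sample: IdP "idp.example" issuing a five-minute assertion to RP "rp.example".
KEY = b"constructed-shared-secret-for-demo-only"
def sample_payload(now: float) -> bytes:
    claims = {"sub": "user-123", "iss": "https://idp.example", "aud": "https://rp.example",
              "iat": now, "exp": now + 300, "jti": "a1b2c3", "auth_time": now - 60}
    return json.dumps(claims).encode()
```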