Federation - Protection Against Tampering, Fabrication, and Unintended Use of Assertion References, v1.0

Identity Providers that use assertion references (e.g. the SAML Artifact Profile or OIDC) must protect those references and, when a reference is presented back to the IdP, verify that the RP presenting it is the RP to which the reference was issued (most typically by authenticating the RP).

Assessment Step

Assertion Dereferencing (AssertionDereferencing)
Does the IdP correctly use assertion references: protecting them, making them single-use, and verifying that any RP dereferencing an assertion is the RP to which the reference was issued?
Provide evidence (e.g. policies, operational samples) that the IdP correctly uses assertion references and authenticates the RP before releasing the assertion.

Conformance Criteria (1)

  • The assertion reference... SHALL be resistant to tampering and fabrication by an attacker.
  • The assertion reference SHALL be limited to use by a single RP.
  • The assertion reference SHALL be single-use.
  • The assertion reference SHOULD be time limited with a short lifetime of seconds or minutes.
  • The assertion reference SHOULD be presented along with authentication of the RP.
  • When assertion references are presented, the IdP SHALL verify that the party presenting the assertion reference is the same party that requested the authentication.
NIST SP 800-63C
Section 7.1
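The criteria above describe the checks an IdP performs when it issues and later dereferences an assertion reference. The following is an added example (not part of the original criteria or of any IdP product) of an in-memory reference store that enforces them: an unguessable reference, binding to the issuing RP, single use, a short lifetime, and RP authentication before the assertion is released. The RP credential table and the clock parameter are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample RP credentials (hypothetical; a real IdP would use a
# registered client store, not a dict of shared secrets).
RP_SECRETS = {"rp-a": "secret-a", "rp-b": "secret-b"}


@dataclass
class AssertionReference:
    rp_id: str        # RP the reference was issued to (single-RP binding)
    assertion: dict   # assertion the reference points at
    expires_at: float # absolute expiry; lifetime is seconds or minutes


class IdP:
    def __init__(self, lifetime_seconds=60, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock   # injectable so expiry can be tested deterministically
        self._refs = {}

    def issue_reference(self, rp_id, assertion):
        # 256 bits from a CSPRNG: an attacker cannot fabricate a valid
        # reference or tamper an observed one into another valid value.
        ref = secrets.token_urlsafe(32)
        self._refs[ref] = AssertionReference(rp_id, assertion, self.clock() + self.lifetime)
        return ref

    def dereference(self, ref, rp_id, rp_secret):
        # 1. Authenticate the presenting RP before touching the store
        #    (constant-time comparison of the shared secret).
        expected = RP_SECRETS.get(rp_id)
        if expected is None or not hmac.compare_digest(expected, rp_secret):
            return None, "rp_authentication_failed"
        # 2. Remove the reference on first presentation so that a replay,
        #    even by the correct RP, fails: single-use.
        entry = self._refs.pop(ref, None)
        if entry is None:
            return None, "unknown_or_already_used"
        # 3. The presenter must be the RP that requested the authentication.
        if entry.rp_id != rp_id:
            return None, "rp_mismatch"
        # 4. Enforce the short lifetime.
        if self.clock() > entry.expires_at:
            return None, "expired"
        return entry.assertion, "ok"
```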