Federation - Protection of Assertion Integrity via Digital Signature Using Approved Cryptography, v1.0

All assertions must be digitally signed using approved cryptography. The entire assertion including all metadata must be signed.

Assessment Step

Assertion Signatures (AssertionSignatures)
Are all assertions properly digitally signed using approved cryptography?
Provide evidence (e.g. policies, operational samples) that all assertions are properly digitally signed using approved cryptography.

Conformance Criteria (1)

  • Assertions SHALL be cryptographically signed by the issuer (IdP).
  • Approved cryptography SHALL be used.
  • This signature SHALL cover the entire assertion, including its identifier, issuer, audience, subject, and expiration.
  • The assertion signature SHALL either be a digital signature using asymmetric keys or a MAC using a symmetric key shared between the RP and issuer.
  • Shared symmetric keys used for this purpose by the IdP SHALL be independent for each RP to which they send assertions, and are normally established during registration of the RP.
NIST SP 800-63C
Section 6.2.2