ITI40 | ITI40-001 | reviewed | Testable | 0 | 3 | | The X-Service User uses the X-Assertion Provider as the third party issuer of the X-User assertion | 147 | Section 3.40.1 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-002 | reviewed | Testable | 0 | 3 | | The X-Service Provider uses the X-Assertion Provider as the third party issuer of the X-User assertion | 147 | Section 3.40.1 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-003 | reviewed | Testable | 0 | 3 | | The X-Service User is configurable as to when [ITI-40] Provide X-User Assertion is necessary | 149 | Section 3.40.1.1 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-004 | reviewed | Testable | 0 | 3 | | The X-Service User is configurable as to when [ITI-40] Provide X-User Assertion is necessary | 149 | Section 3.40.1.1 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-005 | reviewed | Testable | 0 | 3 | | The X-Service User shall include the OASIS Web Services Security (WSS) Header | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-006 | reviewed | Testable | 0 | 3 | | The X-Service User shall include a SAML 2.0 Assertion as the security token | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-007 | reviewed | Testable | 0 | 3 | | Any ATNA Audit Messages that the X-Service User records in relationship to a transaction protected by the XUA shall have the user identity recorded according to the XUA specific ATNA encoding rules in Section 3.40.4.2 (ATNA Audit encoding). | 0 | Section 3.40.4.1.2 and 3.40.4.1.3 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-008 | reviewed | Testable | 0 | 2 | Note this is effectively a duplicate of the previous assertion | Any ATNA Audit Messages recorded by an Actor grouped with the X-Service User Actor shall have the user identity recorded according to the XUA specific ATNA encoding rules (see 3.40.4.2 ATNA Audit encoding). | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-010 | reviewed | Testable | 0 | 3 | | The Subject in the SAML assertion sent by the X-Service User shall remain unchanged through operations acting on the assertion. | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-012 | reviewed | Testable | 0 | 3 | | The X-Service User shall support the bearer confirmation method as defined in the SAML 2.0 Profile specification, Section 3. | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-015 | reviewed | Testable | 0 | 3 | | An X-Service User may ignore a ProxyRestriction condition. | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-016 | reviewed | Testable | 0 | 3 | | An X-Service Provider may ignore a ProxyRestriction condition (i.e., if the Assertion contains that condition, it is not a test failure if it is not enforced). | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-018 | reviewed | Testable | 0 | 3 | | An X-Service Provider may ignore a OneTimeUse condition (i.e., if the Assertion contains that condition, it is not a test failure if it is not enforced). | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-020 | reviewed | Testable | 0 | 3 | | The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Subject ID attribute. | 0 | Section | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-021 | reviewed | Testable | 0 | 3 | | If the Subject ID is present, this <Attribute> element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:subject-id”. The name of the user shall be placed in the value of the <AttributeValue> element. | 151 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-024 | reviewed | Testable | 0 | 3 | | A unique identifier for the organization that the user is representing in performing this transaction shall be placed in the value of the <AttributeValue> element of the organization ID Attribute Statement element. This organization ID shall be consistent with the plain-text name of the organization provided in the User Organization Attribute. The organization ID may be an Object Identifier (OID), using the urn format (that is, “urn:oid:” appended with the OID); or it may be a URL assigned to that organization. | 151 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-027 | reviewed | Testable | 0 | 3 | | The SAML assertion sent by the X-Service User may contain Attributes other than those listed above. | 152 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-028 | reviewed | Testable | 0 | 3 | | The SAML assertion sent by the X-Service User shall be signed by the X-Assertion Provider as defined in SAML Core. | 152 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-030 | reviewed | Testable | 0 | 3 | Note: A subject-role code set will need to be defined as part of the testing environment for XUA | The X-Service User shall encode the relevant user subject roles from a locally defined Code-Set into subject role element(s). | 152 | Section 3.40.4.1.2.1 | 2/15/17 6:00:10 PM by ceoche |
ITI40 | ITI40-036 | reviewed | Testable | 0 | 3 | | The X-Service User shall place the PurposeOfUse value into the ATNA Audit Message associated with the transaction according to the ATNA Audit Message transaction ITI-20 (see ITI-TF-2a: 3.20.7.3). | 155 | Section 3.40.4.1.2.3.1 | 2/15/17 6:00:11 PM by ceoche |