| ITI40 | ITI40-001 | reviewed | Testable |
0
|
3
| | The X-Service User uses the X-Assertion Provider as the third party issuer of the X-User assertion | 147 | Section 3.40.1 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-003 | reviewed | Testable |
0
|
3
| | The X-Service User is configurable as to when [ITI-40] Provide X-User Assertion is necessary | 149 | Section 3.40.1.1 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-005 | reviewed | Testable |
0
|
3
| | The X-Service User shall include the OASIS Web Services Security (WSS) Header | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-006 | reviewed | Testable |
0
|
3
| | The X-Service User shall include a SAML 2.0 Assertion as the security token | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-007 | reviewed | Testable |
0
|
3
| | Any ATNA Audit Messages that the X-Service User records in relationship to a transaction protected by the XUA shall have the user identity recorded according to the XUA specific ATNA encoding rules in Section 3.40.4.2 ATNA Audit encoding). | 0 | Section 3.40.4.1.2 and 3.40.4.1.3 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-015 | reviewed | Testable |
0
|
3
| | An X-Service User may ignore a ProxyRestriction condition. | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-016 | reviewed | Testable |
0
|
3
| | An X-Service Provider may ignore a ProxyRestriction condition. (ie if the Assertion contains that condition, it is not a test failure if it is not enforced.) | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-017 | reviewed | Testable |
1
|
3
| | An X-Service User may ignore a OneTimeUsecondition. | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-018 | reviewed | Testable |
0
|
3
| | An X-Service Provider may ignore a OneTimeUse condition. (ie if the Assertion contains that condition, it is not a test failure if it is not enforced.) | 150 | Section 3.40.4.1.2 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-020 | reviewed | Testable |
0
|
3
| | The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Subject ID attribute. | 0 | Section | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-029 | reviewed | Testable |
1
|
3
| | The SAML assertion sent by the X-Service User may contain other statements. | 152 | Section 3.40.4.1.3 | 2/15/17 6:00:10 PM by ceoche |
|
| ITI40 | ITI40-037 | reviewed | Testable |
0
|
3
| | The X-Service Provider shall place the PurposeOfUse value into the ATNA Audit Message associated with the transaction according to the ATNA Audit Message transaction ITI-20 (see ITI-TF-2a: 3.20.7.3). | 155 | Section 3.40.4.1.2.3.1 | 2/15/17 6:00:11 PM by ceoche |
|
| ITI40 | ITI40-038 | reviewed | Testable |
1
|
3
| | The X-Service Provider shall validate the X-User Assertion by processing the Web-Services Security header in accordance with the Web-Services Security Standard, and SAML 2.0 Standard processing rules | 155 | Section 3.40.4.1.3 | 2/15/17 6:00:11 PM by ceoche |
|
| ITI40 | ITI40-039 | reviewed | Testable |
1
|
3
| | If the validation of the X-User assertion performed by the X-Service Provider fails, the actor grouped with the X-Service Provider (ie the one performing the underlying web services transaction), shall return with an error code as described in WS-Security core specification Section 12 (Error Handling, using the SOAP Fault mechanism), | 155 | Section 3.40.4.1.3 | 2/15/17 6:00:11 PM by ceoche |
|
| ITI40 | ITI40-040 | reviewed | Testable |
1
|
3
| | If the validation of the X-User assertion performed by the X-Service Provider fails, the X-Service Provder shall send an ATNA Audit Message for Authentication Failure. | 155 | Section 3.40.4.1.3 | 2/15/17 6:00:11 PM by ceoche |
|
| ITI40 | ITI40-049 | reviewed | Testable |
3
|
3
| | When an ATNA Audit message needs to be generated and the user is authenticated by way of an X-User Assertion, the ATNA Audit message UserNameelement shall record the X-User Assertion using the following encoding: alias"<"user"@"issuer">" where:
• alias is the optional string within the SAML Assertion's Subject element SPProvidedID attribute
• user is the required content of the SAML Assertion's Subject element | 156 | Section 3.40.4.2 | 2/15/17 6:00:11 PM by ceoche |
|
| ITI40 | ITI40-056 | reviewed | Testable |
1
|
3
| | The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Subject ID attribute. | 150 | Section 3.40.4.1.2.2 | 2/15/17 6:00:11 PM by ceoche |
|
| XUA | XUA-001 | reviewed | Testable |
2
|
2
| | XUA specifies that when a Cross-Enterprise User Assertion is needed, these Web-Services transactions (ie those based on ITI TF-2x: Appendix V) will additionally use the Web-Services Security header with a SAML 2.0 Token containing the identity Assertion. | 136 | Section 13.2 | 2/15/17 6:00:12 PM by ceoche |
|
| XUA | XUA-002 | reviewed | Testable |
0
|
2
| | The X-Service User shall be able to authenticate a user. The means by which this is done is not constrained by the XUA profile. The authenticated user shall be | 137 | Section 13.4 | 2/15/17 6:00:12 PM by ceoche |
|
| XUA | XUA-003 | reviewed | Testable |
0
|
2
| ceoche: I disagree with this assertion. The way X-User get the assertion is outside of the scope of XUA. The assertion could be generated by the X-User itself. | The X-Service User shall be able to get the X-User Assertion from an X-Assertion Provider. | 137 | Section 13.4 | 2/15/17 6:00:12 PM by ceoche |
|