Your browser has JavaScript turned off.
You must turn it on to proceed.










NORS -- CSRIC Best Practices Result

CSRIC Best Practices Result

Detailed Information for the Best Practice: 9-8-8770

Number 9-8-8770
Priority Important
Description SAML Communications: Service Providers should use secure network protocols such as TLS or IPsec should be used to provide integrity and confidentiality protection of SAML communications. In addition, the following measures should be implemented to counter replay, denial of service and other forms of attacks:
(a) Clients should be required to authenticate at some level below the SAML protocol level (for example, using the SOAP over HTTP binding, with HTTP over TLS/SSL, and with a requirement for client-side certificates that have a trusted Certificate Authority at their root) to provide traceability and counter DOS attacks.
(b) Use of the XML Signature element [ds:SignatureProperties] containing a timestamp should be required to determine if a signature is recent to counter replay attacks.
(c) Maintaining state information concerning active sessions, and validate correspondence.
(d) Correlation of request and response messages.
Network Type(s) Cable; Internet/Data; Satellite; Wireless; Wireline
Industry Role(s) Service Provider
Keyword(s) Cyber Security;Encryption;Information Protection;Intrusion Detection;
Reference/Comments OASIS, Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0.