Differences between SAML profiles Kantara eGov 2.0 and STORK Interface Specification D5.8.3b (4-Oct-2011)
| # | Feature | eGov 2.0 | STORK |
|---|---------|----------|-------|
| 1 | SAML 2.0 Metadata | MUST support | does not support; uses proprietary metadata format |
| 2 | SAML 2.0 Metadata IOP | MUST support | does not support |
| 3 | SAML 2.0 Metadata Exchange | MUST support publication | does not support |
| 4 | SAML V2.0 X.500/LDAP Attribute Profile | MUST support | uses URL for Attribute Name Format |
| 5 | SLO Profile | Full conformance: MUST support | not supported |
| 6 | IdP Discovery Profile | Full conformance: MUST support | not supported |
| 7 | HoK SSO Profile | Full conformance: MUST support | not supported |
| 8 | IdP Proxy Profile | MUST support | not supported |
| 9 | IdP Discovery | Optional (may be required by deployment) | does not support; IdP selection using proprietary method |
| 10 | Complex XML Attributes | Optional | MUST support |
| 11 | AuthnRequest Binding | MUST support Redirect; others OPTIONAL | MUST be Redirect |
| 12 | AuthnRequest max size | Although there is no explicit limit in SAML, deployments and the Redirect binding might not accept large requests. Information is passed outside the request (in metadata etc.) instead. | 128 kB |
| 13 | AuthnRequest <saml2p:ForceAuthn> | Mandatory | MUST be set to TRUE |
| 14 | AuthnRequest <saml2p:IsPassive> | Mandatory | MUST be set to FALSE |
| 15 | AuthnRequest <saml2p:ProviderName> | Optional | Mandatory |
| 16 | AuthnRequest <saml2p:NameIDPolicy> | Mandatory | Optional |
| 17 | AuthnRequest <saml2p:ACSIndex> | Optional | not supported |
| 18 | AuthnRequest <saml2p:RequestedAuthnContext> | Mandatory | not used |
| 19 | AuthnRequest <storkp:SPAutnRequest> | not understood | Mandatory |
| 20 | AuthnRequest <storkp:CitizenCountryCode> | not understood | Mandatory |
| 21 | AuthnRequest <storkp:SPInformation> | not understood | Optional |
| 22 | AuthnRequest <stork:Application> | not understood | Optional |
| 23 | AuthnRequest <stork:spCountry> | not understood | Optional |
| 24 | AuthnRequest <stork:QualityAuthenticationAssuranceLevel> | not understood | Mandatory |
| 25 | AuthnRequest <stork:spSector> | not understood | Optional |
| 26 | AuthnRequest <stork:eIDSectorShare> | not understood | Optional |
| 27 | AuthnRequest <stork:eIDCrossSectorShare> | not understood | Optional |
| 28 | AuthnRequest <stork:eIDCrossBorderShare> | not understood | Optional |
| 29 | AuthnRequest <stork:SPID> | not understood | Mandatory |
| 30 | AuthnRequest <stork:RequestedAttribute> | not understood | Optional, but required to request attributes |
| 31 | AuthnRequest <stork:AuthenticationAttributes> | not understood | Optional |
| 32 | AuthnRequest <stork:AttributeValue> | not understood | Optional |
| 33 | AuthnRequest <stork:SPCertSig> | not understood | Optional |
| 34 | AuthnRequest <stork:SPCertEnc> | not understood | Optional |
| 35 | AuthnRequest <saml:Subject> | Optional | not used |
| 36 | AuthnRequest signature | MUST support | Mandatory |
| 37 | AuthnRequest: verify ACS URL against Metadata | MUST support | n/a (no metadata support) |
| 38 | AuthnResponse response signature | Optional | Mandatory |
| 39 | AuthnResponse assertion signature | Mandatory | Optional |
| 40 | AuthnResponse SessionNotOnOrAfter | MUST support | not used |
| 41 | AuthnResponse <saml:SubjectLocality> | Optional | Mandatory |
| 42 | AuthnResponse <saml:AuthnContext> | Mandatory | not used |
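The AuthnRequest rows above translate directly into checks an SP or gateway can run on an outgoing request before sending it. The following Python is an added illustration, not code from the comparison or from either specification: it tests a request against the mandatory AuthnRequest rows for each profile. The STORK 1.0 namespace URIs are assumed from D5.8.3b, the two sample requests are constructed, and the empty `<ds:Signature/>` only stands in for a real XML signature (presence is checked, not validity).

```python
import xml.etree.ElementTree as ET

# SAML and XML-DSig namespaces are standard; the STORK 1.0 URIs are assumed from D5.8.3b.
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "storkp": "urn:eu:stork:names:tc:STORK:1.0:protocol",
      "stork": "urn:eu:stork:names:tc:STORK:1.0:assertion"}
STORK_MAX_BYTES = 128 * 1024  # row 12: STORK caps the AuthnRequest at 128 kB

def _missing(root, paths):
    """Report each element path (prefix:local form) that is absent from the request."""
    return [p.rsplit("/", 1)[-1] + " missing" for p in paths if root.find(p, NS) is None]

def check_stork(xml_bytes):
    """Violations of the STORK AuthnRequest rows (12-15, 20, 24, 29, 36)."""
    root = ET.fromstring(xml_bytes)
    problems = ["request larger than 128 kB"] if len(xml_bytes) > STORK_MAX_BYTES else []
    for attr, want in (("ForceAuthn", "true"), ("IsPassive", "false")):
        if root.get(attr, "").lower() != want:  # rows 13/14: fixed values, not just present
            problems.append(f"{attr} must be {want}")
    if not root.get("ProviderName"):  # row 15
        problems.append("ProviderName missing")
    return problems + _missing(root, (".//storkp:CitizenCountryCode", "ds:Signature",
                                      ".//stork:QualityAuthenticationAssuranceLevel", ".//stork:SPID"))

def check_egov(xml_bytes):
    """Items eGov 2.0 marks mandatory on the AuthnRequest (rows 13, 14, 16, 18) that are absent."""
    root = ET.fromstring(xml_bytes)
    problems = [a + " missing" for a in ("ForceAuthn", "IsPassive") if root.get(a) is None]
    return problems + _missing(root, ("saml2p:NameIDPolicy", "saml2p:RequestedAuthnContext"))

# Constructed STORK-style request; <ds:Signature/> is a placeholder for a real enveloped signature.
STORK_REQ = b"""<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:storkp="urn:eu:stork:names:tc:STORK:1.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:stork="urn:eu:stork:names:tc:STORK:1.0:assertion"
 ID="_1" Version="2.0" IssueInstant="2011-10-04T00:00:00Z"
 ForceAuthn="true" IsPassive="false" ProviderName="Example SP">
 <ds:Signature/>
 <saml2p:Extensions>
  <stork:QualityAuthenticationAssuranceLevel>3</stork:QualityAuthenticationAssuranceLevel>
  <stork:SPID>sp-example</stork:SPID>
  <storkp:CitizenCountryCode>AT</storkp:CitizenCountryCode>
 </saml2p:Extensions>
</saml2p:AuthnRequest>"""

# Constructed eGov-style request: unsigned, ForceAuthn present but false, no STORK extensions.
EGOV_REQ = b"""<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="_2" Version="2.0" IssueInstant="2011-10-04T00:00:00Z" ForceAuthn="false" IsPassive="false">
 <saml2p:NameIDPolicy AllowCreate="true"/>
 <saml2p:RequestedAuthnContext/>
</saml2p:AuthnRequest>"""
```

Running each request through the other profile's check shows the interoperability gap in rows 13 to 36 concretely: a conformant eGov request fails six STORK rules, and a conformant STORK request lacks the two elements eGov 2.0 requires.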
Summary: STORK's key differences in the concept

- Metadata not SAML compatible
- Session handling: each session is local to the SP; no real SSO, no SLO, no time-out handling
- Attribute release: not via metadata, but using the AuthnRequest
- Different IdP-discovery concept (using country selection and national gateways)
- Special proxy architecture