| ITI40 | ITI40-003 | reviewed | Testable |
10
|
3
| | The X-Service User is configurable as to when [ITI-40] Provide X-User Assertion is necessary | 144 | Section 3.40.4.1.1 | 9/10/19 11:55:46 AM by aeschlimann |
|
| ITI40 | ITI40-005 | reviewed | Testable |
2
|
3
| | The X-Service User shall include the OASIS Web Services Security (WSS) Header | 144 | Section 3.40.4.1.2 | 3/8/24 11:02:45 AM by vhofman |
|
| ITI40 | ITI40-006 | reviewed | Testable |
2
|
3
| | The X-Service User shall include a SAML 2.0 Assertion as the security token | 144 | Section 3.40.4.1.2 | 3/8/24 11:02:47 AM by vhofman |
|
| ITI40 | ITI40-007 | reviewed | Testable |
0
|
3
| | Any ATNA Audit Messages that the X-Service User records in relationship to a transaction protected by the XUA shall have the user identity recorded according to the XUA specific ATNA encoding rules in Section 3.40.4.2 ATNA Audit encoding). | 145 | Section 3.40.4.1.2 | 9/17/19 11:07:26 AM by ceoche |
|
| ITI40 | ITI40-015 | reviewed | Not testable |
0
|
3
| | An X-Service User may ignore a ProxyRestriction condition. | 144 | Section 3.40.4.1.2 | 9/17/19 4:56:07 PM by mtoudic |
|
| ITI40 | ITI40-016 | reviewed | Not testable |
0
|
3
| | An X-Service Provider may ignore a ProxyRestriction condition. (ie if the Assertion contains that condition, it is not a test failure if it is not enforced.) | 144 | Section 3.40.4.1.2 | 9/17/19 4:56:13 PM by mtoudic |
|
| ITI40 | ITI40-017 | reviewed | Not testable |
0
|
3
| | An X-Service User may ignore a OneTimeUsecondition. | 144 | Section 3.40.4.1.2 | 9/17/19 4:56:18 PM by mtoudic |
|
| ITI40 | ITI40-018 | reviewed | Not testable |
0
|
3
| | An X-Service Provider may ignore a OneTimeUse condition. (ie if the Assertion contains that condition, it is not a test failure if it is not enforced.) | 144 | Section 3.40.4.1.2 | 9/17/19 4:56:24 PM by mtoudic |
|
| ITI40 | ITI40-020 | reviewed | Not testable |
7
|
3
| | The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Subject ID attribute. | 144 | Section 3.40.4.1.2 | 9/17/19 4:56:30 PM by mtoudic |
|
| ITI40 | ITI40-029 | reviewed | Not testable |
7
|
3
| | The SAML assertion sent by the X-Service User may contain other statements. | 150 | Section 3.40.4.1.3 | 9/17/19 4:54:41 PM by mtoudic |
|
| ITI40 | ITI40-037 | reviewed | Testable |
0
|
3
| | The X-Service Provider shall place the PurposeOfUse value into the ATNA Audit Message associated with the transaction according to the ATNA Audit Message transaction ITI-20 (see ITI-TF-2a: 3.20.7.3). | 150 | Section 3.40.4.1.2.3.1 | 5/2/19 11:31:13 AM by NicolasBailliet |
|
| ITI40 | ITI40-038 | reviewed | Testable |
0
|
3
| | The X-Service Provider shall validate the X-User Assertion by processing the Web-Services Security header in accordance with the Web-Services Security Standard, and SAML 2.0 Standard processing rules | 150 | Section 3.40.4.1.3 | 5/2/19 11:31:13 AM by NicolasBailliet |
|
| ITI40 | ITI40-039 | reviewed | Testable |
0
|
3
| | If the validation of the X-User assertion performed by the X-Service Provider fails, the actor grouped with the X-Service Provider (ie the one performing the underlying web services transaction), shall return with an error code as described in WS-Security core specification Section 12 (Error Handling, using the SOAP Fault mechanism), | 150 | Section 3.40.4.1.3 | 5/2/19 11:31:13 AM by NicolasBailliet |
|
| ITI40 | ITI40-040 | reviewed | Testable |
0
|
3
| | If the validation of the X-User assertion performed by the X-Service Provider fails, the X-Service Provder shall send an ATNA Audit Message for Authentication Failure. | 150 | Section 3.40.4.1.3 | 5/2/19 11:31:13 AM by NicolasBailliet |
|
| ITI40 | ITI40-049 | reviewed | Testable |
19
|
3
| | When an ATNA Audit message needs to be generated and the user is authenticated by way of an X-User Assertion, the ATNA Audit message UserNameelement shall record the X-User Assertion using the following encoding: alias"<"user"@"issuer">" where:
• alias is the optional string within the SAML Assertion's Subject element SPProvidedID attribute
• user is the required content of the SAML Assertion's Subject element | 151 | Section 3.40.4.2 | 9/11/19 3:59:14 PM by r.hilary |
|
| ITI40 | ITI40-056 | reviewed | Not testable |
0
|
3
| | The SAML assertion sent by the X-Service User may contain an <AttributeStatement> element with a Subject ID attribute. | 148 | Section 3.40.4.1.2.2 | 9/17/19 4:53:29 PM by mtoudic |
|
| XUA | XUA-001 | reviewed | Testable |
26
|
2
| | XUA specifies that when a Cross-Enterprise User Assertion is needed, these Web-Services transactions (ie those based on ITI TF-2x: Appendix V) will additionally use the Web-Services Security header with a SAML 2.0 Token containing the identity Assertion. | 128 | Section 13.2 | 3/8/24 11:03:13 AM by vhofman |
|
| XUA | XUA-004 | reviewed | Testable |
26
|
2
| | X-Service User shall support [ITI-40] | 129 | Section 13.4-1 | 9/30/22 2:34:09 PM by vhofman |
|
| XUA | XUA-012 | reviewed | Testable |
22
|
2
| | The X-Service User shall protect the X-User Assertion. If the system supports ATNA, then TLS meets this requirement. If the system does not support ATNA, then it shall provide another mechanism to protect the X-User Assertion. | 131 | Section 13.6.1 | 9/11/19 3:59:36 PM by r.hilary |
|
| XUA | XUA-014 | reviewed | Testable |
20
|
2
| | The X-Service User shall represent the X-User Assertion in ATNA Audit Messages according the the encoding rules in ITI TF-2b: 3.40.4.2. | 131 | Section 13.6.1 | 9/11/19 3:59:39 PM by r.hilary |
|