Anil John
Making Digital Services Secure and Trustworthy


Comparing BAE v2 SAML Profile(s) and OASIS XASP


Now that the FICAM Backend Attribute Exchange (BAE) v2 specifications have reached RC status and are available for public review, one of the questions that is sometimes asked is for a comparison between the BAE v2 SAML Profile(s) (Identifier and Protocol Profile and Metadata Profile), and the OASIS X.509 Attribute Sharing Profile (sometimes called XASP).

Comparison: BAE Profile of SAML 2 vs. OASIS XASP (Encrypted Mode)

Supported NameID Format(s)
  BAE Profile of SAML 2:
    urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    urn:idmanagement.gov:icam:bae:v2:SAML:2.0:nameid-format:fasc-n
    urn:idmanagement.gov:icam:bae:v2:SAML:2.0:nameid-format:uuid
    (Communities may define their own)
  OASIS XASP (Encrypted Mode):
    urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName

SSL/TLS
  BAE Profile of SAML 2:
    MUST - Over an SSL Channel
    MAY - Use SSL/TLS Client Authentication
  OASIS XASP (Encrypted Mode):
    MUST - Over an SSL Channel
    MAY - Use SSL/TLS Client Authentication

Digital Signature
  BAE Profile of SAML 2:
    MUST - samlp:AttributeQuery
    MUST - saml:Assertion
    MUST - soap:Body
  OASIS XASP (Encrypted Mode):
    MUST - samlp:AttributeQuery
    MUST - saml:Assertion
    MUST - samlp:Response

Encryption
  BAE Profile of SAML 2:
    MAY - saml:NameID [Per Metadata]
    MUST - saml:Assertion
  OASIS XASP (Encrypted Mode):
    MUST - saml:NameID
    MUST - saml:Assertion

EntityID, Issuer, Destination
  BAE Profile of SAML 2:
    MUST - Naming convention based on NIST SP 800-87 Agency Codes for PIV, AKI and Org Name for PIV-I, and community-defined for other credential types
  OASIS XASP (Encrypted Mode):
    ?

Metadata
  BAE Profile of SAML 2:
    MUST - Per Profile
  OASIS XASP (Encrypted Mode):
    MAY - ?

Trust Anchor CA
  BAE Profile of SAML 2:
    MUST - EGTS CA (for issuance of Signing and Encryption certificates in the FICAM environment). May use own CA within a community.
  OASIS XASP (Encrypted Mode):
    ?

There are some additional differences in the Attribute Exchange Design patterns that are supported by the two profiles (See Sections 3 & 4 of the BAE v2 Overview for more information).
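To make the request-side rows of the comparison concrete, here is an added example (my own illustration, not code from this post, from FICAM or from OASIS) that checks a SOAP-wrapped samlp:AttributeQuery against the signature, NameID-encryption and NameID-Format rules of each profile. It assumes each required signature is an enveloped ds:Signature child of the signed element (a simplification for soap:Body, which WS-Security normally signs from the SOAP header); the sample message, its Issuer and its FASC-N value are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Request-side rules lifted from the comparison table: elements that MUST carry a
# ds:Signature, whether the NameID MUST be encrypted, and the Format values a
# plaintext NameID may use.
PROFILES = {
    "BAE": {"must_sign": ["soap:Body", "samlp:AttributeQuery"], "encrypt_nameid": False,
            "formats": {"urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
                        "urn:idmanagement.gov:icam:bae:v2:SAML:2.0:nameid-format:fasc-n",
                        "urn:idmanagement.gov:icam:bae:v2:SAML:2.0:nameid-format:uuid"}},
    "XASP": {"must_sign": ["samlp:AttributeQuery"], "encrypt_nameid": True,
             "formats": {"urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"}},
}

def check_attribute_query(soap_xml, profile):
    """Return the list of profile violations in a SOAP-wrapped samlp:AttributeQuery.
    Only structure is checked; signature verification and EncryptedID decryption
    are left to the SAML stack."""
    rules, root, problems = PROFILES[profile], ET.fromstring(soap_xml), []
    for tag in rules["must_sign"]:
        elem = root.find(".//" + tag, NS)
        if elem is None:
            problems.append("missing " + tag)
        elif elem.find("ds:Signature", NS) is None:  # enveloped signature assumed
            problems.append(tag + " is not signed")
    subject = root.find(".//samlp:AttributeQuery/saml:Subject", NS)
    if subject is None:
        return problems + ["AttributeQuery has no saml:Subject"]
    name_id = subject.find("saml:NameID", NS)
    if rules["encrypt_nameid"] and subject.find("saml:EncryptedID", NS) is None:
        problems.append("saml:NameID must be sent as saml:EncryptedID")
    elif name_id is not None and name_id.get("Format") not in rules["formats"]:
        problems.append("unsupported NameID Format: %s" % name_id.get("Format"))
    return problems

# Constructed sample: a BAE-style query carrying a FASC-N NameID, with empty
# placeholder ds:Signature elements where the BAE profile requires them.
SAMPLE_QUERY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Body><ds:Signature/>
    <samlp:AttributeQuery ID="_q1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
      <saml:Issuer>urn:example:relying-party</saml:Issuer><ds:Signature/>
      <saml:Subject><saml:NameID Format="urn:idmanagement.gov:icam:bae:v2:SAML:2.0:nameid-format:fasc-n">7000123456</saml:NameID></saml:Subject>
    </samlp:AttributeQuery></soap:Body></soap:Envelope>"""
```

The same message passes the BAE rules but fails XASP, whose Encrypted Mode requires the NameID to arrive as saml:EncryptedID.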



This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
