Roles and Responsibilities for ADFS Relying Party Trust Request
The following table outlines the roles and responsibilities for an ADFS Relying Party Trust Request.
Roles and Responsibilities for ADFS Relying Party Trust Request |
|||||
| Key: X = Signifies who needs this key piece of information. <-> = Signifies who is responsible for providing this information. The underlined text and asterick * signifies whether this is a required piece of information. |
|||||
| # | Piece of Information | Requesting Party Application/ System Owner |
Responsibility | DOI/OCIO | Details |
| 1 | *Does the application support RP (Relying Party) user sign on? | X |
|
Can the end user go to the application directly first? | |
| 2 | Metadata | X |
|
X | Both parties should exchange metadata, if it exists. |
| 3 | *SAML 2.0 | X |
|
Requesting Parties Application must support SAML 2.0. | |
| 4 | *ADFS Login URL | X |
|
X | The Requesting Party must provide the ADFS login URL. |
| 5 | *RP (Relying Party) Identifier | X |
|
The Requesting Party must provide the RP identifier. | |
| 6 | *SAML 2.0 Request Signing Cert | X |
|
Requesting Party must provide a SAML 2.0 signing cert. | |
| 7 | Authentication Type |
X |
|
X | Needs to be discussed by both parties depending on the nature of the application. |
| 8 | *Authorization | X |
|
The application must provide the authorization. | |
| 9 | *Claims | X |
|
The Requesting Party must provide the claims and claim types that are required. | |
| 10 | *Token Encryption Cert | X |
|
The Requesting Party application owner must provide a token encryption certificate, if required. | |
| 11 | *Consumer Token End Point | X |
|
The Requesting Party application owner must provide which URL to post the token back to. | |
| 12 | *ADFS Identifier |
|
X | DOI/OCIO provides the federated partner with the ADFS identifier. | |
| 13 | *Token Signing Cert | X |
|
The DOI provides a secure signing certificate for each federated partner included in the metadata when taken back from the identity provider. | |
| 14 | *Secure Hash Algorithm (SHA256) |
X |
|
The Requesting Party must use Secure Hash Algorithm (SHA256). | |
| 15 | Relay State | X |
|
The Requesting Party must say if they need Relay State Support. | |
| 16 | *ADFS Logout URL | X |
|
The application needs to know how to properly log out. | |
| 17 | *Provide an SSP (System Security Plan) |
X |
|
Requesting Party should obtain this information from their Security team. | |
| 18 | *Provide a PIA (Privacy Impact Assessment) |
X |
|
Requesting Party should obtain this information from their Privacy team. | |
| 19 | *Provide an ATO (Authorization to Operate) | X |
|
Requesting Party should provide the ATO. | |
| 20 | *Complete required Security and Privacy documentation ADFS Risk Assessment Questionnaire. | X |
|
The requesting party is responsible for providing completing a Security ADFS Risk Assessment questionnaire that will be provided by the Identity Provider. | |
