Technical Implementation Specifications

The following article lists the technical features that are either supported or not supported by the iMIS SSO, with regard to the respective OpenID Connect and SAML protocol specifications and RFCs.

OpenID Connect

SSO Initiations

Supported:

  • RP-initiated Sign On

Not Supported:

  • IdP-initiated Sign On (Not defined by the OpenID Connect specification)

OAuth Flow Types

Supported:

  • Authorization Code
  • Authorization Code with PKCE extension
  • Implicit
  • ROPC / Password (Public and Confidential)

Not Supported:

  • Hybrid Flow
  • Client Credentials (SSO is only performed in a user context, not for accessing an API, so client credentials are not needed)
  • Device Code

Important!

Certain grant types, such as ROPC and Implicit, are less secure (by design). These modes can be considered "legacy". It is recommended that these modes not be enabled unless your connected apps / third parties specifically require them.

The upcoming OAuth 2.1 specification (currently in draft) removes ROPC and Implicit mode due to their weak security.

JWT Signing Algorithms

Supported:

  • HS512 (Private shared symmetric key)
  • RS256
  • RS512

Not Supported:

  • Elliptic Curve (ECDSA)
  • Probabilistic Signature Scheme (RSASSA-PSS)

Note: When HS512 is selected, the JWKS endpoint does not advertise the signing key, as the key is intended for use as a private shared key between the first and third parties. The JWKS endpoint returns an empty string (Base64: "AA") for the key value in this mode.

OpenID Connect Endpoints

Supported:

  • Discovery Endpoint (via well-known URL)
  • Authorization
  • Token Exchange
  • UserInfo
  • Token Introspection
  • Token Revocation
  • RP-initiated Logout (DRAFT status)

Not Supported:

  • Dynamic Registration
  • Front-channel Logout
  • Back-channel Logout

OAuth2 Scope Values

Supported:

  • openid
  • profile

Note: Due to the limited nature of the iMIS REST API, we are unable to support any iMIS API-related scopes. Our tokens are therefore used only to verify the identity of a user, not to let that user access protected resources via an API with their token.

Auth Methods

Supported:

  • Client Secret POST
  • Client Secret Basic

Subject Types

Supported:

  • Public

Response Mode

Supported:

  • Query

Not Supported:

  • Fragment
  • Form Post

Response Types

Supported:

  • Code (code)
  • Token (token)
  • ID Token (token id_token)

Note: Not all combinations are supported in all scenarios. For example, you cannot request a token / id_token unless the Implicit Flow setting is enabled.

SAML 2.0

Overall SAML Featureset / Protocols

Supported:

  • Authentication Request
  • Single Logout Protocol

Not Supported:

  • Assertion Query and Request Protocol
  • Artifact Resolution Protocol
  • Name Identifier Management Protocol
  • Name Identifier Mapping Protocol

SSO Initiation

Supported:

  • SP-initiated Login
  • IdP-initiated Login

Note:

IdP-initiated login presents a number of security challenges. It is supported by the iMIS SSO, but should only be used when SP-initiated login is not supported.

Additionally, there is currently no "landing page" feature in the Cloud Dashboard where users can browse for a list of applications they would like to sign into (much like an intranet site homepage). You will need to take your IdP-initiated sign-in link from the iMIS SSO admin console and place it somewhere on your own website.

Bindings

Supported:

  • HTTP POST
  • HTTP Redirect

Not Supported:

  • HTTP Artifact
  • SAML SOAP
  • PAOS / Reverse SOAP
  • SAML URI

NameID Formats

Supported:

  • Unspecified (iMIS username or iMIS ID) (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)
  • Email (Contact's primary e-mail address) (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
  • Persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
  • Transient (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)

Not Supported:

  • X.509 Subject Name
  • Windows Domain Qualified Name
  • Kerberos
  • Entity

Attribute Formats

Supported:

  • Basic
  • URI (If IQA column name is prefixed with urn:oid:)

Not Supported:

  • Unspecified

Condition Types

Supported:

  • Not Before
  • Not On Or After
  • Audience Restriction

Not Supported:

  • One Time Use
  • Proxy Restriction

Subject Confirmation Methods

Supported:

  • Bearer

Not Supported:

  • Holder-of-Key
  • Sender Vouches
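An added example (not iMIS code) of the checks a service provider should apply to an assertion's Conditions and bearer SubjectConfirmation once the signature has been verified: it evaluates the three supported condition types and fails the assertion on any other condition rather than ignoring it, as SAML requires for conditions the SP cannot evaluate. The assertion, audience and AssertionConsumerService URL are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed assertion (Issuer and Signature omitted); the audience and
# AssertionConsumerService URL are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="https://sp.example.invalid/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, audience, acs_url, skew=timedelta(seconds=60)):
    """Return the NameID once Conditions and bearer confirmation hold; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_saml_time(nb):
        raise ValueError("assertion not yet valid")
    if noa and now - skew >= parse_saml_time(noa):
        raise ValueError("assertion expired")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience mismatch")
    # Only AudienceRestriction is understood; OneTimeUse, ProxyRestriction or any other condition fails.
    for child in cond:
        if child.tag != f"{{{NS['saml']}}}AudienceRestriction":
            raise ValueError(f"unsupported condition {child.tag}")
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        raise ValueError("only bearer subject confirmation is accepted")
    data = sc.find("saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != acs_url:
        raise ValueError("bearer recipient mismatch")
    if data.get("NotOnOrAfter") and now - skew >= parse_saml_time(data.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    return root.find("saml:Subject/saml:NameID", NS).text
```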

AuthN Context Class Refs

Note: At this time, because users are required to input their iMIS passwords at some point during authentication, and HTTPS is enforced, the only AuthN context class ref supported is Password Protected Transport.

Important! Due to limitations with the iMIS REST API, we are unable to support iMIS installations where 2FA/MFA is enabled at this time.

Supported:

  • Password Protected Transport (urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)

Not Supported:

  • Authenticated Telephony
  • Internet Protocol
  • Internet Protocol Password
  • Kerberos
  • Mobile One Factor Contract
  • Mobile One Factor Unregistered
  • Mobile Two Factor Contract
  • Mobile Two Factor Unregistered
  • Nomad Telephony
  • Password
  • Personal Telephony
  • PGP
  • Previous Session
  • Secure Remote Password
  • Smartcard
  • Smartcard PKI
  • Software PKI
  • SPKI
  • Telephony
  • Time Sync Token
  • TLS Client
  • Unspecified
  • X.509
  • XML DSig