SAML 2.0 supports both XML message signing and XML encryption. In addition, the HTTP traffic between the Service Provider (SP) and the Identity Provider (IdP) is protected in transit with TLS (v1.1 or higher). Transport security is a separate layer from message-level signing and encryption, so both are applied; note that TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so in practice TLS 1.2 or higher should be negotiated.
All ID.me SAML messages are digitally signed, including all requests, assertions and metadata, using an enveloped XML-DSig ds:Signature element (as in the example below). The SP must verify this signature against the IdP signing certificate obtained from ID.me metadata, not against whatever certificate happens to be carried in the message's own ds:KeyInfo. The XML signature is contained within the
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_67016ed111db-4bce-b065-45bcd564cd0e"
                Version="2.0"
                IssueInstant="2015-02-04T22:30:48Z"
                Destination="..."
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_6a12a9ef28696226601602f669545e7ebb1c80d19a">
  <saml:Issuer>api.id.me</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>...</ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>...</ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion ID="_d20913189703-4b8b-97f4-c96ef7b1dccd" Version="2.0" IssueInstant="2015-02-04T22:30:46Z">...</saml:Assertion>
</samlp:Response>
ID.me requires all SAML assertions to be encrypted, which keeps any confidential data in the response private independently of transport-layer TLS. ID.me supports AES-128, AES-192 and AES-256 as the data encryption algorithms; in the example below the assertion is encrypted with aes256-cbc, and the AES key is itself wrapped for the SP's encryption certificate with RSA-OAEP (rsa-oaep-mgf1p) inside an xenc:EncryptedKey. The SP should verify the signature on the outer samlp:Response before attempting decryption, and should not report decryption or padding failures back to the client, because CBC-mode XML Encryption is open to padding-oracle attacks when such errors are distinguishable. The encrypted assertion is contained within the
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_46965880a3f0-461b-bc99-5ba262e812b3"
                Version="2.0"
                IssueInstant="2015-02-04T22:46:25Z"
                Destination="..."
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_8bf72df7b4922883b1adad99926a0293c6e135b6da">
  <saml:Issuer>idp-staging.idmeinc.net</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="_43a44a93ad36-4616-b1e6-2a96d4f3134c"
                        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey Id="_78c2d92d0c46-4820-b8f0-52698580d7c9">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
          <xenc:CipherData>
            <xenc:CipherValue>...</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
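The two sections above describe what an SP should expect from an ID.me Response: a signature enveloping the Response itself, and an assertion that arrives encrypted with one of the listed AES algorithms under an RSA-OAEP-wrapped key. The following added example (written for this page, not ID.me's code or any SAML library's API) shows the pre-flight policy checks an SP can run on the raw Response with only the Python standard library before handing it to an XML-DSig/XML-Encryption library: binding to the outstanding AuthnRequest and the ACS URL, freshness of the Response-level IssueInstant (the assertion's own Conditions are still encrypted at this point), trusted Issuer, presence of a Response-level signature, Success status, exactly one EncryptedAssertion and no plaintext Assertion, and an allow-list for the data and key-transport algorithms. The namespace, algorithm and status URIs are the real ones; the sample Response, the ACS URL and the request ID are constructed for the example and the cipher text is a placeholder.

```python
"""Added example, not ID.me's code: structural/policy checks on a SAML Response
before cryptographic verification. No signature verification or decryption is
performed here; that step still needs an XML-DSig/XML-Enc library."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Data-encryption algorithms the page lists as supported (AES-128/192/256, CBC).
ALLOWED_DATA_ALGS = {"http://www.w3.org/2001/04/xmlenc#aes%d-cbc" % n for n in (128, 192, 256)}
# Key-transport algorithm used in the page's example.
ALLOWED_KEY_ALGS = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_instant(value):
    """Parse a UTC xs:dateTime ending in 'Z', tolerating fractional seconds."""
    value = re.sub(r"\.\d+Z$", "Z", value or "")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_encryption(enc_assertion):
    """Policy checks on one saml:EncryptedAssertion (algorithms and structure only)."""
    data = enc_assertion.find("xenc:EncryptedData", NS)
    if data is None:
        return ["EncryptedAssertion has no xenc:EncryptedData"]
    problems = []
    method = data.find("xenc:EncryptionMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ALLOWED_DATA_ALGS:
        problems.append("data encryption algorithm not allowed: %r" % alg)
    key_method = data.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    key_alg = key_method.get("Algorithm") if key_method is not None else None
    if key_alg not in ALLOWED_KEY_ALGS:
        problems.append("key transport algorithm not allowed: %r" % key_alg)
    cipher = data.find("xenc:CipherData/xenc:CipherValue", NS)
    if cipher is None or not (cipher.text or "").strip():
        problems.append("EncryptedData carries no CipherValue")
    return problems


def check_response(xml_text, expected_request_id, expected_destination,
                   trusted_issuers, now, max_skew=timedelta(minutes=5)):
    """Return the list of policy violations; an empty list means the Response may
    proceed to signature verification (with the IdP cert from metadata) and decryption."""
    root = ET.fromstring(xml_text)  # production code: use a hardened parser such as defusedxml
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    # Bind the Response to our own AuthnRequest and ACS endpoint (replay/relay protection).
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != expected_destination:
        problems.append("Destination is not our AssertionConsumerService URL")
    try:  # the assertion's Conditions are still encrypted, so check Response freshness here
        if abs(now - parse_instant(root.get("IssueInstant"))) > max_skew:
            problems.append("IssueInstant outside the allowed clock skew")
    except ValueError:
        problems.append("IssueInstant missing or malformed")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() not in trusted_issuers:
        problems.append("Issuer missing or not trusted")
    if root.find("ds:Signature", NS) is None:  # must be a direct child of the Response
        problems.append("Response is not signed")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.findall("saml:Assertion", NS):
        problems.append("plaintext saml:Assertion present; assertions must be encrypted")
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if len(encrypted) != 1:
        problems.append("expected exactly one saml:EncryptedAssertion, found %d" % len(encrypted))
    else:
        problems.extend(check_encryption(encrypted[0]))
    return problems


# Constructed sample modelled on the encrypted Response above; cipher text is a placeholder.
ACS_URL = "https://sp.example.test/saml/acs"          # assumed SP endpoint
REQUEST_ID = "_8bf72df7b4922883b1adad99926a0293c6e135b6da"
TRUSTED_ISSUERS = {"idp-staging.idmeinc.net"}
SAMPLE_NOW = datetime(2015, 2, 4, 22, 47, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_46965880a3f0-461b-bc99-5ba262e812b3"
    Version="2.0" IssueInstant="2015-02-04T22:46:25Z" Destination="%s" InResponseTo="%s">
  <saml:Issuer>idp-staging.idmeinc.net</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">placeholder</ds:Signature>
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>""" % (ACS_URL, REQUEST_ID, SUCCESS)

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, REQUEST_ID, ACS_URL, TRUSTED_ISSUERS, SAMPLE_NOW))
```

The function returns every violation rather than stopping at the first so that a rejected Response can be logged with the full reason list; the reasons should go to the SP's own logs, not back to the browser, for the padding-oracle reason given above. Passing `now` explicitly keeps the check testable against the 2015 timestamps used in the page's examples.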