IAM Authentication And Federation Service Integration Guide V2.6

NATIONAL INFORMATION CENTER

IAM Authentication and
Federation Service
Integration Guide
Version 2.6

Table of Contents
This document describes the IAM Authentication and Federation Service, along with the integration plan
and requirements.

IAM Authentication and Federation Service Integration Guide

1.  INTRODUCTION .............................................................................................................. 3
2.  AUTHENTICATION AND FEDERATION SERVICE ................................................................. 3
    2.1  IAM LOGIN SCENARIO ........................................................................................................... 5
    2.2  IAM LOGOUT SCENARIO ....................................................................................................... 15
    2.3  AUTHENTICATION PROTOCOL CONSIDERATION .......................................................................... 22
3.  INTEGRATION PLAN ...................................................................................................... 24
    3.1  REQUEST IAM SERVICES STEP ................................................................................................ 24
    3.2  APPROVALS & AGREEMENT STEP ............................................................................................ 27
    3.3  TECHNICAL INTEGRATION STEP ............................................................................................... 30
    3.4  PRODUCTION INTEGRATION FINALIZED ..................................................................................... 35
4.  IAM CONTACT INFORMATION ....................................................................................... 35

ANNEX A: SAMPLE AUTHENTICATION MESSAGES ................................................................. 36
ANNEX B: SAMPLE ENTITY DESCRIPTOR MESSAGE USED DURING IAM CONFIGURATION ...... 39
ANNEX C: FREQUENTLY ASKED QUESTIONS .......................................................................... 40
ANNEX D: NATIONALITY CODES ........................................................................................... 41
ANNEX E: SERVICE PROVIDER INTEGRATION THROUGH PARTNER GUIDELINES ..................... 49

List of Figures
Figure 1: Different Actor involved in IAM Authentication Service ............................................................... 4
Figure 2: IAM & SP communication. ............................................................................................................. 6
Figure 3: IAM / Service Provider Interactions from User Perspective (Example MoI Portal) ....................... 7
Figure 4: Login Scenario Sequence Diagram ................................................................................................. 8
Figure 5: Single Logout Options .................................................................................................................. 15
Figure 6: User Logout from Service Provider Using SAML2 ........................................................................ 16
Figure 7: User Logout from Service Provider Using Simplified Logout URI ................................................ 17
Figure 8: User Logout Initiated from IAM ................................................................................................... 19
Figure 9: High Level Interaction between SP & IAM - Delegation .............................................................. 23
Figure 10: IAM/SP Staging Integration........................................................................................................ 33
Figure 11: Sample Authentication Request ................................................................................................ 36
Figure 12: Sample Authentication Response .............................................................................................. 37


1. Introduction
Service providers are launching their services online, and manual paper-based transactions are being replaced
by digital services. This approach is more economical and more flexible for end-users. However, these benefits
come with the difficulty of managing and authenticating users online. User registration and validation is a long
and tedious phase that consumes money and effort.

IAM comes into the picture to take away the burden of managing the digital identity of citizens and residents.
It is the Saudi National Identity Provider, with a solid way of identifying people online through a unique digital
identity. IAM can give electronic service providers assurance about the identity of the individual seeking to
obtain their services.

This document governs the process of integrating and using IAM services; it is divided into two parts:
 • A description of the IAM Authentication and Federation Service.
 • A description of the integration process at the business and technical level.

2. Authentication and Federation Service
The authentication and federation service authenticates end-users online at the request of service providers.
It does not deal with authorization: deciding what an authenticated user may access remains the service
provider's responsibility. The three actors involved in this service are illustrated in the diagram below:


[Figure 1 (diagram) with three actors, Citizen/Residents, Service Provider and IAM Service, and the flow
(1) Request Protected Resource, (2) Delegate Login, (3) Identification, Authentication & Validation,
(4) Respond with User Attributes, (5) Access Resource]

Figure 1: Different Actors involved in the IAM Authentication Service

The communication between IAM and the Service Provider is not back-to-back and needs no extra
infrastructure. "Delegate Login/Logout" is just a simple representation of the indirect communication between
IAM and the SP; in practice the two entities exchange their data through the user's browser.

This service provides the following functionality:

 • User Login:
   o Default Service Provider Authentication Sequence or Explicit Authentication Sequence
   o Force Authentication: re-authenticate the user even if he was authenticated before.
   o Authentication Methods:
     - Username/Password Authentication
     - Mobile Authentication
     - Fingerprint Authentication
     - Email Authentication
     - IDCard Validation
     - IDCard PIN Authentication
     - Any combination of the above Authentication Methods
 • User Federation:
   o Log in once to IAM, access all Service Providers
   o Step-Up Authentication
 • User Logout:
   o Single Logout (SLO): the user logs out from one service provider, and IAM takes care of dispatching
     the logout request to all the other service providers in the session
 • Manage Multiple Service Provider Resources:
   o Different Authentication Policy per resource
   o Force Authentication
   o Step-Up Authentication (authentication upgrade)

2.1 IAM Login Scenario
In this scenario, the user is authenticated with his credentials preconfigured in IAM (such as IDCard and
PIN). The user authentication policy is defined as part of the integration process.
The user has two options to log in:
 • Direct Login: through the Service Provider's own login process.
 • IAM Login: the user is authenticated by IAM and redirected back to the Service Provider.
There is no direct communication between the IAM Service servers and the Service Provider servers, as
depicted below:


[Figure 2 (diagram): the Service Provider Data Center and the IAM Service Data Center, connected only through
the user's browser over the Internet]

Figure 2: IAM & SP communication.

The communication between the IAM Service and the Service Provider is performed through the browser using
standard redirects. No direct server-to-server communication is required. This makes the solution much easier
and more practical, since there is no impact on the infrastructure on either side (no leased lines, firewall rule
changes, etc.). The consequence for the integrator is that every message crosses the user's browser and must
therefore be signed and validated on receipt, as described in section 2.3.

2.1.1 User-Centric View after Integration

Based on the scenarios described earlier, the illustration below shows the final view the user will see (the MoI
Portal is used for the sake of clarity).


[Figure 3 (screenshots): (1) the user clicks the "Login" link at the top of the SP and two options are displayed;
(2) the user chooses to log in with IAM; (3) the user is authenticated and redirected to the MoI Portal
("Welcome"); (4) the user clicks the "IAM SSO" link to go to the list of SPs; (5) the user clicks another
service provider ...]

Figure 3: IAM / Service Provider Interactions from User Perspective (Example MoI Portal)

As part of the user experience, the language of the pages must be consistent: if the portal is displayed in
English, the IAM Service login screen must also be in English. This point is detailed further in the following
section (Integration Plan and Requirements).


The user can navigate between the service providers by clicking the "IAM SSO" link, which redirects to the
"IAM Service Providers List".

2.1.2 Technical Interaction Description

The following diagram depicts the interaction between a Service Provider, the IAM system and the user; these
are the technical details of the user-centric interaction illustrated above. The sequence diagram illustrates
the IAM authentication model:

[Figure 4 (sequence diagram) between the Service Provider, the user's browser and the IAM System:
1- User attempts to access a Service Provider resource; 2- Checking local session; 3- Requesting
Authentication (SAML); 4- Validate Request & Checking IAM session; 5- End-to-End Authentication;
6- Build AuthResponse; 7- Post the SAML Response to the Service Provider through the Browser; 8- Validate
AuthResponse & Extract User Info; 9- Presenting the resource to the user]

Figure 4: Login Scenario Sequence Diagram

The diagram is described below:
1. The user attempts to access a resource (on the main portal) on the service provider.
2. The service provider checks whether the user is authenticated and possesses a valid local session:
   a. If the session exists and is valid, the service provider checks whether the user is authorized to access
      the resource.
   b. If the session does not exist, the user is not authenticated. If the service provider keeps its own
      login as an option for the user, it first displays a login page with two options (direct login to the
      service provider and delegated login through IAM); once the user selects the IAM login option, the
      flow continues with the next step.
3. The service provider builds a new authentication request, signs it, and forwards it to IAM by redirecting
   the user's browser to the IAM system (HTTP redirection).
4. The IAM system checks whether a global session (IAM session) exists:
   a. If the session exists, go to step 6.
   b. If the session does not exist, go to the next step.
5. The IAM system performs end-to-end authentication of the user (the authentication handshake can go
   through many steps depending on the authentication method in place). Once authenticated, a new IAM
   AuthSession is created for the user.
6. The IAM system builds a signed SAML authentication response containing the user information.
7. The IAM system posts the response to the service provider through the browser.
8. The service provider validates the authentication response and extracts all user attributes.
   a. It is important to store the signed SAML2 response coming from IAM in log files or a database, and it
      is recommended to log the SAML2 request as well. These records carry personal data and the evidence
      of who authenticated when, so they must be protected like any other sensitive audit log.
   b. The service provider must automatically check that the user has an account in its repository; if not,
      it has to treat this as an auto-provisioning request and register the user on the fly.
9. The service provider serves the user and displays the requested resource.

User Validation
Implicitly, the service validates the user against these controls:
1. Person Deceased: checks whether the person is already dead, in which case somebody else is trying to
   use his card.
2. Person Suspended: the person is suspended.
3. Person Nationality Suspended (residents only): the nationality of the user is blacklisted.
4. Person Iqama Expired (residents only): the Iqama has expired.
5. Person Final Exit (residents only): the resident's Iqama has been terminated.


Specific validation requirements are subject to discussion and agreement. IAM can adapt to the service
provider's needs, whether fewer or more validations are required.

2.1.3 Federated Identity

Federated Identity (sometimes referred to as NameID, NameIdentifier or Account Linking) creates a persistent
association between the IAM account and the service provider account. IAM is meant to be used on a national
scale, and thus the National ID (Iqama ID for residents) is the federated ID.
In some cases, the returned NameID is a random value intended to be used with another NIC service that is
integrated with IAM over a back-to-back channel. The NameID is then a temporary token for that operation;
how the token is validated is described in the document for that service/operation.

2.1.4 Authentication Request Details

The authentication request of the Service Provider contains the following main attributes:
a. Identity of the requester (Service Provider Entity ID)
b. Validation data such as digital signature and timestamp
c. Required authentication: explicit or implicit, force authentication.

The SAML2 authentication request sent from the service provider to IAM should be similar to:



[Sample AuthnRequest XML; only two values survived extraction: the Issuer "nicsp" and the
AuthnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]

The important information that composes an authentication request, which the service provider should be
aware of, is:

 • Destination: a URI reference indicating the IAM address to which this request is sent. The default value
   is https://www.iam.gov.sa/samlsso
 • ProtocolBinding: a URI reference identifying the SAML protocol binding IAM must use when returning the
   SAML Response message (HTTP-POST, see section 2.1.5).
 • Issuer: the service provider name (entity ID) issuing the authentication request.
 • NameIDPolicy: IAM uses the National ID as the persistent identifier of the user.
 • AuthnContextClassRef: a URI reference identifying the requested authentication context class, using the
   following mapping:

   Authentication Method (AuthnContextClassRef)   URI
   Unspecified                                    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
                                                  (use the pre-configured authentication scheme)
   Username/Password                              urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                                  or urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   Username/Password with One Time Password       urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
   IDCard                                         urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
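The request described in this section, as an added example that is not code from the guide: a Python script (standard library only) that builds the AuthnRequest with the attributes listed above and encodes it for the HTTP-Redirect binding used in step 3 of the login scenario. The SP entity ID "nicsp" is taken from the guide's sample; the Assertion Consumer Service URL and the RelayState are assumed values, and the signature over the redirect query is left to a caller-supplied RSA signer because the standard library has none.

```python
"""SP-side construction of the SAML 2.0 AuthnRequest of section 2.1.4, and its
encoding for the HTTP-Redirect binding.  Added example, not code from the guide.
Assumed values: the SP entity ID "nicsp" (the Issuer shown in the guide's sample)
and the Assertion Consumer Service URL https://sp.example.gov.sa/saml/acs."""
import base64
import datetime
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IAM_SSO = "https://www.iam.gov.sa/samlsso"          # Destination, as given in the guide
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Section 2.1.4 mapping from requested authentication method to AuthnContextClassRef.
AUTHN_CONTEXT = {
    "unspecified": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
    "password": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "password_otp": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "idcard": "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}


def build_authn_request(issuer, acs_url, method="unspecified", force_authn=False,
                        issue_instant=None):
    """Return (request_id, xml_bytes).  The SP must keep request_id until the
    Response arrives, to check its InResponseTo (request-response matching)."""
    request_id = "_" + secrets.token_hex(16)
    instant = issue_instant or datetime.datetime.now(datetime.timezone.utc)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    attrs = {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IAM_SSO,
        "ProtocolBinding": POST_BINDING,          # IAM must POST the Response back
        "AssertionConsumerServiceURL": acs_url,
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"              # re-authenticate despite an IAM session
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": PERSISTENT, "AllowCreate": "true"})
    ctx = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = AUTHN_CONTEXT[method]
    return request_id, ET.tostring(req, encoding="utf-8")


def redirect_binding_query(xml_bytes, relay_state=None, sign=None,
                           sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):
    """Encode per the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode.
    `sign` is a callable bytes -> bytes applied to the exact octets the binding
    signs (SAMLRequest=...&RelayState=...&SigAlg=...).  In production it is
    RSA-SHA256 with the key whose certificate the IAM team issued; it is a hook
    here because the standard library has no RSA signer."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sign is not None:
        params.append(("SigAlg", sig_alg))
        to_sign = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
        params.append(("Signature",
                       base64.b64encode(sign(to_sign.encode("ascii"))).decode("ascii")))
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def decode_redirect_request(query):
    """What the receiver does: URL-decode, base64-decode, inflate, parse."""
    token = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(token), -15))


if __name__ == "__main__":
    rid, xml_bytes = build_authn_request("nicsp", "https://sp.example.gov.sa/saml/acs",
                                         method="idcard", force_authn=True)
    print(IAM_SSO + "?" + redirect_binding_query(xml_bytes, relay_state="/secure/home"))
```

The octets that are signed are exactly the query string that is transmitted, in the order SAMLRequest, RelayState, SigAlg; URL-encoding twice or re-ordering the parameters is a common cause of signature failures at the receiving side.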


2.1.5 Authentication Response Details

The authentication response of IAM carries the following main elements:
1. IAM Identity: identity of the IAM Authentication Service (Issuer).
2. Message Validity: validation data such as digital signature, timestamp, and single use.
3. User Identity: the user attributes listed in the table below:

 #  Attribute Name           Type               Description / Claim URI
 1  nationalId               String             The user identifier, represented by the National ID (Resident ID
                                                for residents). SAML2 NameID or http://iam.gov.sa/claims/userid
 2  lang                     Enum (AR/EN)       Preferred language of the user, for language consistency.
                                                http://iam.gov.sa/claims/lang
 3  arabicName               String             Arabic Full Name. http://iam.gov.sa/claims/arabicName
 4  englishName              String             English Full Name. http://iam.gov.sa/claims/englishName
 5  dobHijri                 Date               Date of Birth (Hijri). Example: 1487/06/12
                                                http://iam.gov.sa/claims/dobHijri
 6  dob                      Date               Date of Birth (Gregorian). Example: Tue Feb 30 03:00:00 AST 1987
                                                http://iam.gov.sa/claims/dob
 7  arabicNationality        String             Arabic Nationality. http://iam.gov.sa/claims/arabicNationality
 8  nationality              String             English Nationality. http://iam.gov.sa/claims/nationality
 9  nationalityCode          String             Nationality code; the list of codes is in Annex D.
                                                http://iam.gov.sa/claims/nationalityCode
10  gender                   Enum               Male/Female. http://iam.gov.sa/claims/gender
11  arabicFirstName          String             Arabic First Name. http://iam.gov.sa/claims/arabicFirstName
12  englishFirstName         String             English First Name. http://iam.gov.sa/claims/englishFirstName
13  arabicFamilyName         String             Arabic Family Name. http://iam.gov.sa/claims/arabicFamilyName
14  englishFamilyName        String             English Family Name. http://iam.gov.sa/claims/englishFamilyName
15  arabicFatherName         String             Arabic Father Name. http://iam.gov.sa/claims/arabicFatherName
16  englishFatherName        String             English Father Name. http://iam.gov.sa/claims/englishFatherName
17  arabicGrandFatherName    String             Arabic Grandfather Name. http://iam.gov.sa/claims/arabicGrandFatherName
18  englishGrandFatherName   String             English Grandfather Name. http://iam.gov.sa/claims/englishGrandFatherName
19  assuranceLevel           String (Optional)  Level of Assurance according to the authentication sequence and
                                                the status of the user registration.
                                                http://iam.gov.sa/claims/assuranceLevel
20  cardIssueDateGregorian   Date               Saudi Identity Card or Iqama issue date (Gregorian).
                                                Example: Tue Jan 20 03:00:00 AST 2015
                                                http://iam.gov.sa/claims/cardIssueDateGregorian
21  cardIssueDateHijri       Date               Saudi Identity Card or Iqama issue date (Hijri). Example: 1436/09/29
                                                http://iam.gov.sa/claims/cardIssueDateHijri
22  IssueLocationAr          String             Card issue location (Arabic). Example: الرياض
                                                http://iam.gov.sa/claims/issueLocationAr
23  IssueLocationEn          String             Card issue location (English). Example: Riyadh
                                                http://iam.gov.sa/claims/IssueLocationEn
24  iqamaExpirationDateH     Date               Iqama expiration date (Hijri). Example: 1436/09/29
                                                http://iam.gov.sa/claims/iqamaExpirationDateH
25  iqamaExpirationDateG     Date               Iqama expiration date (Gregorian). Example: 2017/09/29
                                                http://iam.gov.sa/claims/iqamaExpirationDateH (as printed in the
                                                guide; it duplicates the Hijri claim URI, so confirm the Gregorian
                                                claim URI with the IAM team during integration)

Note that the Service can provide extra user attributes on request by the Service Provider team, compliant
with the NIC privacy policy. The user's credentials are never sent to the Service Provider, directly or
indirectly (through a proxy, for instance); this includes the username, password, PIN, fingerprints, iris ... etc.

The Service Provider (SP) must handle the authentication response messages from IAM using the HTTP-POST
binding. The message returned by IAM will look like:



[Sample SAML Response XML; the values that survived extraction, in document order, are
https://www.iam.gov.sa/samlsso (twice), 1155512312, and the AuthnContextClassRef
urn:oasis:names:tc:SAML:2.0:ac:classes:Password]






The service provider verifies the response based on the following:

 • Destination: a URI reference indicating the SP address (Assertion Consumer Service URL) to which this
   response has been sent; it must equal the SP's own endpoint.
 • Issuer: the identity provider name issuing the authentication response; it must be IAM's entity ID.
 • StatusCode: specifies whether the authentication succeeded or failed.
 • Subject: specifies the user authenticated in IAM.
 • AuthnContextClassRef: a URI reference identifying the authentication context class that describes how
   the user was actually authenticated, using the preceding mapping; the SP should check that it satisfies
   the method it requested.
 • IssueInstant & Conditions (NotBefore and NotOnOrAfter): the response must be processed within its
   validity window.
 • Digital Signature: XML Signature of the response using the IAM certificate.
 • InResponseTo and SessionIndex: InResponseTo must match the ID of the authentication request the SP sent
   (request-response matching, section 2.3); SessionIndex identifies the IAM session and must be stored for
   Single Logout (section 2.2).

In addition, the service provider extracts the user's attributes included in the authentication response
message (saml:AttributeStatement element). No extra messages are exchanged for attribute release; the service
provider does not explicitly ask for attributes during the login process.

2.2 IAM Logout Scenario
In this scenario, the user has been authenticated to a first service provider and has been federated into one
or more other service providers upon the user's access requests.
The user can log out in two ways:
 • By clicking logout on the service provider page.
 • By clicking logout on IAM directly.

[Figure 5 (diagram), two panels: "Single Logout Triggered From the Service Provider" (the user clicks Logout at
Service Provider 1, which notifies the IAM Authentication Service, which in turn logs the user out of Service
Provider 2) and "Single Logout Triggered From the IAM Authentication Service" (the user clicks Logout at IAM,
which logs the user out of Service Provider 1 and Service Provider 2)]

Figure 5: Single Logout Options


The requests and responses are very similar to those of the login scenario. In addition, IAM has implemented
an easier way to handle the logout using direct URLs.

2.2.1 Technical Interaction Description

The logout process can be initiated from the service provider in two ways:
 • User Logout from Service Provider Using SAML2
 • User Logout from Service Provider Using Simplified Logout URI
A third flow, logout initiated from IAM itself, is described after these two.

Following is a detailed description of each form of logout:
User Logout from Service Provider Using SAML2
The following is the process flow of logout from the service provider based on the SAML 2 standard:

Figure 6: User Logout from Service Provider Using SAML2

1. The user chooses to log out from the service provider.
2. The Service Provider generates a digitally signed SAML2 Logout Request and redirects the browser to the
   IAM logout URL "https://www.iam.gov.sa/samlsso".
3. IAM validates the SAML Logout Request, then determines, from the current user session, all the service
   providers the user has logged on to.
4. IAM terminates its authentication session.
5. IAM builds a digitally signed SAML Logout Response message.
6. IAM sends the signed response back to the browser along with the list of service providers that are part
   of the logout operation.
7. The browser does the following:
   7.1 First, it sends a logout request to each listed SP with the request parameter 'slo=false'; each of
       these SPs terminates its own logon session for the current end user.
   7.2 Then, it forwards the Logout Response to the initiating SP.
8. The initiating SP validates the IAM SAML2 Logout Response and terminates its local session.
9. The initiating SP redirects the user to the public page.

User Logout from Service Provider Using Simplified Logout URI

The following is the process flow of logout from the service provider using a simple logout link:

Figure 7: User Logout from Service Provider Using Simplified Logout URI

1. The user clicks the logout link on the service provider.
2. The Service Provider logs the user out locally by killing its session, then redirects the user to the IAM
   logout URL, e.g. "https://www.iam.gov.sa/samlsso?slo=true".
3. IAM validates the current authentication session, then determines, from the current user session, all the
   service providers the user has logged on to.
4. IAM terminates its authentication session.
5. IAM sends the response back to the browser along with the list of Service Providers that are part of the
   logout operation.
6. The browser does the following:
   6.1 It sends a logout request to each listed service provider with the request parameter 'slo=false';
       each of these service providers terminates its logon session for the current end user.
   6.2 Then, it forwards the response to the initiating Service Provider.
7. The initiating Service Provider terminates its local session.
8. The initiating Service Provider redirects the user to the public page.
Note that, unlike the SAML2 flow, this flow carries no signed message for the SP to validate: the SP's own
session is already terminated in step 2, and the 'slo=false' request must be safe to receive at any time.

User Logout Initiated from IAM

The following is the process flow of logout from IAM (IdP-initiated logout):

Figure 8: User Logout Initiated from IAM

1. The user clicks the logout link on IAM.
2. IAM validates the current authentication session, then determines, from the current user session, all the
   service providers the user has logged on to.
3. IAM terminates its authentication session.
4. IAM sends the response back to the browser along with the list of Service Providers that are part of the
   logout operation.
5. The browser sends a logout request to each listed service provider with the request parameter 'slo=false';
   each of these service providers terminates its logon session for the current end user.
6. Once the user is logged out from all the service providers, the user is taken to the IAM home page.

2.2.2 Logout Request/Response Details

- Direct Logout
  o INPUT: the URL is https://www.iam.gov.sa/samlsso?slo=true
  o OUTPUT: the URL issued to the SP is https://serviceprovider.com.sa/logout?slo=false

- SAML2 Logout Request
  o INPUT
    The logout request sent from the service provider to IAM should be similar to:

    [Sample LogoutRequest XML; the values that survived extraction, in document order, are
    https://www.serviceprovider.com.sa/secure/Login, 1132077577 and
    s255bf14slkdfj324sg9087dfgd309458xlkdgjd03487]

    The important information that composes a logout request, which the service provider should be
    aware of, is:
     • Destination: a URI reference indicating the IAM address to which this request is sent. The
       default value is "https://www.iam.gov.sa/samlsso"
     • Issuer: the service provider name issuing the logout request.
     • NameID: IAM uses the National ID as the persistent identifier of the user.
     • SessionIndex: the session identifier that was sent with the authentication response when SLO is
       enabled for the service provider.

  o OUTPUT
    The Service Provider (SP) must handle the logout response messages from IAM using the HTTP-POST
    binding. The message returned by IAM will look like:



    [Sample signed LogoutResponse XML; the values that survived extraction are https://www.iam.gov.sa/samlsso
    and fragments of the XML Signature: DigestValue qsBu2J6Jx6bPB/DeJCj6Z3V0siY=, SignatureValue
    eJGYy5pz70hlPaMKka7fKMMh+h36hI+qthKkUsYy777B67Hv/dhAr4hXIrYjQ= and a truncated X509Certificate
    MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQY / Dc/E/Wq8uHSCo=]









The service provider verifies the response based on the following:

 • Destination: a URI reference indicating the SP address to which this response has been sent.
 • Issuer: the identity provider name issuing the logout response.
 • StatusCode: specifies whether the logout succeeded or failed.
 • IssueInstant: the timestamp of the response.
 • Digital Signature: XML Signature of the response using the IAM certificate.
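The two SP-initiated flows of section 2.2.1 and the 'slo=false' notification, as an added example that is not code from the guide: the SP side in Python (standard library only), with a session store that keeps the NameID and SessionIndex from the validated login response, a LogoutRequest builder with the elements listed above, and a model of the SP's /logout endpoint that tells the user's own click apart from IAM's fan-out notification. The SP entity ID "nicsp" is taken from the guide's sample; the redirect query is left unsigned here and must be signed in production, as section 2.3 requires.

```python
"""SP-side single logout for section 2.2: building the SAML2 LogoutRequest from the
NameID and SessionIndex saved at login, and handling the two inbound logout paths
at the SP's /logout endpoint (the user's own click, and the 'slo=false'
notification IAM f
ans out through the browser).  Added example, not code from
the guide.  Assumed: SP entity ID "nicsp"; the redirect query is left unsigned
here and must be signed in production, as section 2.3 requires."""
import base64
import datetime
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IAM_SSO = "https://www.iam.gov.sa/samlsso"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class SessionStore:
    """Local sessions keyed by the SP's own cookie value.  At login the SP saves
    the NameID and SessionIndex from the validated IAM response so that a later
    LogoutRequest can name exactly that IAM session (section 2.2.2)."""

    def __init__(self):
        self._sessions = {}

    def create(self, nameid, session_index):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"nameid": nameid, "session_index": session_index}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def terminate(self, sid):
        return self._sessions.pop(sid, None) is not None

    def __len__(self):
        return len(self._sessions)


def build_logout_request(issuer, nameid, session_index, issue_instant=None):
    """LogoutRequest with Destination, Issuer, persistent NameID and SessionIndex."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    instant = issue_instant or datetime.datetime.now(datetime.timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": instant.strftime("%Y-%m-%dT%H:%M:%SZ"), "Destination": IAM_SSO})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": PERSISTENT}).text = nameid
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="utf-8")


def redirect_url(xml_bytes):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (signature omitted)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    token = base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")
    return IAM_SSO + "?" + urllib.parse.urlencode({"SAMLRequest": token},
                                                   quote_via=urllib.parse.quote)


def handle_logout(store, cookie_sid, query, *, issuer, use_saml):
    """Model of the SP's /logout endpoint; returns (http_status, redirect_location).
    'slo=false' is the notification IAM fans out to every SP in the IAM session:
    kill only the local session and do not redirect back to IAM (that would loop).
    Any other request is the user's own logout click."""
    session = store.get(cookie_sid)
    store.terminate(cookie_sid)                     # local logout happens on every path
    if urllib.parse.parse_qs(query).get("slo") == ["false"]:
        return 200, None
    if use_saml and session is not None:            # SAML2 SLO: LogoutRequest to IAM
        xml_bytes = build_logout_request(issuer, session["nameid"], session["session_index"])
        return 302, redirect_url(xml_bytes)
    return 302, IAM_SSO + "?slo=true"               # simplified logout URI of section 2.2.2


def demo():
    """User-initiated SAML2 logout, then an IAM-initiated 'slo=false' notification."""
    store = SessionStore()
    sid = store.create("1155512312", "_s1")         # values taken from the validated Response
    status, location = handle_logout(store, sid, "", issuer="nicsp", use_saml=True)
    token = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)["SAMLRequest"][0]
    logout_request = ET.fromstring(zlib.decompress(base64.b64decode(token), -15))
    sid2 = store.create("1155512312", "_s1")
    notified = handle_logout(store, sid2, "slo=false", issuer="nicsp", use_saml=True)
    return status, logout_request, notified, len(store)
```

The 'slo=false' request arrives as a cross-site GET from the browser, so the SP's session cookie must accompany it for the local logout to happen: a cookie marked SameSite=Strict (and, if IAM issues the request from a frame or image rather than a navigation, SameSite=Lax) would silently defeat the fan-out. The handler also never redirects in that case, which is what keeps the SP and IAM from bouncing the browser back and forth.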

2.3 Authentication Protocol Consideration
For reasons of security and interoperability, the "SAML 2.0 Web Browser SSO Deployment Profile" is the only
protocol to be used.

The messages exchanged must be signed (encryption is optional). Any unsigned request/response must be
rejected, by IAM and by the Service Provider alike. IAM also requires that the service provider uses HTTPS,
and will only send authentication responses to HTTPS-enabled endpoints. The certificate used by the service
provider for signing the authentication requests is issued by the IAM team during the integration.

IAM signs the SAML responses or assertions. The service provider must check the signature of incoming
authentication responses to ensure they were sent by IAM, and must validate the message as a whole:
Response Signature Valid, Response Issuer Valid, Response Timeframe Valid, Single Use of Response, and
Request-Response IDs Matching. These checks are normally handled by the built-in SAML Service Provider
platform; the integrator should confirm that the platform is configured to trust only the IAM signing
certificate and to reject unsigned messages, since the browser-mediated exchange gives the SP no other
assurance of a message's origin. The diagram below illustrates the messages (along with signing/validation)
between the service providers and the IAM Authentication Service.


[Figure 9 (diagram) between the Service Provider and the IAM AuthService: (1) Auth Request, signed by the SP;
(2) Validate Signature (trust INFRA CA); (3) Auth Response, signed by the IAM Service; (4) Validate Response
(trust INFRA CA)]

Figure 9: High Level Interaction between SP & IAM - Delegation
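The checklist of this section (Response Signature Valid, Response Issuer Valid, Response Timeframe Valid, Single Use of Response, Request-Response IDs Matching) and the verification list of section 2.1.5, as an added example that is not code from the guide: a Python validator for the HTTP-POST Response, run over a constructed sample message. The ACS URL, the request and assertion IDs, the instants and the claim values are assumed; the XML-Signature check is a caller-supplied function, because it has to come from an XML-DSig library (for instance xmlsec) configured with the IAM certificate, and the stand-in used in demo() accepts everything only so that the other checks can be exercised.

```python
"""SP-side validation of the IAM SAML 2.0 Response, covering the checklist of
sections 2.1.5 and 2.3: Destination, Issuer, StatusCode, InResponseTo, validity
window, single use, and extraction of NameID, SessionIndex and the claims.
Added example, not code from the guide.  XML-Signature verification is delegated
to a caller-supplied function (use an XML-DSig library such as xmlsec pinned to
the IAM certificate).  The ACS URL and all IDs, instants and claim values are assumed."""
import datetime
import xml.etree.ElementTree as ET   # prefer defusedxml.ElementTree in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IAM_ISSUER = "https://www.iam.gov.sa/samlsso"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    pass


def _instant(value):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.datetime.strptime(value, fmt).replace(tzinfo=datetime.timezone.utc)


def validate_response(xml_bytes, *, acs_url, outstanding_request_ids, seen_assertion_ids,
                      verify_signature, now=None, skew=datetime.timedelta(minutes=2)):
    """Return nameid, session_index, authn_context and attributes, or raise.
    outstanding_request_ids: IDs of AuthnRequests this SP sent and has not consumed.
    seen_assertion_ids: replay cache, kept at least until NotOnOrAfter has passed."""
    if not verify_signature(xml_bytes):                # first: reject anything not from IAM
        raise SamlValidationError("signature invalid")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != acs_url:
        raise SamlValidationError("wrong message type or Destination")
    if root.findtext(f"{{{SAML}}}Issuer") != IAM_ISSUER:
        raise SamlValidationError("unexpected Issuer")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("authentication failed at IAM")
    if root.get("InResponseTo") not in outstanding_request_ids:
        raise SamlValidationError("InResponseTo matches no outstanding request")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1 or assertions[0].findtext(f"{{{SAML}}}Issuer") != IAM_ISSUER:
        raise SamlValidationError("expected exactly one Assertion issued by IAM")
    a = assertions[0]
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or now + skew < _instant(cond.get("NotBefore")):
        raise SamlValidationError("assertion missing Conditions or not yet valid")
    if now - skew >= _instant(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    if a.get("ID") in seen_assertion_ids:
        raise SamlValidationError("replayed assertion")
    authn = a.find(f"{{{SAML}}}AuthnStatement")
    if authn is None:
        raise SamlValidationError("missing AuthnStatement")
    # Everything checked: only now consume the request ID and record the assertion ID.
    outstanding_request_ids.discard(root.get("InResponseTo"))
    seen_assertion_ids.add(a.get("ID"))
    attributes = {attr.get("Name"): attr.findtext(f"{{{SAML}}}AttributeValue")
                  for attr in a.iterfind(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute")}
    return {"nameid": a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
            "session_index": authn.get("SessionIndex"),
            "authn_context": authn.findtext(f".//{{{SAML}}}AuthnContextClassRef"),
            "attributes": attributes}


# Constructed sample (not a real IAM message): IDs, instants and claims are made up;
# the NameID value and claim URIs follow the guide's attribute table.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="_req1"
 IssueInstant="2024-05-01T10:00:00Z" Destination="https://sp.example.gov.sa/saml/acs">
 <saml:Issuer>https://www.iam.gov.sa/samlsso</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://www.iam.gov.sa/samlsso</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">1155512312</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z" SessionIndex="_s1"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://iam.gov.sa/claims/userid"><saml:AttributeValue>1155512312</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://iam.gov.sa/claims/lang"><saml:AttributeValue>EN</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def demo():
    """First delivery accepted; the same assertion a second time is rejected as a
    replay; a delivery after NotOnOrAfter (plus skew) is rejected as expired."""
    acs, seen = "https://sp.example.gov.sa/saml/acs", set()
    t0 = datetime.datetime(2024, 5, 1, 10, 1, tzinfo=datetime.timezone.utc)
    accept_all = lambda _xml: True                  # stand-in for XML-DSig verification ONLY
    ok = validate_response(SAMPLE_RESPONSE, acs_url=acs, outstanding_request_ids={"_req1"},
                           seen_assertion_ids=seen, verify_signature=accept_all, now=t0)
    outcomes = {}
    for label, now, cache in (("replay", t0, seen),
                              ("expired", t0 + datetime.timedelta(minutes=9), set())):
        try:
            validate_response(SAMPLE_RESPONSE, acs_url=acs, outstanding_request_ids={"_req1"},
                              seen_assertion_ids=cache, verify_signature=accept_all, now=now)
            outcomes[label] = None
        except SamlValidationError as exc:
            outcomes[label] = str(exc)
    return ok, outcomes
```

Order matters: the signature is checked before anything is parsed for meaning, and the request ID is consumed and the assertion ID recorded only after every other check has passed, so a malformed or expired message cannot poison the replay cache. The two-minute clock skew is an assumption; a built-in SAML SP platform exposes the same setting under its own name.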


3. Integration Plan
The following diagram illustrates the integration plan. It is divided into the following steps:

Request IAM Services Step
 • Request the IAM service through the SP Onboarding Business Process or by direct contact with IAM
   Management.

Approval & Agreement Step
 • Meeting between the IAM Service Team and the SP Team.
 • Agree on all integration points raised within this document.
 • Define the requirements clearly and develop a scheduled action plan.

Technical Integration, INT Env. (if possible)
 • Integrate the IAM INT Env. with the SP INT Env.
 • Test the integration and fix issues.

Technical Integration, Staging Env. (if possible)
 • Integrate the IAM Service QA Env. with the SP QA Env.
 • Test the integration and fix issues.

Technical Integration, PROD Env. Hidden
 • Integrate IAM Prod with SP Prod (keep it hidden from the public).
 • Test the integration and fix issues.
 • Test on the Internet.
 • Enable IAM Login to the public.

Production Integration Finalized

Note: at the end of each step, the integration teams meet and report the status to IAM and Service Provider
management. At the end of each step, a report should be submitted to top management; this closes the step
and launches the next one.

3.1 Request IAM Services Step
The IAM services can be requested in two ways:
 • Direct communication with IAM management: this applies especially to government organizations.
   Nevertheless, an owner has to be selected from the organization to be the point of contact and
   coordinator of the integration effort. He has to issue a formal request.
 • The owner (or an eligible person) of the company (or business entity) can request IAM services through
   https://www.iam.gov.sa/idpinit/ar/sp_onboarding.jsp. This screen identifies the requester and sends his
   request to IAM management.
In both cases, the requester has to provide the following information; the first line is provided as a sample:


Resource Policy (sample row)

 #                                 1
 Resource Alias                    Sample Resource
 Description                       This Sample Resource will allow the user to ...
 Resource URL                      https://www.company.com/resource/sample
 User Target                       ALL
 User Validation                   Registered or Activated, Alive or NA, Inside or Outside the country or NA
 Technology / Platform             .Net / WebApp on IIS
 Current Authentication Scheme     Custom Login Page Relying on LDAP
 Estimated Number of Transactions  220/400 Per Minute
 Auth. Policy                      IDCard + PIN OR Username Password + OTP
 User Attributes                   ALL

Where:

 • Resource URL: Service Provider URI, usually the main portal page.
 • User Target: Citizens, Residents (Visitors are not yet handled).
 • User Policy: the part of the user validation to apply: Registered or Activated or NA, Alive or NA, Inside
   or Outside the country or NA.
 • Authentication Policy (Sequences): any combination of the following options: IDCard, PIN, UP (username/
   password), Mobile, Email, Fingerprint.
 • Technology: .Net, Java, Python, PHP ...
 • Resource Platform: WebApp on IIS, WebApp on IBM WebSphere AppServer, Oracle Portal, IBM Portal,
   SharePoint, ...
 • Current Authentication Scheme: Windows Integrated Logon, Custom Authentication Front, Custom Backend,
   Custom Membership Provider, Third Party SSO Solution, Users Repository.
 • Estimated Number of Transactions: given as (Average/Peak) per second, minute or day, together with the
   peak time.
 • User Attributes: the user attributes required by the service provider for each listed resource. The list
   of available attributes is given in the service description in section 2.1.5.
The request goes through the IAM Service Provider Onboarding Business Process approval. The requester will
then be contacted and the next step can be carried out.

26 | P a g e

3.2 Approvals & Agreement Step
Once the request has been validated and has received first approval, a more detailed discussion can take place. The main goal of this discussion is to finalize an agreement on all the details at the management, business and technical levels.

3.2.1 Management Discussions and Agreement

At the management level, discussions will cover the following points:
 Workshops and Meeting between IAM Service Team and Service Provider Team.
 Agree on all integration points raised within this document.
 Define extra requirements and develop scheduled action plan.
 Agree on the Process of raising Issues/Problems, new requirements or a change request.
 Define roles and responsibilities.
 Agree and Sign a contract by both parties including SLA.

3.2.2 Business & Technical Discussion and Agreement

At the technical level, the discussion will cover the following:

 Service Provider Existing Architecture:
The service provider team will explain the technical architecture and its issues; this will serve for better understanding and planning.
 Service Provider Requirements:
The input here is the table filled in by the service provider in the previous step:
  • Discuss the resources to protect.
  • Discuss the Service Provider user attributes requirements.
  • Discuss the required users' validation.
  • Discuss the logout processes and requirements.
  • Define the Service Provider Policy:
    o Default Authentication Method Required (Authentication Sequences Allowed) for desktop and mobile clients,
    o Possibility to specify the Authentication Method during the request,
    o Federation Policy,
    o Force Authentication.
 Service Provider Integration:
  • Discuss the possibility to do the integration on Integration and Pre-production,
  • Discuss the SAML2 authentication protocol enablement.
  • Discuss Authentication Request/Response Validations:
    o Digital Signature Validation,
    o Timestamp Validation.
  • Login Options and how they will be presented to the User,
  • Discuss the language consistency,
  • Discuss the need to implement auto-registration (on-the-fly registration):
    o After authentication in IAM, the user may not exist in the Service Provider repository. In this case, the service provider has to auto-register the user.
    o The Service Provider should not prompt the user for any information already provided by IAM as part of the SAML2 response.
    o The service provider should not request any credentials from the user (especially the password).
    o If the auto-registration of the user needs a password (because of a platform or SDK limitation), the service provider needs to generate the password randomly, just for the purpose of creating the profile and not for authentication purposes. That password should be random enough that it cannot be used even by a system administrator.
  • Service Provider Identity (Certificate) requirements (usage and storage),
  • Statistics of the SP Portal related to Login:
    o Number of daily logins,
    o Number of logins at peak.

 Service Provider Portal Platform Readiness:
Based on these discussions and a walkthrough of the integration guide, the IAM and service provider teams will assess the technical readiness to start the integration, especially:
  • Service Provider resources architecture relevant to the integration,
  • SAML2 authentication protocol support,
  • Auto-Registration support,
  • User Identifiers.

3.2.3 Establish Technical Integration Timeline

Once all of these points are agreed, the step ends by establishing the integration timeline and defining the actions required with clear estimates, as preparation for the next step.

# | Owner | Actions | Estimate (Days) | Description
1 | SP/IAM | Complete the Technical Readiness of the Service Provider and IAM | TBD | Implement the identified technical gaps on IAM and the service provider and follow up to fulfill all pre-requisites. These gaps were identified during the discussion of requirements and technical integration requirements.
2 | IAM | Register the Service Provider in IAM with agreed policy | 1 | IAM Team will issue a certificate for the service provider and then create a profile for it within IAM. More information about the service provider is collected at this step.
3 | SP | Register IAM in Service Provider as Identity Provider | 2-3 | The configuration needed is SAML2 Web SSO Post Binding. All configuration details are listed below.
4 | IAM/SP | Testing the Integration | 5-10 | End-to-End Testing & Fixing Issues.
5 | IAM/SP | Get approval to move to next environment | TBD | Finalize the integration if it is in production.

3.3 Technical Integration Step
Applies to INT (if possible), to STAGING (if possible) and to Production.

At this step, IAM and the service provider have gone through the integration guide and several workshops have taken place covering management, business and technical topics. In addition, IAM and the service provider have established the timeline to be executed, which is the purpose of this phase. The five timeline items are explained in more detail hereafter:
 Complete the Technical Readiness of the Service Provider and IAM.
 Register the service provider in IAM with agreed policy.
 Service Provider to register IAM as Identity Provider.
 Testing the Integration.
 Get approval to move to the next environment.

3.3.1 Complete the Technical Readiness of the Service Provider and IAM

This step will make sure that the Service Provider has implemented the defined gaps and is technically ready to use the IAM authentication service. This may need a development effort on the Service Provider side. It is difficult to cover all possible gaps, but the following are highly recurrent:
• Enable the SAML2 authentication protocol in the service provider platform. This depends on the technology and platform used by the SP. Annex C contains some platform guidelines on how to enable SAML2.
• Service Provider default user identifiers: the SP has to make some changes to the user repository in case the service provider is not using the national ID (Iqama ID) as an identifier.
• Implement the "On the fly registration" process: several use cases need to be properly handled:
  o Authenticated user not registered: prompt the user to complete his information.
  o Authenticated user already registered, information correct: no action.
  o Authenticated user already registered, information incorrect: update the user entry.
• Customize the Service Provider login page:
  o Customize the Service Provider Login Page to handle Local Login and IAM Login (Federated Login).
• Implement the Service Provider Logout interceptor, for single logout purposes. The link should contain an slo parameter, similar to https://www.sp.gov.sa/logout?slo=[true|false].
  o When slo is false, the service provider will just log out locally.
  o When slo is true, the service provider will issue an SLO request (using either the simplified way or the SAML2-based one).
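An added example, not part of the guide, of the SP-side handling of the three on-the-fly registration cases above, including the random, unusable placeholder password required in section 3.2.2. The in-memory repository, the attribute names and the returned case labels are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field

# Attributes released by IAM that the SP mirrors locally (assumed names for this example).
SYNCED_ATTRIBUTES = ("full_name", "lang")


def placeholder_password(nbytes: int = 32) -> str:
    """Random password used only because the platform insists on one at profile creation.

    It is never displayed, mailed or reused, so nobody (administrators included) can
    use it to log in locally; IAM remains the only way to authenticate this profile.
    """
    return secrets.token_urlsafe(nbytes)


@dataclass
class Profile:
    national_id: str                                   # SP user identifier = National ID / Iqama ID
    attributes: dict = field(default_factory=dict)
    password: str = field(default_factory=placeholder_password, repr=False)


class Repository:
    """Constructed in-memory stand-in for the SP user repository."""

    def __init__(self):
        self._users = {}                               # national_id -> Profile

    def find(self, national_id: str):
        return self._users.get(national_id)

    def save(self, profile: Profile) -> None:
        self._users[profile.national_id] = profile


def on_the_fly_registration(repo: Repository, iam_attributes: dict) -> str:
    """Reconcile an authenticated IAM user with the SP repository.

    `iam_attributes` comes from an already validated SAML2 response: the NameID
    (National ID) plus the agreed user attributes. The SP never asks the user for
    credentials; IAM-provided values are pre-filled and locked on the completion
    screen, which is outside this function. Returns which case applied:
    "registered", "updated" or "unchanged".
    """
    national_id = iam_attributes["national_id"]
    synced = {k: iam_attributes[k] for k in SYNCED_ATTRIBUTES if k in iam_attributes}

    profile = repo.find(national_id)
    if profile is None:
        # Case 1: authenticated but unknown locally -> create the profile with an
        # unusable password; the caller then prompts for the remaining information.
        repo.save(Profile(national_id=national_id, attributes=dict(synced)))
        return "registered"

    if any(profile.attributes.get(k) != v for k, v in synced.items()):
        # Case 3: known, but the stored information is stale -> update the entry.
        profile.attributes.update(synced)
        repo.save(profile)
        return "updated"

    # Case 2: known and the information matches -> no action.
    return "unchanged"
```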

3.3.2 Register the Service Provider in IAM with agreed Policy

The IAM team will have all the information required to configure the service provider with the following details:
 Resource URL: the link to the resource to be protected (e.g. the login page); usually it is the portal link.
For Arabic, example: https://www.sp.gov.sa/resource or https://www.sp.gov.sa
For English, example: https://www.sp.gov.sa/en/resource or https://www.sp.gov.sa/en
 Service Provider Entity Id: this URL is the name of the Service Provider.
Example: https://www.sp.gov.sa/resource or https://www.sp.gov.sa
 Service Provider Assertion Consumer Service URL: the ACS URL is the link to the process that initiates the SAML2 request and receives the authentication response.
Example: https://www.sp.gov.sa/resource/acs or https://www.sp.gov.sa/acs
 Service Provider Logout URL:
Example: https://www.sp.gov.sa/resource/logout or https://www.sp.gov.sa/logout.
 Authentication Methods Options:
Example: username and password with IDCard, or username and password with one-time password.
 Signing Certificate:
Every Service Provider will have a dedicated certificate used to digitally sign the authentication requests. IAM will provide a new certificate for the Service Provider based on the CSR (Certificate Signing Request) coming from the Service Provider. The associated RSA key pair should be generated on the service provider side. The IAM team will guide the service provider during the certificate issuance process.

Other information related to the UI is required to finish the configuration:
 Service Provider Name (Alias).
 Login Service Provider Image, Arabic and English.
 Login Label, Arabic and English.
 Login Description, Arabic and English.
The images, labels and descriptions will be displayed to the user to let him know that he is authenticating for the Service Provider.

During non-production integration such as Staging, the Service Provider configuration will be isolated
but can still use IAM default URL.

3.3.3 Register IAM as Identity Provider in Service Provider

The IAM team will provide the IAM Entity Descriptor. For some platforms, this will facilitate the configuration by just importing this file when configuring the Identity Provider (a sample is provided in Annex B). The Service Provider has to register IAM as the default Identity Provider using the following information:
 Entity ID: https://www.iam.gov.sa/samlsso
 Destination URL: https://www.iam.gov.sa/samlsso
 Protocol: SAML 2 Web SSO Profile, with the following bindings:
  • Request: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
  • Response: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
 Service Provider Signing Certificate: this certificate has been provided in the previous step based on the SP CSR. It will be used to sign SP authentication requests.
 IAM Certificate: provided by IAM Support; it is used to validate the signature of the responses coming from IAM.
 Certificates Chain: the INFRA CA and the ROOT CA certificates. These two certificates must be imported into the service provider application keystore and must be trusted. They serve to validate the SP signing certificate and the IAM certificate.
 Logout URL: https://www.iam.gov.sa/samlsso?slo=true
 SAML2 Logout URL: https://www.iam.gov.sa/samlsso
 Attributes mapping should be configured to map the user attributes coming from IAM to the repository attributes.
Note that the configuration of SAML2 is platform specific and is out of the scope of this document.

3.3.4 Testing the integration

During staging integration, an isolated SP configuration is created on IAM. The only constraint is that the user accessing the SP staging environment has a connection to IAM over the internet. The IAM Support Team will provide the appropriate configuration. Note that there is no need for direct connectivity to perform the integration on the Staging environment (nor for production). The following diagram shows the user/developer/tester accessing both environments (IAM and SP).

[Figure 10: IAM/SP Staging Integration. Diagram elements: SP Machine, SP Staging Env., Internet, IAM Service Data Center.]

The testing scenario is straightforward, applying the following test cases:

 Normal login of an existing SP user through SP Local Login.
Expected result: the user is successfully logged in to the SP without soliciting IAM.
 Normal login of an IAM-registered user having an account in the SP repository.
Expected result: successful login (redirection to IAM and back to the SP), and update of the existing user profile or creation of a new one according to the SP policy (to separate IAM profiles and SP profiles).
 Normal login of an IAM-registered user NOT having an account in the SP repository.
Expected result: successful login on IAM, and the SP Auto-Registration screen is shown with the user attributes populated and locked.
 A number of negative tests will be done according to the IAM Test Plan.

A complete description of the test scenarios is included in the IAM Integration Checklist.

Important Notes
 The Arabic/English switch should be consistent for the user. This means that if the user is on the Arabic page of the portal and wants to log in, the Service Provider redirects him to the Arabic version of the IAM Service, and vice versa. The possible values are EN and AR.
The language consistency will be maintained during the authentication: the "lang" HTTP attribute will be sent from the service provider to IAM as part of the Authentication Request (as an additional parameter). The SAML2 response is sent from IAM back to the service provider including "lang" as a SAML2 attribute.
 Time Synchronization: the requests and responses are subject to a number of validations. One of the validations is "TimeStamping": the service provider sends the IssueInstant of the request, and the IAM Service replies with the NotOnOrAfter timestamp of the response.
If the two sides are NOT IN TIME sync, there is a risk that requests or responses are rejected. Although a permissible time span (default: 5 minutes) is tolerated as the difference between request and response, it is necessary to synchronize the servers on both sides (the servers where the requests are issued and consumed). Synchronizing with an NTP server is recommended.

3.4 Production Integration Finalized
Once the integration is finalized, a report should be written summarizing all integration efforts and lessons
learned. This document is presented to top management along with the recommendations for the next
integration.
After receiving the integration report, IAM and Service Provider coordinators will agree on the right time
to enable the Login through IAM. The IAM SLA contract will be signed by both parties.

4. IAM Contact Information
For any questions regarding IAM, contact:
 Saudi National Digital Identity Operations Manager: Mazen Alqarni (mhqarni@nic.gov.sa).
 Saudi National Digital Identity Applications PM: Nawaf AlMutairi (nmmutairi@nic.gov.sa).
 Saudi National Digital Identity Program Manager: Naji Algahtani (ngahtani@nic.gov.sa).

The IAM home page is: http://www.iam.gov.sa.

Annex A: Sample Authentication Messages
The authentication request sent from the service provider to IAM should be similar to:

[Figure 11: Sample Authentication Request. The request XML did not survive extraction; the Destination visible in the sample is https://www.iam.gov.sa/samlsso.]

The important information that composes an authentication request, and that the service provider should be aware of, is:

 Destination: A URI reference indicating the IAM address to which this request has been sent. The default value: http://www.iam.gov.sa/samlsso.
 ProtocolBinding: A URI reference that identifies the SAML protocol binding to be used when IAM returns the SAML message.
 Issuer: The service provider name issuing the authentication request.
 NameIDPolicy: Specifies the name identifier to be used to represent the requested subject. If omitted, IAM will use the National ID of the user.
 IssueInstant: Authentication Request issue timestamp, used by the IAM Service to validate the request.
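An added example, not from the guide, that builds an AuthnRequest carrying the fields listed above and encodes it for the HTTP-Redirect binding with the extra "lang" parameter required by the Important Notes in section 3.3.4. The SP entity ID and ACS URL are assumed sample values on the guide's www.sp.gov.sa host, and the mandatory XML signature with the SP's NIC-issued certificate is not produced here.

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IAM_SSO_URL = "https://www.iam.gov.sa/samlsso"                    # Destination, from the guide (3.3.3)
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"    # ProtocolBinding: IAM answers via POST
SP_ENTITY_ID = "https://www.sp.gov.sa"                             # assumed, guide's sample host
SP_ACS_URL = "https://www.sp.gov.sa/acs"                           # assumed, guide's sample ACS URL


def build_authn_request(issue_instant: datetime, request_id: str = "") -> bytes:
    """Return the AuthnRequest XML as UTF-8 bytes (unsigned; see lead-in)."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        # Unique and unguessable; the SP keeps it to match the Response's InResponseTo.
        "ID": request_id or "_" + secrets.token_hex(16),
        "Version": "2.0",
        # IssueInstant is what IAM compares with its own clock (5-minute permissible span).
        "IssueInstant": issue_instant.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IAM_SSO_URL,
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    # NameIDPolicy is deliberately omitted: per Annex A, IAM then uses the user's National ID.
    return ET.tostring(req, encoding="utf-8")


def redirect_url(xml_bytes: bytes, lang: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode, plus the extra "lang" parameter."""
    if lang not in ("EN", "AR"):                           # the only values the guide allows
        raise ValueError("lang must be EN or AR")
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "lang": lang}
    if relay_state:
        params["RelayState"] = relay_state
    return IAM_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_url(url: str):
    """Inverse of redirect_url, i.e. what IAM receives. Returns (AuthnRequest element, lang)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_bytes = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    return ET.fromstring(xml_bytes), query["lang"][0]
```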

The authentication response sent from IAM back to the service provider should be similar to:

[Sample Authentication Response. The response XML did not survive extraction; the values visible in the sample are the issuer nicidp, the subject 1234567890, the authentication context class urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI and an attribute value "full name".]

The important information that composes an authentication response, and that the service provider should be aware of, is:



 Destination: A URI reference indicating the SP address to which this response has been sent.
 Issuer: The identity provider name issuing the authentication response.
 StatusCode: Specifies whether the authentication succeeded or failed.
 Subject: Specifies the user authenticated in IAM.
 NotOnOrAfter: Authentication Response timestamp, used by the service provider to validate the response.
 Attributes: Contain the information about the authenticated user.
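An added example, not from the guide, of the SP-side checks on the response fields listed above, together with the timestamp validation and the 5-minute permissible span described in the Important Notes of section 3.3.4; signature verification against the IAM certificate and the INFRA/ROOT CA chain must already have passed and is not shown. Assumptions: the response XML is constructed here following the SAML 2.0 layout (the issuer nicidp, subject 1234567890, SmartcardPKI context and "full name" attribute are the values visible in the guide's sample), and the SP ACS URL and entity ID are sample values.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EXPECTED_ISSUER = "nicidp"                  # Issuer value visible in the guide's sample response
SP_ACS_URL = "https://www.sp.gov.sa/acs"    # assumed SP ACS URL (the response Destination)
SP_ENTITY_ID = "https://www.sp.gov.sa"      # assumed SP entity ID (the assertion Audience)
PERMISSIBLE_SKEW = timedelta(minutes=5)     # the guide's default permissible time span

# Constructed sample response (not from the guide); the layout follows SAML 2.0.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2018-08-02T12:06:45Z" Destination="https://www.sp.gov.sa/acs" InResponseTo="_req1">
  <saml:Issuer>nicidp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-08-02T12:06:45Z">
    <saml:Issuer>nicidp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>1234567890</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-08-02T12:11:45Z"
            Recipient="https://www.sp.gov.sa/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-08-02T12:06:45Z" NotOnOrAfter="2018-08-02T12:11:45Z">
      <saml:AudienceRestriction><saml:Audience>https://www.sp.gov.sa</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-08-02T12:06:45Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="fullName"><saml:AttributeValue>full name</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lang"><saml:AttributeValue>AR</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value: str) -> datetime:
    """SAML timestamps are UTC ('Z' suffix); fractional seconds are ignored."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, expected_request_id: str, now: datetime):
    """Apply the SP-side checks and return (national_id, authn_context, attributes).

    Raises ValueError naming the first failed check. `now` is the SP's clock, which is
    why the guide insists on NTP synchronisation: the skew is tolerated, not ignored.
    """
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer the request this SP issued")
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("unexpected Issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("authentication did not succeed")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("missing assertion or assertion Issuer mismatch")
    conditions = assertion.find("saml:Conditions", NS)
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conditions is None or confirmation is None:
        raise ValueError("assertion lacks Conditions or SubjectConfirmationData")

    # Timestamp validation: NotOnOrAfter (and NotBefore) with the permissible span on each edge.
    for elem in (conditions, confirmation):
        if now >= parse_instant(elem.get("NotOnOrAfter")) + PERMISSIBLE_SKEW:
            raise ValueError("response expired (NotOnOrAfter); check clock synchronisation")
    if conditions.get("NotBefore") and now + PERMISSIBLE_SKEW < parse_instant(conditions.get("NotBefore")):
        raise ValueError("response not yet valid (NotBefore); check clock synchronisation")
    if confirmation.get("Recipient") != SP_ACS_URL or confirmation.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData does not match this SP or request")
    if conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion is not intended for this SP (Audience)")

    national_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not national_id:
        raise ValueError("Subject has no NameID")
    authn_context = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    attributes = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return national_id, authn_context, attributes
```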

Annex B: Sample Entity Descriptor Message Used During IAM Configuration
The IAM Entity Descriptor provided to the service provider (see section 3.3.3) should be similar to:

[Sample Entity Descriptor. The XML did not survive extraction; the sample embeds the IAM certificate in base64 form ("BASE 64 IAM Certificate").]

Annex C: Frequently Asked Questions

1. Enable SAML2 as Authentication Protocol on the Service Provider
On how to enable SAML SSO, check the following:
For IBM WebSphere App. Server, version 7:
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.was_v7/was/7.0.0.23/Security/SAML_Web_SSO.pdf
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.was_v7/was/7.0.0.7/SAML.html
http://www01.ibm.com/support/knowledgecenter/api/content/SSEQTP_7.0.0/com.ibm.websphere.base.doc/info/aes/ae/twbs_addsamltaisso.html?locale=en
For IBM WebSphere App. Server, version 8:
http://www01.ibm.com/support/knowledgecenter/#!/SSD28V_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_enablesamlsso.html
For ASP.Net Web Applications, the following framework can be used:
https://github.com/KentorIT/authservices
Note that the IAM team has an updated version of the KentorIT framework.

2. Service Provider Certificate
Issue the "Service Provider AuthRequest Signing Certificate" with the alias (CN=SP_DI) under InfraCA (from the NIC PKI system). The resulting certificate must be in the Service Provider keystore (stored and used securely).
Note: this certificate will be used to digitally sign the authentication requests.

3. On The Fly Registration
"On The Fly Registration" is the auto-registration of authenticated IAM users that are not in the SP repository.

Annex D: Nationality Codes
The following is the list of nationality codes:

CODE | Nationality Name Arabic | Nationality Name English
101 | الامارات العربية | Arab Emirates
102 | الاردن | Jordan
103 | البحرين | Bahrain
104 | سوريا | Syria
105 | العراق |Iraq
106 | عمان | Oman
107 | فلسطين | Palestine
108 | قطر | Country
109 | الكويت | Kuwait
110 | لبنان | Lebanon
111 | اليمن | Yemen
112 | اليمن الجنوبي | Southern Yemen
113 | العربية السعودية | Saudi Arabia
114 | يمني جنوبي - السلاطين | Yemeni the sultans
115 | بني حارث | Bani Harith
116 | الكويت - بدون | Kuwait - without
117 | افراد القبائل | Member of the tribes
118 | من سكان البحرين | Residents of Bahrain
119 | قبائل مجاورة للعطفين | Tribes adj to Ataf
120 | اجنبي بجواز سعودي | Alien KSA Passport
121 | فلسطيني بوثيقة مصرية | Palestinian Egyptian
122 | فلسطيني بوثيقة لبناني | Palestinian Lebanese
123 | فلسطيني بوثيقة اردنية | Palestinian Jordan
124 | فلسطيني بوثيقة عراقية | Palestinian Iraqi
125 | فلسطيني بوثيقة سورية | Palestinian Syria
126 | وثيقة قطريه | document Syria
127 | وثيقة عمانيه | The document Omani
128 | وثيقة اماراتيه | The document EMIRIAN
129 | وثيقة بحرينيه | Document Industry
130 | عرب ثمانية وأربعون | Arabs 48
131 | قبائل نازحة/الحليفه | Tribe/AlHal
132 | اليمن - لحج | Yemen - pilgrimage
133 | قبائل نازحة/الكويت | Tribes / Kuwait
134 | غير كويتي | Unknown
135 | غير بحريني | Unknown
136 | غير قطري | Unknown
137 | غير اماراتي | Unknown
138 | غير عماني | Unknown
139 | مقيم/نازح |
140 | مقيم/مولود |
141 | مقيم/طالب جنسية |
142 | مقيم/أفراد القبائل |
143 | مقيم/غير معروف |
144 | مقيم/لا يحمل وثيقة |
145 | قبيلة الصيعر | ALSAYAR
146 | المناهيل والمهرة | ALMNAHIL AND ALMAHRH
201 | تونس | Tunisia
202 | الجزائر | Algeria
203 | جيبوتى | Djibouti
204 | السودان | Sudan
205 | الصومال | Somalia
206 | ليبيا | Libya
207 | مصر | Egypt
208 | المغرب | Morocco
209 | موريتانيا | Mauritania
301 | افغانستان | Afghanistan
302 | اندونيسيا | Indonesia
303 | ايران | Iran
304 | باكستان | Pakistan
305 | بنجلاديش | Bangladesh
306 | بروني | Brunei
307 | جمهورية ميانمار | Myanmar
308 | تايلند | Thailand
309 | تركيا | Turkey
310 | جزر مالديف | Maldives
311 | روسيا الاتحادية | Russia
312 | سنغافورة | Singapore
313 | سري لنكا | Sri Lanka
314 | الصين الوطنية | China National
315 | الفلبين | Philippines
316 | فيتنام | Vietnam
317 | كمبوديا | Cambodia
318 | كوريا الجنوبية | South Korea
319 | ماليزيا | Malaysia
320 | نيبال | Nepal
321 | الهند | India
322 | هونج كونج | HONG KONG
323 | اليابان | Japan
324 | بهوتان | Bhutan
325 | الصين الشعبية | China
326 | قبرص | Cyprus
328 | كوريا الشمالية | North Korea
329 | لاوس | Laos
330 | منغوليا | Mongolia
331 | ماكاو | Macao
332 | تركستان | Turkistan
333 | مقيم بلوشي | NULL
334 | بخارستان | Bucharest
335 | القبائل النازحة | Tribes emigrated
336 | كازاخستان | Kazakhstan
337 | ازبكستان | Uzbekistan
338 | تركمانستان | Turkmenistan
339 | طاجكستان | Tajikistan
340 | قرغيزستان | kyrgyzstan
341 | سقطرة | Socotra
342 | مهرة | Muhrah
343 | اذربيجان | Azerbaijan
344 | الشاشان | Chechnya
345 | داغستان | Dagestan
346 | انقوش | Anquosh
347 | تتارستان | Tatarstan
348 | مكرر لقرغيزيا لا يستخدم | Kyrgyzstan not used
349 | تيمور الشرقية | East Timor
350 | مقيم | Resident
351 | ميانمار/مقيم | NULL
352 | ميانمار/جواز باكستان |
353 | ميانمار/جواز بنجلادش |
401 | اثيوبيا | Ethiopia
402 | اوغندة | Uganda
403 | بوتسوانا | Botswana
404 | بورندي | Burundi
405 | تشاد | Chad
406 | تنزانيا | Tanzania
407 | توجو | Togo
408 | جابون | Answer
409 | غامبيا | Gambia
410 | جزر القمر | Comoros
411 | جنوب افريقيا | South Africa
412 | ناميبيا | Namibia
413 | بنين | Benin
414 | رواندا | Rwanda
415 | زمبابوي | Zimbabwe
416 | زائير | Zaire
417 | زامبيا | Zambia
418 | ساحل العاج | Ivory Coast
419 | السنغال | Senegal
420 | سيراليون | Sierra Leone
421 | غانا | Ghana
422 | غينيا | Guinea
423 | غينيا بيساو | Guinea Bissau
424 | بوركينافاسو | Burkina Faso
425 | الكاميرون | Cameroon
426 | الكونغو | Congo
427 | كينيا | Kenya
428 | ليسوتو | Lesotho
429 | ليبيريا | Liberia
430 | مالي | Mali
432 | مالوي | Malawi
433 | موريشيوس | Mauritius
434 | موزمبيق | Mozambique
435 | نيجيريا | Nigeria
436 | النيجر | Niger
437 | افريقيا الوسطى | Central Africa
438 | انجولا | Angola
439 | الراس الاخضر | Cape Verde
440 | غينيا الاستوائية | Equatorial Guinea
441 | ملاجاسي | Mlajasi
442 | ساوتومي/برنسبى | Sao Tome/FranceBank
443 | جزر سيشل | Seychelles Islands
444 | سوزيلاند | Swaziland
445 | بوفثاتسوانا | Bovthatswana
446 | رينيون | Reunion
447 | ترانسكي | Transkei
448 | فيندا | Venda
449 | ارتيريا | Eritrea
450 | دول افريقية اخري | Other African States
451 | سانت هيلانة | Saint Helena
452 | جزيرة مايوت | Comorian island
453 | جمهورية جنوب السودان | Republic of South
454 | كاب فيرد | CAPE VERDE
501 | اسبانيا | Spain
502 | البانيا | Albania
503 | المانيا | Germany
504 | ايرلندا | Ireland
505 | ايطاليا | Italy
506 | المملكة المتحدة | United Kingdom
507 | البرتغال | Portugal
508 | بلغاريا | Bulgaria
509 | بلجيكا | Belgium
510 | بولندا | Poland
511 | رمز قديم تشكوسلوفاكيا | old to Czechoslovak
512 | الدانمارك | Denmark
513 | رومانيا | Romania
514 | السويد | Sweden
515 | سويسرا | Switzerland
516 | فرنسا | France
517 | فنلندا | Finland
518 | صربيا | SERBIA
519 | هولندا | Netherlands
520 | يوغسلافيا | Yugoslavia
521 | اليونان | Greece
522 | اندورا | Andorra
523 | النمسا | Austria
524 | الجبل الأسود | MONTENEGRO
525 | هنغاريا | Hungary
526 | ايسلندا | Iceland
527 | ليختنشتين | Liechtenstein
528 | لوكسمبورغ | Luxembourg
529 | مالطا | Malta
530 | موناكو | Monaco
531 | النرويج | Norway
532 | سان مورينو | San Moreno
533 | مدينة الفاتيكان | Vatican City
534 | جبل طارق | Gibraltar
536 | اوكرانيا | Ukraine
537 | روسيا البيضاء | Byelorussia
539 | ارمينيا | Armenia
540 | مولدافيا | Moldova
541 | جورجيا | Georgia
542 | ليتوانيا | Lithuania
543 | استونيا | Estonia
544 | لاتفيا | Latvia
545 | البوسنة والهرسك | Bosnia / Herzegovina
546 | كرواتيا | Croatia
547 | سلوفينيا | Slovenia
548 | صربيا والجبل الأسود | Serbia / Montenegro
549 | مقدونيا | Macedonia
550 | كوسوفوا | Kosovo
551 | رمز قديم للجبل الاسود | code to Montenegro
552 | تشيك | CZECH REPUBLIC
553 | سلوفاكيا | Slovakia
554 | جزر فيرو | Faroe Islands
555 | ميتروبوليتان فرنسية | FRANCE METROPOLITAN
601 | الولايات المتحدة | United States
602 | الارجنتين | Argentina
603 | بربادوس | Barbados
604 | البرازيل | Brazil
605 | بنما | Panama
606 | ترينداد وتوباجو | Trinidad and Tobago
607 | جامايكا | Jamaica
608 | جوانا | Joanna
609 | فنزويلا | Venezuela
610 | كندا | Canada
611 | كولمبيا | Columbia
612 | جزر البهاما | Bahamas
613 | كوستاريكا | Costa Rica
614 | كوبا | Cuba
615 | دومينيكا | Dominica
616 | جمهورية دمينكان | Republic Dominica
617 | السلفادور | El Salvador
618 | جرانادا | Granada
619 | جواتيمالا | Guatemala
620 | هايتي | Haiti
621 | هوندوراس | Honduras
622 | المكسيك | Mexico
623 | نيكاراجوا | Nicaragua
624 | سانت لوسيا | Saint Lucia
625 | سان فينسنت | Saint Vincent
626 | بوليفيا | Bolivia
627 | شيلي | Chile
628 | اكوادور | Ecuador
629 | باراجواي | Paraguay
630 | بيرو | Peru
631 | سورينام | Suriname
632 | اوراجواي | Orajoa
633 | س بييري وميكويلن | Saint Pierre Miquel
634 | جرينلاند | Greenland
635 | بيليز | Belize
636 | بيرمودا | Bermuda
637 | ج الترك والقوقاز | Turk/Caucasus Island
638 | سان كريستوفرنيفز | San Cristovernivz
639 | انجويلا | Anguilla
640 | انتيكوا | Antiques
641 | ج فيرجن البريطانية | British Virgin
642 | جزر كايمون | Cayman Islands
643 | مونت سيرات | Monte Sirat
644 | جيودي لوب | Gyude Lube
645 | مارتينيكو | Martinico
646 | عروبا | Arabism
647 | بونيري | Bonaire
648 | كيوراكو | Curako
649 | سان استاتيوس | San Astatios
650 | سابا | Saba
651 | سان مارتين | San Martin
652 | بورتوريكو | Puerto Rico
653 | ج فيرجن الامريكية | Virgin Islands of US
654 | جزر فاكلاند | Falkland Islands
655 | جيانا الفرنسية | French Guyana
656 | الامم المتحدة | United Nations
657 | جزر كوك | Cook Islands
659 | باربودا | Barbuda
660 | انتيل الهولندية | NETHERLANDS ANTILLES
661 | جزر كوكوس | COCOS ISLAND
662 | البريطانية في المحيط | BRITISH INDIAN OCEAN
663 | سانت كيتس ونافيس | SAINT KITTS & NEVIS
664 | جنوب جورجيا | SOUTH GEORGIA
701 | استراليا | Australia
702 | نيوزيلندا | New Zealand
703 | بابوا نيوغينا | Papua yoga
704 | نيو | New
705 | انتاركتيكا | Antarctica
706 | جزر نورفولك | Norfolk Island
707 | توكيلاو | Tokelau
708 | جزيرة كريسماس | Christmas Island
709 | جزيرة كوكو - كيلنج | koko Island- Kellenj
710 | فرنسا الجنوب القطبية | FRENCH SOUTH
711 | جزيرة هيرد وماكدونلد | HEARD DONALD ISLANDS
712 | جزر بيتكايرن | PITCAIRN ISLANDS
801 | جزر فيجي | Fiji Islands
802 | كيريباتي | Kiribati
803 | نورو | Nauru
804 | جزر سليمان | Solomon Islands
805 | تونجا | Tonga
806 | توفالو | Tuvalu
807 | فانيوتو | Vanuoto
808 | ساموا الغربية | Western Samoa
809 | ساموا الامريكية | American Samoa
810 | جوام | Guam
811 | جزر ماريانا | Mariana Islands
812 | ميكرونيسيا | Micronesia
813 | جزر ماريشال | Marechal Islands
814 | بيلو | Belo
815 | بولينيسيا الفرنسية | French Polynesia
816 | جزر والس وفوتونا | Islands Wallis
817 | كاليدونيا الجديد | New Caledonia
818 | مدغشقر | Madagascar
819 | قبيلة بالعبيد | Balobid
820 | قبيلة النسي | NULL
821 | قبائل مجاورة للعبر | TRIBES ADJACENT
822 | قبيلة الحرث | NULL
823 | قبيلة نهد | NULL
824 | جزر مينور | US MINOR ISLANDS
825 | مقيم اجنبي - الاشاجعة | NULL
826 | مقيم اجنبي - العدوان | NULL
900 | غير معروف | Unknown
901 | اخرى | OTHER

Annex E: Service Provider Integration through Partner Guidelines
 Regular audits of the partner system will be conducted by the IAM Team.
 The partner should send the service provider URL (issuer or entityId) within the Audience attribute as part of the authentication request.
 The partner should comply with the integration guide.
 Service Providers integrated with the partner should use a certificate issued from the NIC PKI.
 The partner must digitally sign the response coming from IAM before sending it to the service provider. The certificate used for signing the response is the same certificate used for signing the request, and it should be issued from the NIC PKI.
 The partner should store the requests/responses coming from and going to the service provider for at least one year.
 Any integration with a new service provider should be done in coordination with IAM.
 Authentication responses are sent to a specific service provider (identified by the audience) through the partner and cannot be re-used for another one.
 The federation/SSO should be handled by IAM and not by the partner. This is to make sure that the federation policy is not compromised.
 The partner is responsible for validating the integration using the IAM Service Provider Checklist and for regular audits with service providers. The IAM Team may participate in this activity.
