Generated from executable manifest state in priv/conformance/sp_manifest.json and priv/security_corpus.json.

Requirement Summary

Requirement | pass | reject | unsupported | deferred | total
CONF-01 | 8 | 4 | 2 | 1 | 15
  • CVE-REG-01 fixtures pinned: 7
  • Families covered: xxe, signature_wrapping, CVE-2024-45409

CONF-01 SP Conformance Coverage

Scope | status | profile | rule | binding | provenance | notes
sp-authn-request-build | pass | oasis-saml2-core | SAMLCore-3.4.1 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf / 3.4.1 | SP can build AuthnRequest fields deterministically with a fixed clock.
sp-authn-request-redirect-transport | pass | oasis-saml2-bindings | SAMLBindings-3.4.4.1 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf / 3.4.4.1 | Redirect transport emits base64 request bytes and RelayState without live services.
sp-post-response-decode | pass | oasis-saml2-bindings | SAMLBindings-3.5.4 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf / 3.5.4 | HTTP-POST receipt decodes a base64 SAMLResponse deterministically.
sp-response-consume-pass | pass | kantara-saml2int | saml2int-respond | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://kantarainitiative.org/wp-content/uploads/2019/12/SAML-V2.0-Deployment-Profile-for-Federation-Interoperability-Version-2.0.pdf / 6 | SP accepts a signed response when issuer, destination, audience, recipient, and time checks align.
sp-response-destination-reject | reject | oasis-saml2-core | SAMLCore-3.2.2.2 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf / 3.2.2.2 | Destination mismatch must fail closed with a typed rejection.
sp-response-audience-reject | reject | oasis-saml2-core | SAMLCore-2.5.1.4 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf / 2.5.1.4 | Audience restriction must match the SP entity ID.
sp-response-recipient-reject | reject | oasis-saml2-core | SAMLCore-2.4.1.2 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf / 2.4.1.2 | SubjectConfirmationData recipient must resolve to the ACS URL.
sp-response-time-reject | reject | oasis-saml2-core | SAMLCore-2.5.1.2 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf / 2.5.1.2 | NotBefore outside the configured skew window must fail closed.
sp-idp-initiated-accept | pass | kantara-saml2int | saml2int-idp-initiated | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://kantarainitiative.org/wp-content/uploads/2019/12/SAML-V2.0-Deployment-Profile-for-Federation-Interoperability-Version-2.0.pdf / 8 | IdP-initiated acceptance is explicit and only passes when the connection opts in.
sp-logout-request-build | pass | oasis-saml2-profiles | SAMLProfiles-4.4.4.1 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf / 4.4.4.1 | SLO request generation added in Phase 24 remains executable and deterministic.
sp-logout-request-redirect-transport | pass | oasis-saml2-bindings | SAMLBindings-3.4.4.1 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf / 3.4.4.1 | SLO request transport uses the same Redirect envelope as login initiation.
sp-logout-response-redirect-decode | pass | oasis-saml2-bindings | SAMLBindings-3.4.4.1 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf / 3.4.4.1 | Redirect decoding must continue to accept either SAMLRequest or SAMLResponse payload keys after Phase 24.
sp-artifact-binding-unsupported | unsupported | oasis-saml2-bindings | SAMLBindings-3.6 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact | https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf / 3.6 | Artifact binding is not implemented in the shipped SP surface and remains explicitly out of coverage.
sp-encrypted-assertions-deferred | deferred | oasis-saml2-core | SAMLCore-2.3.4 | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf / 2.3.4 | Encrypted assertion handling is not claimed by this deterministic ExUnit lane yet.
sp-ecp-profile-unsupported | unsupported | oasis-saml2-profiles | SAMLProfiles-4.2 | urn:oasis:names:tc:SAML:2.0:bindings:SOAP | https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf / 4.2 | Enhanced Client or Proxy profile support is not part of the current SP roadmap surface.

CVE-REG-01 Regression Coverage

Fixture | family | class | expected rejection | provenance | notes
xxe-doctype-001 | xxe | xxe_entity_abuse | doctype_forbidden | OWASP SAML Security Cheat Sheet / ported-fixture | DOCTYPE declarations must be rejected before parser trust is established.
xxe-entity-001 | xxe | xxe_entity_abuse | entity_expansion_forbidden | OWASP SAML Security Cheat Sheet / ported-fixture | ENTITY declarations must be refused at the XML seam.
xsw-duplicate-id-001 | signature_wrapping | signature_wrapping | duplicate_xml_id | Historical XSW regression corpus / ported-fixture | Duplicate assertion IDs model classic XSW signed-node confusion.
xsw-ambiguous-assertion-001 | signature_wrapping | signature_wrapping | ambiguous_signed_node | Historical XSW regression corpus / ported-fixture | Multiple signed-node candidates must never collapse to a silent success.
c14n-differential-001 | signature_wrapping | parser_differential_and_c14n | canonicalization_failed | PureBeam seam regression corpus / ported-fixture | The current pure-BEAM seam must keep failing closed when canonicalization inputs are incomplete.
cve-2024-45409-keyinfo-001 | CVE-2024-45409 | cve_2024_45409 | untrusted_certificate | ruby-saml GHSA-jw9c-mfg7-9rx2 / ported-fixture | Document-provided KeyInfo must never become a trust anchor.
cve-2024-45409-duplicate-id-001 | CVE-2024-45409 | cve_2024_45409 | duplicate_xml_id | CVE-2024-45409 / ruby-saml advisory lineage / ported-fixture | Pinned duplicate-ID variant covers signed-node selection bypasses in the CVE family.