
FINRA Single Sign-On Eligibility Criteria and Technical Requirements


Eligibility Criteria

  • You must be a firm or other type of organization approved by FINRA for SSO Services.
  • When requesting SSO Services, you must have an active Super Account Administrator (SAA), or Certification Representative (CREP) if you are an organization other than a firm.
  • All accounts (i.e., SAA, AAs and users) must have an Active status meaning the account cannot be disabled or locked out.
  • SSO is not permitted for access to CAT/CAIS systems.
  • Organizations are required to complete an annual FINRA Entitlement Account Certification of all Active accounts.
  • Must have a process for reporting a suspected security breach or incident to notify FINRA within 24 hours.
  • Must follow and meet all current and new Technical Requirements and requirements outlined in the SSO Services Terms of Use.

Responsibilities

Firm or Identity Provider (IdP)

  • The Identity Provider is responsible for adhering to all policies and compliance standards set by regulators, jurisdictions, and state laws. This includes, but is not limited to:
    • The FBI’s Criminal Justice Information Services (CJIS) Security Policy and mandates established by the Securities and Exchange Commission (SEC).
      • In accordance with CJIS security policy and SEC compliance standards, text messages and phone calls are not permitted as multi-factor authentication (MFA) options.
  • The Identity Provider is responsible for testing and ensuring integration works as expected and for participating in future testing as required.

FINRA or Service Provider

  • FINRA will provide a lead time of six (6) months to meet new security requirements, including but not limited to encryption standards or protocols.

Integration Requirements

Certificate Handling

  • Certificates must be rotated annually in order to maintain an acceptable level of security. FINRA will provide at a minimum 1 month notification on required certificate changes.

Supported Protocol

  • SAML2

IdP Entity Id

  • Must be unique within FINRA.

Email Domain

  • The Identity Provider must provide FINRA with the information required to associate the Identity Provider's email domain(s) and Organization ID(s) with the Identity Provider entity id. This is required to link the email address the Authorized User enters in the FINRA login application to the Identity Provider's email domain and Organization ID(s).
  • An email domain can be associated with only one Identity Provider.

Authentication Flow

  • Identity Provider initiated login flow is not supported.

SAML2 Details

SP Metadata

  • To be provided by FINRA

NameId Format

  • SAML response must contain NameId with format as urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Bindings

  • Authn Request – urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  • Authn Response – urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Attributes

  • userId (Mandatory)
    • Values: Valid Email Address.
    • Default value: N/A
    • userId uniquely identifies the user on the IdP side. The same value must be passed from the IdP to the SP every time the user logs in.
  • caseSensitive (Optional)
    • Possible values: true/false.
    • Default value: false.
    • Determines whether the IdP user id is case sensitive. For example, email addresses are case insensitive, whereas some usernames can be case sensitive.

SP Message Algorithms

Here are the default algorithms used by the Service Provider. If the IdP intends to use a different algorithm, inform the Service Provider for evaluation.

  • XML canonicalization algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
  • XML signature algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • XML digest algorithm: http://www.w3.org/2001/04/xmlenc#sha256
  • XML transformation algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
  • Mask Generation Function algorithm: http://www.w3.org/2009/xmlenc11#mgf1sha256
  • AES Key Wrap algorithm: http://www.w3.org/2001/04/xmlenc#kw-aes256
  • RSA Key Transport algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
  • Query String signature algorithm (RSA): http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • Query String signature algorithm (DSA): http://www.w3.org/2009/xmldsig11#dsa-sha256
  • Query String signature algorithm (EC): http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
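As an added illustration (not FINRA's code), the following Python pre-check tests an IdP's SAML response against the NameId format, userId/caseSensitive attributes and default signature algorithms listed above, and derives the account-matching key the caseSensitive flag implies. The sample response is constructed; signature verification itself is left to the SAML library.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Signature algorithms the SP accepts by default (from the SP Message Algorithms list above).
REQUIRED_ALGS = {"ds:CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
                 "ds:SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                 "ds:Reference/ds:DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256"}

# Constructed sample response (not a real FINRA message); SignatureValue and KeyInfo omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_c4f1</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="userId"><saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="caseSensitive"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def attributes(root):  # attribute Name -> list of values, from every AttributeStatement
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}

def check_response(xml_text):
    """Return findings against the SAML2 details above; empty list means the fields conform."""
    root, findings = ET.fromstring(xml_text), []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        findings.append("NameID Format must be " + TRANSIENT)
    attrs = attributes(root)
    user = attrs.get("userId", [])
    if len(user) != 1 or "@" not in user[0]:
        findings.append("userId is mandatory and must be a single valid email address")
    if attrs.get("caseSensitive", ["false"])[0] not in ("true", "false"):
        findings.append("caseSensitive must be true or false")
    signed_info = root.find(".//saml:Assertion/ds:Signature/ds:SignedInfo", NS)
    for path, alg in REQUIRED_ALGS.items():
        el = signed_info.find(path, NS) if signed_info is not None else None
        if el is None or el.get("Algorithm") != alg:
            findings.append(path.split("/")[-1] + " must be " + alg)
    return findings

def identity_key(xml_text):
    """Value the SP should match accounts on: lower-cased unless caseSensitive is true."""
    attrs = attributes(ET.fromstring(xml_text))
    return attrs["userId"][0] if attrs.get("caseSensitive", ["false"])[0] == "true" else attrs["userId"][0].lower()
```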

Glossary

SAML 2.0 - Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authentication and authorization identities between security domains.

Firm or Identity Provider (IdP) - An identity provider (IdP) is a service that stores and manages digital identities.

FINRA or Service Provider (SP) - A SAML service provider is a system entity that receives and accepts authentication assertions in conjunction with a single sign-on profile of the Security Assertion Markup Language (SAML).

Identity Provider (IdP) Entity ID - An Entity ID is a globally unique name for a SAML entity, i.e., Identity Provider (IdP) or Service Provider (SP).

Service Provider (SP) Meta Data - SAML metadata is an XML document which contains information necessary for interaction with SAML-enabled identity or service providers. The document contains URLs of endpoints, information about supported bindings, identifiers and public keys.