FINRA Single Sign-On Technical Requirements
Responsibilities
Firm or Identity Provider (IdP)
- The Identity Provider is responsible for ensuring accurate identification of participating Authorized Users, as FINRA will rely upon this information for identity verification. This includes:
  - Employment of Multi-Factor Authentication.
  - Disabling invalid Authorized Users.
- The Identity Provider is responsible for testing and ensuring integration works as expected and for participating in future testing as required.
FINRA or Service Provider
- FINRA will provide a lead time of six (6) months to meet new security requirements, including but not limited to new encryption standards or protocols.
Integration Requirements
Certificate Handling
- Certificates must be rotated annually in order to maintain an acceptable level of security. FINRA will provide at least one month's notice of required certificate changes.
Supported Protocol
- SAML2
IdP Entity Id
- Must be unique within FINRA.
Email Domain
- The Identity Provider must provide FINRA with the information required to associate its email domain(s) with its entity ID. FINRA uses the domain of the email address the Authorized User enters in the FINRA login application to determine which Identity Provider to redirect that user to.
- An email domain can be associated with only one Identity Provider.
Authentication Flow
- Identity Provider-initiated login (an unsolicited SAML response sent without a preceding AuthnRequest from FINRA) is not supported; all logins must be Service Provider-initiated.
SAML2 Details
SP Metadata
- To be provided by FINRA
NameId Format
- The SAML response must contain a NameId with the format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
Bindings
- Authn Request – urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
- Authn Response – urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Attributes
Attribute name | Required or not | Description |
---|---|---|
userId | Mandatory | Possible values: a valid email address. Default value: N/A. userId uniquely identifies the user on the IdP side; the IdP must pass the same value to the SP every time the user logs in. |
caseSensitive | Optional | Possible values: true/false. Default value: false. Determines whether the IdP user id is case sensitive. For example, email is case insensitive, whereas some usernames can be case sensitive. |
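The SP-initiated exchange described in the Authentication Flow, SAML2 Details and Attributes sections above, as an added example that is not FINRA's code or part of the original page. It uses only the Python standard library: the SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding (producing the exact query string that the SP signs with the rsa-sha256 query-string algorithm), the IdP decodes it and rejects signature algorithms not on the page's list, the IdP builds the HTTP-POST Response with a transient NameId and the userId/caseSensitive attributes, and the SP checks that Response against the rules above. All URLs, entity IDs, request IDs and the firm domain are constructed for illustration. Creating and verifying the XML and query-string signatures is deliberately out of scope here; it needs a signature-aware library and must happen before any of the checks in `check_response` are trusted.

```python
# Added example (not FINRA's code). Constructed SP/IdP values; signature creation
# and verification are intentionally omitted and must be done by a real library.
import base64, re, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlencode, urlparse
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ACCEPTED_SIGALG = {RSA_SHA256, "http://www.w3.org/2009/xmldsig11#dsa-sha256",  # page's query-string list
                   "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed values for a hypothetical SP and one hypothetical firm IdP.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.firm.example/saml/metadata"
IDP_SSO_URL = "https://idp.firm.example/saml/sso"

def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_authn_request(req_id):
    """SP side: AuthnRequest asking for a transient NameID, to be answered via HTTP-POST."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{req_id}" Version="2.0" IssueInstant="{_ts(datetime.now(timezone.utc))}" '
            f'Destination="{IDP_SSO_URL}" ProtocolBinding="{POST_BINDING}" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:NameIDPolicy Format="{TRANSIENT}" AllowCreate="true"/></samlp:AuthnRequest>'
            ).encode()

def encode_redirect(request_xml, relay_state=None, sig_alg=RSA_SHA256):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. The returned query string is
    exactly what the SP signs (SAML Bindings 3.4.4.1); it then appends &Signature=<base64 sig>."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    params = [("SAMLRequest", base64.b64encode(comp.compress(request_xml) + comp.flush()).decode())]
    if relay_state:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return urlencode(params, quote_via=quote)

def decode_redirect(url):
    """IdP side: recover the AuthnRequest and refuse SigAlg values not on the page's list."""
    q = parse_qs(urlparse(url).query)
    sig_alg = q.get("SigAlg", [""])[0]
    if sig_alg not in ACCEPTED_SIGALG:
        raise ValueError(f"unsupported SigAlg {sig_alg!r}")
    req = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    return {"id": req.get("ID"), "acs": req.get("AssertionConsumerServiceURL"),
            "issuer": req.findtext("saml:Issuer", namespaces=NS), "sig_alg": sig_alg}

def build_response(in_response_to, user_email, case_sensitive=False):
    """IdP side: Response with a fresh transient NameID plus userId/caseSensitive, base64-encoded
    as the SAMLResponse form field of the HTTP-POST (unsigned here; a real IdP signs it)."""
    now = datetime.now(timezone.utc)
    exp = _ts(now + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>'
           f'<saml:NameID Format="{TRANSIENT}">_{secrets.token_hex(16)}</saml:NameID>'
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{SP_ACS_URL}" '
           f'NotOnOrAfter="{exp}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{exp}"><saml:AudienceRestriction>'
           f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="userId"><saml:AttributeValue>'
           f'{escape(user_email)}</saml:AttributeValue></saml:Attribute><saml:Attribute Name="caseSensitive">'
           f'<saml:AttributeValue>{str(case_sensitive).lower()}</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_response(saml_response_b64, outstanding_request_id):
    """SP side: the page's rules, applied only after XML signature verification (not done here)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not this SP's ACS URL")
    if root.get("InResponseTo") != outstanding_request_id:
        problems.append("InResponseTo matches no outstanding request (unsolicited or replayed)")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        problems.append("NameID must use the transient format")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    user_id = attrs.get("userId") or ""
    if not EMAIL_RE.match(user_id):
        problems.append("userId is mandatory and must be a valid email address")
    cs = (attrs.get("caseSensitive") or "false").lower()  # optional attribute, default false
    if cs not in ("true", "false"):
        problems.append("caseSensitive must be true or false")
    user_key = user_id if cs == "true" else user_id.lower()  # key used to match the user record
    return {"ok": not problems, "problems": problems, "user_key": user_key}
```

The `InResponseTo` check is what turns the page's "IdP-initiated login is not supported" into an enforced rule: a Response whose `InResponseTo` does not match a request the SP issued is refused whether it was unsolicited or replayed. `decode_redirect` only checks that `SigAlg` is one of the accepted identifiers; the IdP still has to verify the `Signature` parameter over the returned query string with the SP's certificate from the metadata, and the SP has to verify the XML signature on the Response (exclusive c14n and rsa-sha256 per the algorithm table) before acting on `check_response`.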
SP Message Algorithms
The Service Provider uses the following algorithms by default. If the IdP intends to use a different algorithm, inform the Service Provider so that it can be evaluated.
Algorithm Category | Accepted Algorithm |
---|---|
XML canonicalization algorithm | http://www.w3.org/2001/10/xml-exc-c14n# |
XML signature algorithm | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
XML digest algorithm | http://www.w3.org/2001/04/xmlenc#sha256 |
XML transformation algorithm | http://www.w3.org/2001/10/xml-exc-c14n# |
Mask Generation Function Algorithm | http://www.w3.org/2009/xmlenc11#mgf1sha256 |
AES Key Wrap Algorithm | http://www.w3.org/2001/04/xmlenc#kw-aes256 |
RSA Key Transport Algorithm | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p |
Query String signature algorithm (RSA) | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
Query String signature algorithm (DSA) | http://www.w3.org/2009/xmldsig11#dsa-sha256 |
Query String signature algorithm (EC) | http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512 |
Glossary
SAML 2.0 - Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authentication and authorization data between security domains.
Firm or Identity Provider (IdP) - An identity provider (IdP) is a service that stores and manages digital identities.
FINRA or Service Provider (SP) - A SAML service provider is a system entity that receives and accepts authentication assertions in conjunction with a single sign-on profile of the Security Assertion Markup Language (SAML).
Identity Provider (IdP) Entity ID - An Entity ID is a globally unique name for a SAML entity, i.e., Identity Provider (IdP) or Service Provider (SP).
Service Provider (SP) Metadata - SAML metadata is an XML document which contains the information necessary for interaction with SAML-enabled identity or service providers. The document contains endpoint URLs, information about supported bindings, identifiers and public keys.