In general, it can be expected that SAML v2.0 products and libraries conform with the mandatory requirements of the OASIS SAML v2.0 standard. The New Zealand Security Assertion and Messaging Standard (NZSAMS) was published in 2008, and although this is occasionally still referenced, it is not directly useful for the purpose of integrating with the RealMe® services.
The RealMe Login Service Messaging Specification and the RealMe Assertion Service Messaging Specification, however, specify a narrower and more prescriptive set of requirements. There are aspects of SAML v2.0 interoperability that the OASIS SAML v2.0 standard does not specify, and the RealMe specification documents address this by defining the use of parameters and values that apply in the RealMe context.
For purposes of procurement or new SAML component development, agencies should refer to the RealMe documents, which simplify the determination of the specific requirements that apply in the New Zealand context.
As the majority of integrations use products or code libraries that comply with the OASIS SAML v2.0 standard, developers should focus on the RealMe requirements that differ in some way from the OASIS standard or carry additional NZ-specific constraints.
The key RealMe SAML request parameters are listed below, ordered to highlight the ones most likely to need close attention.
Issuer (example entity identifier):
    https://www.example.govt.nz/customerservices/first-application
NameIDPolicy Format:
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
AuthnContextClassRef (requested authentication strength):
    urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength
    urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength
    urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Token:SID
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceIndex="0"
                    Destination="https://mts.login.realme.govt.nz/4af8e0e0-497b-4f52-805c-00fa09b50c16/B2C_1A_DIA_RealMe_MTSLoginService/samlp/sso/login"
                    ID="a958a20e059c26d1cfb73163b1a6c4f9"
                    IssueInstant="2021-05-21T00:39:32Z"
                    Version="2.0">
  <saml:Issuer>www.sample-client.co.nz/onlineservices/service1</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
                      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <samlp:RequestedAuthnContext>
    <!-- Keep the class reference on a single line: its value is compared as an exact string,
         so a line break inside the element becomes part of the requested value. -->
    <saml:AuthnContextClassRef>urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Issuer (example entity identifier):
    https://www.example.govt.nz/customerservices/first-application
NameIDPolicy Format:
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
AuthnContextClassRef (requested authentication strength):
    urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength
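As an added illustration (not code from the RealMe documentation), the Python script below checks an AuthnRequest produced by a SAML library against the parameter values listed above: NameIDPolicy Format and AuthnContextClassRef must be among the RealMe-listed values, Version must be 2.0, IssueInstant must be a UTC timestamp and saml:Issuer must be present. The embedded sample request is constructed to mirror the one on this page, including a line break inside AuthnContextClassRef, which the check reports; its Destination is a shortened placeholder, not a real endpoint.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The allowed values are the ones in the RealMe parameter list on this page.
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                  "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}
AC_PREFIX = "urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:"
AUTHN_CLASSES = {AC_PREFIX + s for s in
                 ("LowStrength", "ModStrength", "ModStrength::OTP:Token:SID")}
ISSUE_INSTANT = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# Constructed sample mirroring this page's AuthnRequest (Destination is a placeholder);
# the newline left inside AuthnContextClassRef is deliberate and gets reported.
SAMPLE = f"""<samlp:AuthnRequest xmlns:saml="{NS['saml']}" xmlns:samlp="{NS['samlp']}"
  AssertionConsumerServiceIndex="0" ID="a958a20e059c26d1cfb73163b1a6c4f9"
  Destination="https://mts.login.realme.govt.nz/placeholder/samlp/sso/login"
  IssueInstant="2021-05-21T00:39:32Z" Version="2.0">
  <saml:Issuer>www.sample-client.co.nz/onlineservices/service1</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>{AC_PREFIX}LowStrength
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def check_authn_request(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    findings = []
    if root.get("Version") != "2.0":
        findings.append("Version must be 2.0")
    if not ISSUE_INSTANT.match(root.get("IssueInstant", "")):
        findings.append("IssueInstant must be a UTC xs:dateTime ending in Z")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        findings.append("saml:Issuer is missing or empty")
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None or policy.get("Format") not in NAMEID_FORMATS:
        findings.append("NameIDPolicy Format is not one of the RealMe formats")
    for ref in root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS):
        raw = ref.text or ""
        if raw != raw.strip():
            findings.append("AuthnContextClassRef contains surrounding whitespace")
        if raw.strip() not in AUTHN_CLASSES:
            findings.append("unknown AuthnContextClassRef: " + raw.strip())
    return findings
```

Run the check over the request your library emits before submitting it to the RealMe test environment; the whitespace finding is the one most often produced by pretty-printing XML serialisers.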