Check: SRG-APP-000975-API-001665
Application Programming Interface (API) SRG:
SRG-APP-000975-API-001665
(in version v1 r1)
Title
Generating assertions must be restricted. (Cat II impact)
Discussion
An API may be required to generate assertions when it plays a role in authentication, authorization, or secure data exchange. In protocols such as SAML or OpenID Connect, assertions are essential because they carry trusted claims about a user's identity, permissions, or session status. These assertions, typically issued as SAML assertions or JWTs, allow separate systems to communicate securely and to trust the integrity of the information they exchange. Because relying parties act on an assertion without re-authenticating the subject, whoever can mint one can impersonate any subject it names; generating assertions must therefore be restricted to authenticated, authorized entities, and each assertion must be signed so that a relying party can verify it has not been altered.
Check Content
Review the API's authentication and authorization mechanisms. Ensure that assertions are generated by, or on behalf of, the organization's authoritative identity provider (IdP) rather than from an unverified identity source. Verify the API adheres to the defined authentication standards so that only authenticated and authorized entities can generate assertions. Check that the assertions include the required identity information (e.g., user ID, roles, and claims) and are digitally signed (and encrypted where the policy requires confidentiality of the claims); note that encryption alone does not give a relying party proof of origin, so signing is the control that matters for integrity. Verify the generation process complies with any guidelines on assertion lifetime, scope, and audience. Review system logs to confirm the API is correctly implementing the authentication policies and generating assertions only after successful identity verification. Consult the organization's identity management documentation and compare it to the API's implementation to ensure full alignment with the defined policies. If the API is not generating assertions in accordance with organization-defined identification and authentication policy, this is a finding.
Fix Text
Build or configure the API to generate assertions in accordance with organization-defined identification and authentication policy.
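The following is an added, stand-alone example illustrating the Discussion and Check Content above; it is not part of the SRG and not DISA's code. It shows an assertion generator that refuses to mint a token unless the IdP has already authenticated the session, stamps the assertion with issuer, subject, audience, roles, scope, bounded lifetime and an audit record, and a relying-party verifier that rejects a forged subject, an expired assertion, and an assertion aimed at another audience. The issuer and audience URLs, the 300-second lifetime, the session table and the HMAC key are all constructed for the example; a production IdP signs with an asymmetric key so relying parties hold no secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed policy values for this example (not from the SRG). A real deployment
# takes issuer, audience and maximum lifetime from the IdP's configuration.
ISSUER = "https://idp.example.test"
AUDIENCE = "https://api.example.test"
MAX_LIFETIME_SECONDS = 300
# Constructed HS256 key so the example runs offline. Production assertions are
# signed with the IdP's private key (RS256/ES256) so relying parties need no secret.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"

# Constructed identity source: only principals the IdP has already authenticated
# appear here. The generator never authenticates anyone itself.
AUTHENTICATED_SESSIONS = {
    "sess-1": {"sub": "alice", "roles": ["reader"], "scope": "read", "amr": ["mfa"]},
}
AUDIT_LOG = []  # issuance and refusal records of the kind the check reviews


class AssertionRefused(Exception):
    """Raised when the caller is not an authenticated, authorized entity."""


class AssertionInvalid(Exception):
    """Raised by the relying party when an assertion fails verification."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())


def generate_assertion(session_id: str, now: Optional[int] = None) -> str:
    """Issue a signed JWT only for a session the IdP has already authenticated."""
    session = AUTHENTICATED_SESSIONS.get(session_id)
    if session is None:
        AUDIT_LOG.append({"event": "assertion_refused", "session": session_id})
        raise AssertionRefused("no authenticated session for %r" % session_id)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": session["sub"], "aud": AUDIENCE,
        "iat": now, "exp": now + MAX_LIFETIME_SECONDS,   # lifetime bounded by policy
        "roles": session["roles"], "scope": session["scope"],
        "amr": session["amr"],                            # how the subject authenticated
    }
    h, c = _encode(header), _encode(claims)
    AUDIT_LOG.append({"event": "assertion_issued", "sub": session["sub"], "exp": claims["exp"]})
    return "%s.%s.%s" % (h, c, _sign("%s.%s" % (h, c)))


def verify_assertion(token: str, expected_aud: str = AUDIENCE,
                     now: Optional[int] = None) -> dict:
    """Relying-party side: accept only a signed, in-date assertion meant for us."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AssertionInvalid("malformed token")
    h_b64, c_b64, sig = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise AssertionInvalid("unexpected alg")   # refuses alg=none / algorithm confusion
    if not hmac.compare_digest(_sign("%s.%s" % (h_b64, c_b64)), sig):
        raise AssertionInvalid("signature check failed")
    claims = json.loads(_b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise AssertionInvalid("untrusted issuer")
    if claims.get("aud") != expected_aud:
        raise AssertionInvalid("assertion not intended for this audience")
    if "sub" not in claims or now >= claims.get("exp", 0):
        raise AssertionInvalid("expired or missing subject")
    if claims["exp"] - claims.get("iat", claims["exp"]) > MAX_LIFETIME_SECONDS:
        raise AssertionInvalid("lifetime exceeds policy")
    return claims


def forge_subject(token: str, new_sub: str) -> str:
    """Constructed attack for the demo: rewrite 'sub' but keep the original signature."""
    h_b64, c_b64, sig = token.split(".")
    claims = json.loads(_b64url_decode(c_b64))
    claims["sub"] = new_sub
    return "%s.%s.%s" % (h_b64, _encode(claims), sig)


def outcome(fn, *args, **kwargs) -> str:
    """'accepted', or the name of the exception a refusal or rejection raised."""
    try:
        fn(*args, **kwargs)
        return "accepted"
    except (AssertionRefused, AssertionInvalid) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = generate_assertion("sess-1", now=t0)
    print(verify_assertion(tok, now=t0)["sub"])
    print(outcome(generate_assertion, "sess-unknown"))
    print(outcome(verify_assertion, forge_subject(tok, "mallory"), now=t0))
    print(outcome(verify_assertion, tok, now=t0 + 301))
```

When auditing against this check, the points to map onto a real API are the ones this example makes explicit: the generator consults an already-authenticated session rather than credentials, every issued and refused assertion leaves an audit record, and the verifier pins the algorithm, checks the signature before reading any claim, and enforces issuer, audience and lifetime.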
Additional Identifiers
Rule ID: SV-274841r1143884_rule
Vulnerability ID: V-274841
Group Title: SRG-APP-000975
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
| CCI-005158 | Assertions are generated in accordance with organization-defined identification and authentication policy. |