---
title: Supported standards
description: AM implements the following RFCs, Internet-Drafts, and standards:
component: pingam
version: 8.1
page_id: pingam:am-reference:am-supported-standards
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-reference/am-supported-standards.html
keywords: ["Standards", "Federation", "SAML 2.0", "OAuth 2.0", "OpenID Connect (OIDC)"]
page_aliases: ["reference:am-supported-standards.adoc"]
---

# Supported standards

AM implements the following RFCs, Internet-Drafts, and standards:

> **Open Authentication**
>
> [RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm](https://www.rfc-editor.org/info/rfc4226), supported by the OATH authentication nodes.
>
> [RFC 6238: TOTP: Time-Based One-Time Password Algorithm](https://www.rfc-editor.org/info/rfc6238), supported by the OATH authentication nodes.
>
> For more information, refer to [Open Authentication](https://en.wikipedia.org/wiki/Initiative_for_Open_Authentication).

> **OAuth 2.0**
>
> [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/info/rfc6749)
>
> [RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/info/rfc6750)
>
> [RFC 7009: OAuth 2.0 Token Revocation](https://www.rfc-editor.org/info/rfc7009)
>
> [RFC 7515: JSON Web Signature (JWS)](https://www.rfc-editor.org/info/rfc7515)
>
> [RFC 7516: JSON Web Encryption (JWE)](https://www.rfc-editor.org/info/rfc7516)
>
> [RFC 7517: JSON Web Key (JWK)](https://www.rfc-editor.org/info/rfc7517)
>
> [RFC 7518: JSON Web Algorithms (JWA)](https://www.rfc-editor.org/info/rfc7518)
>
> [RFC 7519: JSON Web Token (JWT)](https://www.rfc-editor.org/info/rfc7519)
>
> [RFC 7522: Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://www.rfc-editor.org/info/rfc7522)
>
> [RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://www.rfc-editor.org/info/rfc7523)
>
> [RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol](https://www.rfc-editor.org/info/rfc7591)
>
> [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/info/rfc7636)
>
> [RFC 7662: OAuth 2.0 Token Introspection](https://www.rfc-editor.org/info/rfc7662)
>
> [RFC 7800: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)](https://www.rfc-editor.org/info/rfc7800)
>
> [RFC 8628: OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/info/rfc8628)
>
> [RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/info/rfc8705)
>
> [RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol](https://www.rfc-editor.org/info/rfc7592)
>
> [Internet-Draft: JWT Response for OAuth Token Introspection](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-introspection-response-03)
>
> [RFC 8693: OAuth 2.0 Token Exchange](https://www.rfc-editor.org/info/rfc8693) (Access token to access token, access token to ID token, ID token to ID token, and ID token to access token)
>
> [RFC 9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://www.rfc-editor.org/info/rfc9101)
>
> [RFC 9126: OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/info/rfc9126)
>
> For more information, see [OAuth 2.0](https://oauth.net/2/).

> **OpenID Connect 1.0**
>
> [OpenID Connect Core 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-core-1_0.html).
>
> In section 5.6 of this specification, AM supports *Normal Claims*. AM does not support the optional *Aggregated Claims* and *Distributed Claims* representations.
>
> [OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)
>
> AM applies the guidelines suggested by the OpenID [Financial-grade API (FAPI) Working Group](https://openid.net/wg/fapi/) to the implementation of CIBA, which shapes the support of CIBA in AM.
>
> **Implementation Decisions Applying to CIBA Support in AM**
>
> - AM only supports the CIBA "poll" mode, not the "push" or "ping" modes.
>
> - AM requires use of confidential clients for CIBA.
>
> - AM requires use of signed JSON web tokens (JWT) to pass parameters, using one of the following algorithms:
>
>   * `ES256` - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
>
>   * `PS256` - RSASSA-PSS using SHA-256.
>
> - Plain JSON or form parameters for CIBA-related data are not supported.
>
> [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
>
> [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
>
> [OpenID Connect Session Management 1.0 Draft 10](https://openid.net/specs/openid-connect-session-1_0-10.html)
>
> [OAuth 2.0 Multiple Response Type Encoding Practices](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
>
> [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
>
> [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm-wd-01.html)
>
> [OpenID Connect Back-Channel Logout 1.0 Draft 06](https://openid.net/specs/openid-connect-backchannel-1_0.html).
>
> AM currently only supports backchannel logout when acting as the provider.
>
> For more information, see:
>
> * [OpenID Connect 1.0](http://openid.net/connect/)
>
> * [OpenID Connect Basic Client Implementer's Guide 1.0](https://openid.net/specs/openid-connect-basic-1_0.html)
>
> * [OpenID Connect Implicit Client Implementer's Guide 1.0](https://openid.net/specs/openid-connect-implicit-1_0.html)

> **User-Managed Access (UMA) 2.0**
>
> [User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization](https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-08.html)
>
> [Federated Authorization for User-Managed Access (UMA) 2.0](https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-08.html)

> **Security Assertion Markup Language (SAML) and Federation-related standards**
>
> AM supports SAML 2.0, although WS-Federation functionality still creates assertions in SAML v1.x format.
>
> SAML Specifications are available from the [OASIS standards page](https://www.oasis-open.org/standards/).
>
> [Web Services Federation Language (WS-Federation)](https://en.wikipedia.org/wiki/WS-Federation)
>
> [Web Services Description Language (WSDL)](https://www.w3.org/TR/wsdl/)
>
> [eXtensible Access Control Markup Language (XACML)](https://wiki.oasis-open.org/xacml)
>
> For more information, see [Security Assertion Markup Language (SAML)](http://saml.xml.org/).

> **Encryption and signatures**
>
> Assertion encryption:
>
> [aes128-cbc](http://www.w3.org/2001/04/xmlenc#aes128-cbc)\
> [aes192-cbc](http://www.w3.org/2001/04/xmlenc#aes192-cbc)\
> [aes256-cbc](http://www.w3.org/2001/04/xmlenc#aes256-cbc)\
> [tripledes-cbc](http://www.w3.org/2001/04/xmlenc#tripledes-cbc)
>
> Assertion signatures:
>
> [rsa-sha1](http://www.w3.org/2000/09/xmldsig#rsa-sha1)\
> [rsa-sha256](http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)\
> [rsa-sha384](http://www.w3.org/2001/04/xmldsig-more#rsa-sha384)\
> [rsa-sha512](http://www.w3.org/2001/04/xmldsig-more#rsa-sha512)
>
> Query string signatures:
>
> [rsa-sha1](http://www.w3.org/2000/09/xmldsig#rsa-sha1)\
> [rsa-sha256](http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)\
> [rsa-sha384](http://www.w3.org/2001/04/xmldsig-more#rsa-sha384)\
> [rsa-sha512](http://www.w3.org/2001/04/xmldsig-more#rsa-sha512)\
> [ecdsa-sha1](http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1)\
> [ecdsa-sha256](http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256)\
> [ecdsa-sha384](http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384)\
> [ecdsa-sha512](http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512)
>
> [RFC 2898: PKCS #5: Password-Based Cryptography Specification Version 2.0](https://www.rfc-editor.org/info/rfc2898)
>
> [RFC 3394: Advanced Encryption Standard (AES) Key Wrap Algorithm](https://www.rfc-editor.org/info/rfc3394)
>
> [RFC 7518: JSON Web Algorithms (JWA)](https://www.rfc-editor.org/info/rfc7518)
>
> [Federal Information Processing Standard (FIPS) "Security Requirements for Cryptographic Modules"](https://www.nist.gov/publications/security-requirements-cryptographic-modules-includes-change-notices-1232002)

> **Other standards**
>
> [REST](https://en.wikipedia.org/wiki/REST)
>
> [Simple Object Access Protocol (SOAP)](http://www.w3.org/TR/soap/)
>
> [Recommendation E.164](https://www.itu.int/rec/T-REC-E.164/en), concerning Mobile Subscriber ISDN Numbers (MSISDN), supported for authentication.
>
> [RFC 2616: Hypertext Transfer Protocol — HTTP/1.1](https://www.rfc-editor.org/info/rfc2616).
>
> [RFC 2617: HTTP Authentication: Basic and Digest Access Authentication](https://www.rfc-editor.org/info/rfc2617), supported for authentication.
>
> [RFC 2865: Remote Authentication Dial In User Service (RADIUS)](https://www.rfc-editor.org/info/rfc2865), supported as an AM service.
>
> [RFC 4510: Lightweight Directory Access Protocol (LDAP)](https://www.rfc-editor.org/info/rfc4510), for authentication and when accessing datastores.
>
> [RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile](https://www.rfc-editor.org/info/rfc5280), supported for certificate-based authentication.
>
> [RFC 5646: Tags for Identifying Languages](https://www.rfc-editor.org/info/rfc5646).
>
> [RFC 5785: Defining Well-Known Uniform Resource Identifiers (URIs)](https://www.rfc-editor.org/info/rfc5785).
>
> [RFC 6265: HTTP State Management Mechanism](https://www.rfc-editor.org/info/rfc6265) regarding HTTP Cookies and `Set-Cookie` header fields.
>
> [RFC 7239: Forwarded HTTP Extension](https://www.rfc-editor.org/info/rfc7239).
>
> [Internet-Draft: Password Policy for LDAP Directories](https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-09) (draft 09).
