We have a SAML architecture where we (as the service provider/RP) allow the user to authenticate using their Microsoft account. The assertion is digitally signed by Microsoft (FAL1) and we have an encryption option as well (FAL2). According to NIST (https://pages.nist.gov/800-63-3/sp800-63-3.html),
FAL3: FAL3 requires the subscriber to present proof of possession of a cryptographic key referenced in the assertion along with the assertion itself. The assertion must be signed using approved cryptography and encrypted to the RP using approved cryptography.
What would be an example of such a cryptographic key? In particular, how would I get Azure's assertion to reference said key?
As per https://pages.nist.gov/800-63-3/sp800-63c.html#holderofkey,
I'm not familiar with Azure AD. Presumably there would be a way to pull the public key from the user's record and include that as a custom claim in the authentication assertion. Similarly, for symmetric keys, presumably there would be a way to retrieve the symmetric key from the user record, and then specify the fingerprint or keyID as a custom claim in the authentication assertion.
I'd start by looking here https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims or here https://learn.microsoft.com/en-us/azure/active-directory/develop/saml-claims-customization
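To make the answer above concrete, here is what the RP side of the holder-of-key step looks like once the IdP has been configured to emit a key reference as a custom claim. This is an added example, not code from the answer, from NIST, or from Microsoft. It assumes a hypothetical SAML attribute named `keyid` carrying the SHA-256 fingerprint of a symmetric key the RP already holds for that subscriber (the symmetric variant the answer mentions; an asymmetric key would work the same way with a signature over the challenge instead of an HMAC). The assertion, the key registry and the subscriber's key are all constructed for the example. The XML signature and decryption of the assertion (FAL1/FAL2) are assumed to have been verified by your SAML library before this code runs; only the FAL3 proof-of-possession step is shown.

```python
"""RP-side holder-of-key (FAL3) check with the key referenced by a custom
SAML attribute. Example code, not the original answer's or Microsoft's.
Assumes: hypothetical attribute name 'keyid', a symmetric key shared with the
subscriber, and that the assertion's signature/encryption were already verified."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def fingerprint(key: bytes) -> str:
    """Key identifier the IdP puts in the claim: SHA-256 of the secret (assumption)."""
    return hashlib.sha256(key).hexdigest()


# Constructed subscriber key registry: fingerprint -> shared secret held by the RP.
SUBSCRIBER_KEY = b"constructed-shared-secret-for-alice"
KEY_REGISTRY = {fingerprint(SUBSCRIBER_KEY): SUBSCRIBER_KEY}

# Constructed assertion (ds:Signature omitted; assumed verified upstream).
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="keyid">
      <saml:AttributeValue>{fingerprint(SUBSCRIBER_KEY)}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def referenced_key_id(assertion_xml: str, attr_name: str = "keyid") -> Optional[str]:
    """Return the key reference carried by the custom claim, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def new_challenge() -> bytes:
    """Fresh per-login nonce so a captured proof cannot be replayed."""
    return secrets.token_bytes(32)


def subscriber_prove(key: bytes, challenge: bytes, assertion_id: str) -> bytes:
    """Subscriber side: HMAC over the assertion ID and the RP's nonce, so the
    proof is bound to this specific assertion and this specific login."""
    return hmac.new(key, assertion_id.encode() + challenge, hashlib.sha256).digest()


def rp_verify(assertion_xml: str, challenge: bytes, proof: bytes) -> bool:
    """RP side: the assertion must reference a key we know, and the subscriber
    must prove possession of that key. Any missing piece fails closed."""
    root = ET.fromstring(assertion_xml)
    assertion_id = root.get("ID") or ""
    key_id = referenced_key_id(assertion_xml)
    if key_id is None:
        return False  # no key reference: cannot be FAL3, even if signed/encrypted
    key = KEY_REGISTRY.get(key_id)
    if key is None:
        return False  # reference to a key we do not hold for anyone
    expected = subscriber_prove(key, challenge, assertion_id)
    return hmac.compare_digest(expected, proof)


if __name__ == "__main__":
    challenge = new_challenge()
    proof = subscriber_prove(SUBSCRIBER_KEY, challenge, "_abc123")
    print("holder-of-key verified:", rp_verify(ASSERTION, challenge, proof))
```

The custom-claim route matches what the answer suggests and what the Azure claims-customization docs configure; the standards-defined alternative is a `saml:SubjectConfirmation` with `Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"` whose `SubjectConfirmationData` carries a `ds:KeyInfo`, which a SAML library can parse without a custom attribute. Either way the RP must refuse the assertion when the key reference is missing or unknown, and the proof must be bound to a fresh nonce and the assertion ID, as above.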