[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 RFC 7833

ABFAB                                                         J. Howlett
Internet-Draft                                                 JANET(UK)
Intended status: Informational                                S. Hartman
Expires: September 11, 2011                            Painless Security
                                                          March 10, 2011


                  A RADIUS Attribute for SAML Messages
                      draft-ietf-abfab-aaa-saml-01

Abstract

   This document defines the SAML-Message attribute for use with the
   RADIUS protocol.  This attribute is used for encapsulating Security
   Assertion Mark-up Language (SAML) messages.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 11, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Howlett & Hartman      Expires September 11, 2011               [Page 1]


Internet-Draft     An AAA Attribute for SAML Messages         March 2011


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  SAML Message Attribute  . . . . . . . . . . . . . . . . . . . . 3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     6.1.  Normative References  . . . . . . . . . . . . . . . . . . . 4
     6.2.  Informative References  . . . . . . . . . . . . . . . . . . 5









































Howlett & Hartman      Expires September 11, 2011               [Page 2]


Internet-Draft     An AAA Attribute for SAML Messages         March 2011


1.  Introduction

   The SAML-Message attribute has motivated by the requirements of the
   ABFAB architecture [I-D.lear-abfab-arch].  In this architecture, the
   attribute is used to convey Security Assertion Mark-up Language
   (SAML) messages between a SAML requester and responder.

   In the SAML model, the composition of such message exchanges with an
   underlying transport protocol is known as a SAML binding.  SAML
   already defines [OASIS.saml-bindings-2.0-os] a number of mainly HTTP-
   based bindings, principally (although by no means exclusively) for
   use with the SAML Web Browser Single Sign-On Profile
   [OASIS.saml-profiles-2.0-os].

   In the ABFAB architecture, AAA-based transport protocols are used to
   convey SAML messages.  This document defines a RADIUS attribute
   required for binding SAML to RADIUS [RFC2865] transport.  A draft
   document [1] exists that describes a proposed binding, but it has not
   yet been submitted to the OASIS Security Services Technical
   Committee.  This is pending conclusions on the following aspects of
   the ABFAB architecture:

   o  The use of the SAML attribute query at some arbitrary time after
      the initial EAP authentication exchange.

   o  The use of the SAML attribute query to obtain attributes for a
      principal from more than one attribute authority.

   o  Alignment with the Diameter ABFAB application
      [I-D.jones-diameter-abfab].

   This attribute is likely to be useful for other purposes besides
   ABFAB; an example of a potential application is SAML-based
   authorisation for network access.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  SAML Message Attribute

   This attribute contains a SAML [OASIS.saml-core-2.0-os] message.
   Where multiple SAML-Message attributes are included in a RADIUS
   message, the Message fields of these attributes are to be
   concatenated to form a single SAML message.




Howlett & Hartman      Expires September 11, 2011               [Page 3]


Internet-Draft     An AAA Attribute for SAML Messages         March 2011


   A summary of the SAML-Message format is shown below.  The fields are
   transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         SAML Message...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                    Figure 1

   Type:  TBD

   Length:  >=4

   Message:  The Message field is one or more octets containing a SAML
      message.  If larger than a single attribute, the SAML message data
      MUST be split on 253-octet boundaries over as many attributes as
      necessary.  The SAML message is reconstructed by concatenating the
      contents of all SAML-Message attributes.

4.  Security Considerations

   TODO

5.  IANA Considerations

   Assignments of additional enumerated values for the RADIUS attributes
   defined in this document are to be processed as described in
   [RFC3575], subject to the additional requirements of a published
   specification.

6.  References

6.1.  Normative References

   [RFC2119]                     Bradner, S., "Key words for use in RFCs
                                 to Indicate Requirement Levels",
                                 BCP 14, RFC 2119, March 1997.

   [RFC2865]                     Rigney, C., Willens, S., Rubens, A.,
                                 and W. Simpson, "Remote Authentication
                                 Dial In User Service (RADIUS)",
                                 RFC 2865, June 2000.

   [OASIS.saml-core-2.0-os]      Cantor, S., Kemp, J., Philpott, R., and
                                 E. Maler, "Assertions and Protocol for
                                 the OASIS Security Assertion Markup



Howlett & Hartman      Expires September 11, 2011               [Page 4]


Internet-Draft     An AAA Attribute for SAML Messages         March 2011


                                 Language (SAML) V2.0", OASIS
                                 Standard saml-core-2.0-os, March 2005.

   [RFC3575]                     Aboba, B., "IANA Considerations for
                                 RADIUS (Remote Authentication Dial In
                                 User Service)", RFC 3575, July 2003.

6.2.  Informative References

   [I-D.jones-diameter-abfab]    Jones, M. and H. Tschofenig, "The
                                 Diameter 'Application Bridging for
                                 Federated Access Beyond Web (ABFAB)'
                                 Application",
                                 draft-jones-diameter-abfab-00 (work in
                                 progress), March 2011.

   [I-D.lear-abfab-arch]         Howlett, J., Hartman, S., Tschofenig,
                                 H., and E. Lear, "Application Bridging
                                 for Federated Access Beyond Web (ABFAB)
                                 Architecture", draft-lear-abfab-arch-02
                                 (work in progress), March 2011.

   [OASIS.saml-bindings-2.0-os]  Cantor, S., Hirsch, F., Kemp, J.,
                                 Philpott, R., and E. Maler, "Bindings
                                 for the OASIS Security Assertion Markup
                                 Language (SAML) V2.0", OASIS
                                 Standard saml-bindings-2.0-os,
                                 March 2005.

   [OASIS.saml-profiles-2.0-os]  Hughes, J., Cantor, S., Hodges, J.,
                                 Hirsch, F., Mishra, P., Philpott, R.,
                                 and E. Maler, "Profiles for the OASIS
                                 Security Assertion Markup Language
                                 (SAML) V2.0", OASIS
                                 Standard OASIS.saml-profiles-2.0-os,
                                 March 2005.

URIs

   [1]  <http://www.project-moonshot.org/sites/default/files/
        sstc-saml-binding-aaa-draft-00.pdf>










Howlett & Hartman      Expires September 11, 2011               [Page 5]


Internet-Draft     An AAA Attribute for SAML Messages         March 2011


Authors' Addresses

   Josh Howlett
   JANET(UK)
   Lumen House, Library Avenue, Harwell
   Oxford  OX11 0SG
   UK

   Phone: +44 1235 822363
   EMail: Josh.Howlett@ja.net


   Sam Hartman
   Painless Security


   Phone:
   EMail: hartmans-ietf@mit.edu

































Howlett & Hartman      Expires September 11, 2011               [Page 6]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/