draft-ietf-kitten-sasl-saml-01.txt   draft-ietf-kitten-sasl-saml-02.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: April 25, 2011 Cisco Systems GmbH Expires: August 29, 2011 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
October 22, 2010 February 25, 2011
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-01.txt draft-ietf-kitten-sasl-saml-02.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2011. This Internet-Draft will expire on August 29, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 6, line 43 skipping to change at page 6, line 43
SASL mechanism, the IdP must remain untouched. The RP already has SASL mechanism, the IdP must remain untouched. The RP already has
some sort of session (probably a TCP connection) established with the some sort of session (probably a TCP connection) established with the
client. However, it may be necessary to redirect a SASL client to client. However, it may be necessary to redirect a SASL client to
another application or handler. This will be discussed below. The another application or handler. This will be discussed below. The
steps are shown from below: steps are shown from below:
1. The Relying Party or SASL server advertises support for the SASL 1. The Relying Party or SASL server advertises support for the SASL
SAML20 mechanism to the client SAML20 mechanism to the client
2. The client initiates a SASL authentication with SAML20 and sends 2. The client initiates a SASL authentication with SAML20 and sends
an IdP identity a domain
3. The Relying Party transmits an authentication request encoded 3. The Relying Party transmits an authentication request encoded
using a Universal Resource Identifier (URI) as described in RFC using a Universal Resource Identifier (URI) as described in RFC
3986 [RFC3986] and a redirect to the IdP 3986 [RFC3986] and a redirect to the IdP corresponding to the
domain
4. The SASL client now sends an empty response, as authentication 4. The SASL client now sends an empty response, as authentication
continues via the normal SAML flow. continues via the normal SAML flow.
5. At this point the SASL client MUST construct a URL containing the 5. At this point the SASL client MUST construct a URL containing the
content received in the previous message from the RP. This URL content received in the previous message from the RP. This URL
is transmitted to the IdP either by the SASL client application is transmitted to the IdP either by the SASL client application
or an appropriate handler, such as a browser. or an appropriate handler, such as a browser.
6. Next the client authenticates to the IdP. The manner in which 6. Next the client authenticates to the IdP. The manner in which
skipping to change at page 9, line 27 skipping to change at page 9, line 27
session initiation, it displays the name "SAML20" in the list of session initiation, it displays the name "SAML20" in the list of
supported SASL mechanisms. supported SASL mechanisms.
4.2. Initiation 4.2. Initiation
A client initiates a "SAML20" authentication with SASL by sending the A client initiates a "SAML20" authentication with SASL by sending the
GS2 header followed by the authentication identifier. The GS2 header GS2 header followed by the authentication identifier. The GS2 header
carries the optional authorization identity. carries the optional authorization identity.
initial-response = gs2-header Idp-Identifier initial-response = gs2-header Idp-Identifier
IdP-Identifier = Identifier ; IdP identifier IdP-Identifier = domain ; domain name with corresponding IdP
Identifier = URI ; IdP URI
The "gs2-header" is specified in [RFC5801], and it is used as The "gs2-header" is specified in [RFC5801], and it is used as
follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the
channel binding "gs2-cb-flag" field, see Section 5. The "gs2- channel binding "gs2-cb-flag" field, see Section 5. The "gs2-
authzid" carries the optional authorization identity. URI is authzid" carries the optional authorization identity. Domain name is
specified in [RFC3986]. specified in [RFC1035].
4.3. Server Redirect 4.3. Server Redirect
The SASL Server transmits a URI to the IdP that the user provided, The SASL Server transmits a URI to the IdP that corresponds to the
with a SAML authentication request in the form of a SAML assertion as domain the user provided, with a SAML authentication request in the
one of the parameters. form of a SAML assertion as one of the parameters. Note: The SASL
server may have a static mapping of domain to corresponding IdP or
alternatively a DNS-lookup mechanism could be envisioned, but that is
out-of-scope for this document
redirect-url = URI redirect-url = URI
As before, URI is specified in [RFC3986]. As before, URI is specified in [RFC3986].
4.4. Client Empty Response and other 4.4. Client Empty Response and other
The SASL client hands the URI it received from the server in the The SASL client hands the URI it received from the server in the
previous step to either a browser or other appropriate handler to previous step to either a browser or other appropriate handler to
continue authentication externally while sending an empty response to continue authentication externally while sending an empty response to
skipping to change at page 13, line 38 skipping to change at page 13, line 38
<stream:features> <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism> <mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism> <mechanism>PLAIN</mechanism>
<mechanism>SAML20</mechanism> <mechanism>SAML20</mechanism>
</mechanisms> </mechanisms>
</stream:features> </stream:features>
Step 4: Client selects an authentication mechanism and provides the Step 4: Client selects an authentication mechanism and provides the
initial client response: initial client response containing the BASE64 [RFC4648] encoded gs2-
header and domain:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'> <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'>
n,,https://saml.example.org</auth> biwsZXhhbXBsZS5vcmc</auth>
Step 5: Server sends a BASE64 [RFC4648] encoded challenge to client The decoded string is: n,,example.org
in the form of an HTTP Redirect to the SAML IdP with the SAML Step 5: Server sends a BASE64 encoded challenge to client in the form
Authentication Request as specified in the redirection url: of an HTTP Redirect to the SAML IdP corresponding to example.org
(https://saml.example.org) with the SAML Authentication Request as
specified in the redirection url:
aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx
dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli
M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U
QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5 QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5
dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5 dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5
TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE
UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy
TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx
skipping to change at page 19, line 16 skipping to change at page 19, line 16
C: . CAPABILITY C: . CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS S: * CAPABILITY IMAP4rev1 STARTTLS
S: . OK CAPABILITY Completed S: . OK CAPABILITY Completed
C: . STARTTLS C: . STARTTLS
S: . OK Begin TLS negotiation now S: . OK Begin TLS negotiation now
C: . CAPABILITY C: . CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=SAML20 S: * CAPABILITY IMAP4rev1 AUTH=SAML20
S: . OK CAPABILITY Completed S: . OK CAPABILITY Completed
C: . AUTHENTICATE SAML20 C: . AUTHENTICATE SAML20
S: + S: +
C: biwsaHR0cHM6Ly9zYW1sLmV4YW1wbGUub3Jn C: biwsZXhhbXBsZS5vcmc
S: + aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx S: + aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx
dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli
M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U
QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5 QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5
dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5 dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5
TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE
UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy
TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx
TU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUUxWQlBVMVFpRFFvZ0lDQWdRWE56 TU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUUxWQlBVMVFpRFFvZ0lDQWdRWE56
skipping to change at page 22, line 27 skipping to change at page 22, line 27
"Assertions and Protocol for the OASIS Security Assertion "Assertions and Protocol for the OASIS Security Assertion
Markup Language (SAML) V2.0", OASIS Standard saml-core- Markup Language (SAML) V2.0", OASIS Standard saml-core-
2.0-os, March 2005. 2.0-os, March 2005.
[OASIS.saml-profiles-2.0-os] [OASIS.saml-profiles-2.0-os]
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
P., Philpott, R., and E. Maler, "Profiles for the OASIS P., Philpott, R., and E. Maler, "Profiles for the OASIS
Security Assertion Markup Language (SAML) V2.0", OASIS Security Assertion Markup Language (SAML) V2.0", OASIS
Standard OASIS.saml-profiles-2.0-os, March 2005. Standard OASIS.saml-profiles-2.0-os, March 2005.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
skipping to change at page 25, line 9 skipping to change at page 25, line 9
Appendix A. Acknowledgments Appendix A. Acknowledgments
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan, Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan,
Stefan Plug and Hannes Tschofenig for their review and contributions. Stefan Plug and Hannes Tschofenig for their review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos
o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott
Cantor Cantor
o 01 Added authorization identity, added GSS-API specifics, added o 01 Added authorization identity, added GSS-API specifics, added
client supplied IdP client supplied IdP
o 00 Initial Revision. o 00 Initial Revision.
Authors' Addresses Authors' Addresses
 End of changes. 16 change blocks. 
20 lines changed or deleted 31 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/