draft-ietf-kitten-sasl-saml-02.txt   draft-ietf-kitten-sasl-saml-03.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: August 29, 2011 Cisco Systems GmbH Expires: December 17, 2011 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
February 25, 2011 June 15, 2011
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-02.txt draft-ietf-kitten-sasl-saml-03.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 29, 2011. This Internet-Draft will expire on December 17, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
3. Applicability for non-HTTP Use Cases . . . . . . . . . . . . . 6 1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
4. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9 2. Applicability for non-HTTP Use Cases . . . . . . . . . . . . . 5
4.1. Advertisement . . . . . . . . . . . . . . . . . . . . . . 9 3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 8
4.2. Initiation . . . . . . . . . . . . . . . . . . . . . . . . 9 3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 8
4.3. Server Redirect . . . . . . . . . . . . . . . . . . . . . 9 3.2. Authentication Request . . . . . . . . . . . . . . . . . . 8
4.4. Client Empty Response and other . . . . . . . . . . . . . 10 3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 9
4.5. Outcome and parameters . . . . . . . . . . . . . . . . . . 10 4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 10
5. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 11 4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 10
5.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 11 5. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 11
6. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 12 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
7.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19
8. Security Considerations . . . . . . . . . . . . . . . . . . . 20 7.1. Man in the middle and Tunneling Attacks . . . . . . . . . 19
8.1. Man in the middle and Tunneling Attacks . . . . . . . . . 20 7.2. Binding SAML subject identifiers to Authorization
8.2. Binding SAML subject identifiers to Authorization Identities . . . . . . . . . . . . . . . . . . . . . . . . 19
Identities . . . . . . . . . . . . . . . . . . . . . . . . 20 7.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 19
8.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 20 7.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 19
8.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 20 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 9.1. Normative References . . . . . . . . . . . . . . . . . . . 21
10.1. Normative References . . . . . . . . . . . . . . . . . . . 22 9.2. Informative References . . . . . . . . . . . . . . . . . . 22
10.2. Informative References . . . . . . . . . . . . . . . . . . 23 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 23
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 24 Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 24
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction 1. Introduction
Security Assertion Markup Language (SAML) 2.0 Security Assertion Markup Language (SAML) 2.0
[OASIS.saml-core-2.0-os] is a modular specification that provides [OASIS.saml-core-2.0-os] is a modular specification that provides
various means for a user to be identified to a relying party (RP) various means for a user to be identified to a relying party (RP)
through the exchange of (typically signed) assertions issued by an through the exchange of (typically signed) assertions issued by an
identity provider (IdP). It includes a number of protocols, protocol identity provider (IdP). It includes a number of protocols, protocol
bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
[OASIS.saml-profiles-2.0-os] designed for different use cases. [OASIS.saml-profiles-2.0-os] designed for different use cases.
Simple Authentication and Security Layer (SASL) [RFC4422] is a Simple Authentication and Security Layer (SASL) [RFC4422] is a
generalized mechanism for identifying and authenticating a user and generalized mechanism for identifying and authenticating a user and
for optionally negotiating a security layer for subsequent protocol for optionally negotiating a security layer for subsequent protocol
interactions. SASL is used by application protocols like IMAP interactions. SASL is used by application protocols like IMAP
[RFC3501] and XMPP [RFC3920]. The effect is to make modular [RFC3501], POP [RFC1939] and XMPP [RFC3920]. The effect is to make
authentication, so that newer authentication mechanisms can be added modular authentication, so that newer authentication mechanisms can
as needed. This memo specifies just such a mechanism. be added as needed. This memo specifies just such a mechanism.
The Generic Security Service Application Program Interface (GSS-API) The Generic Security Service Application Program Interface (GSS-API)
[RFC2743] provides a framework for applications to support multiple [RFC2743] provides a framework for applications to support multiple
authentication mechanisms through a unified programming interface. authentication mechanisms through a unified programming interface.
This document defines a pure SASL mechanism for SAML, but it conforms This document defines a pure SASL mechanism for SAML, but it conforms
to the new bridge between SASL and the GSS-API called GS2 [RFC5801]. to the new bridge between SASL and the GSS-API called GS2 [RFC5801].
This means that this document defines both a SASL mechanism and a This means that this document defines both a SASL mechanism and a
GSS-API mechanism. We want to point out that the GSS-API interface GSS-API mechanism. We want to point out that the GSS-API interface
is optional for SASL implementers, and the GSS-API considerations can is optional for SASL implementers, and the GSS-API considerations can
be avoided in environments that uses SASL directly without GSS-API. be avoided in environments that uses SASL directly without GSS-API.
As currently envisioned, this mechanism is to allow the interworking As currently envisioned, this mechanism is to allow the interworking
between SASL and SAML in order to assert identity and other between SASL and SAML in order to assert identity and other
attributes to relying parties. As such, while servers (as relying attributes to relying parties. As such, while servers (as relying
parties) will advertise SASL mechanisms (including SAML), clients parties) will advertise SASL mechanisms (including SAML), clients
will select the SAML SASL mechanism as their SASL mechanism of will select the SAML SASL mechanism as their SASL mechanism of
choice. choice.
The SAML mechanism described in this memo aims to re-use the The SAML mechanism described in this memo aims to re-use the Web
available SAML deployment to a maximum extent and therefore does not Browser SSO profile defined in section 3.1 of
establish a separate authentication, integrity and confidentiality [OASIS.saml-profiles-2.0-os] to a maximum extent and therefore does
mechanism. The mechanisms assumes a security layer, such as not establish a separate authentication, integrity and
Transport Layer Security (TLS), to protect against some attacks. confidentiality mechanism. The mechanisms assumes a security layer,
such as Transport Layer Security (TLS [RFC5246]), will continued to
be used. This specification is appropriate for use when a browser is
available.
Figure 1 describes the interworking between SAML and SASL: this Figure 1 describes the interworking between SAML and SASL: this
document requires enhancements to the Relying Party and to the Client document requires enhancements to the Relying Party and to the Client
(as the two SASL communication end points) but no changes to the SAML (as the two SASL communication end points) but no changes to the SAML
Identity Provider are necessary. To accomplish this goal some Identity Provider are necessary. To accomplish this goal some
indirect messaging is tunneled within SASL, and some use of external indirect messaging is tunneled within SASL, and some use of external
methods is made. methods is made.
+-----------+ +-----------+
| | | |
skipping to change at page 5, line 5 skipping to change at page 4, line 31
</ +--|--+ </ +--|--+
+------------+ v +------------+ v
| | +----------+ | | +----------+
| SAML | HTTPs | | | SAML | HTTPs | |
| Identity |<--------------->| Client | | Identity |<--------------->| Client |
| Provider | | | | Provider | | |
+------------+ +----------+ +------------+ +----------+
Figure 1: Interworking Architecture Figure 1: Interworking Architecture
2. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
The reader is assumed to be familiar with the terms used in the SAML The reader is assumed to be familiar with the terms used in the SAML
2.0 specification. 2.0 specification.
3. Applicability for non-HTTP Use Cases 1.2. Applicability
Applicability Because this mechanism transports information that
should not be controlled by an attacker, the SAML mechanism MUST only
be used over channels protected by TLS, and the client MUST
successfully validate the server certificate, or similar integrity
protected and authenticated channels. [RFC5280][RFC6125]
2. Applicability for non-HTTP Use Cases
While SAML itself is merely a markup language, its common use case While SAML itself is merely a markup language, its common use case
these days is with HTTP. What follows is a typical flow: these days is with HTTP [RFC2616] and HTML
[W3C.REC-html401-19991224]. What follows is a typical flow:
1. The browser requests a resource of a Relying Party (RP) (via an 1. The browser requests a resource of a Relying Party (RP) (via an
HTTP request). HTTP request).
2. The RP sends an HTTP redirect as described in Section 10.3 of 2. The RP sends an HTTP redirect as described in Section 10.3 of
[RFC2616] to the browser to the Identity Provider (IdP) or an IdP [RFC2616] to the browser to the Identity Provider (IdP) or an IdP
discovery service with an authentication request that contains discovery service with an authentication request that contains
the name of resource being requested, some sort of a cookie and a the name of resource being requested, some sort of a cookie and a
return URL, return URL [RFC1738],
3. The user authenticates to the IdP and perhaps authorizes the 3. The user authenticates to the IdP and perhaps authorizes the
authentication to the service provider. authentication to the service provider.
4. In its authentication response, the IdP redirects the browser 4. In its authentication response, the IdP redirects (via an HTTP
back to the RP with an authentication assertion (stating that the redirect) the browser back to the RP with an authentication
IdP vouches that the subject has successfully authenticated), assertion (stating that the IdP vouches that the subject has
optionally along with some additional attributes. successfully authenticated), optionally along with some
additional attributes.
5. RP now has sufficient identity information to approve access to 5. RP now has sufficient identity information to approve access to
the resource or not, and acts accordingly. The authentication is the resource or not, and acts accordingly. The authentication is
concluded. concluded.
When considering this flow in the context of SASL, we note that while When considering this flow in the context of SASL, we note that while
the RP and the client both must change their code to implement this the RP and the client both must change their code to implement this
SASL mechanism, the IdP must remain untouched. The RP already has SASL mechanism, the IdP must remain untouched. The RP already has
some sort of session (probably a TCP connection) established with the some sort of session (probably a TCP connection) established with the
client. However, it may be necessary to redirect a SASL client to client. However, it may be necessary to redirect a SASL client to
skipping to change at page 6, line 47 skipping to change at page 5, line 49
steps are shown from below: steps are shown from below:
1. The Relying Party or SASL server advertises support for the SASL 1. The Relying Party or SASL server advertises support for the SASL
SAML20 mechanism to the client SAML20 mechanism to the client
2. The client initiates a SASL authentication with SAML20 and sends 2. The client initiates a SASL authentication with SAML20 and sends
a domain a domain
3. The Relying Party transmits an authentication request encoded 3. The Relying Party transmits an authentication request encoded
using a Universal Resource Identifier (URI) as described in RFC using a Universal Resource Identifier (URI) as described in RFC
3986 [RFC3986] and a redirect to the IdP corresponding to the 3986 [RFC3986] and an HTTP redirect to the IdP corresponding to
domain the domain
4. The SASL client now sends an empty response, as authentication 4. The SASL client now sends an empty response, as authentication
continues via the normal SAML flow. continues via the normal SAML flow.
5. At this point the SASL client MUST construct a URL containing the 5. At this point the SASL client MUST construct a URL containing the
content received in the previous message from the RP. This URL content received in the previous message from the RP. This URL
is transmitted to the IdP either by the SASL client application is transmitted to the IdP either by the SASL client application
or an appropriate handler, such as a browser. or an appropriate handler, such as a browser.
6. Next the client authenticates to the IdP. The manner in which 6. Next the client authenticates to the IdP. The manner in which
skipping to change at page 7, line 25 skipping to change at page 6, line 28
7. The IdP will convey information about the success or failure of 7. The IdP will convey information about the success or failure of
the authentication back to the the RP in the form of an the authentication back to the the RP in the form of an
Authentication Statement or failure, using a indirect response Authentication Statement or failure, using a indirect response
via the client browser or the handler. This step happens out of via the client browser or the handler. This step happens out of
band from SASL. band from SASL.
8. The SASL Server sends an appropriate SASL response to the client, 8. The SASL Server sends an appropriate SASL response to the client,
along with an optional list of attributes along with an optional list of attributes
Please note: What is described here is the case in which the client Please note: What is described here is the case in which the client
has not previously authenticated. If the client can handle SAML has not previously authenticated. It is possible that the client
internally it is possible that the client already holds a valid SAML already holds a valid SAML authentication token so that the user does
authentication token so that the user does not need to be involved in not need to be involved in the process anymore, but that would still
the process anymore, but that would still be external to SASL. be external to SASL. This is classic Web Single Sign-On, in which
the Web Browser client presents the authentication token (cookie) to
the RP without renewed user authentication at the IdP.
With all of this in mind, the flow appears as follows: With all of this in mind, the flow appears as follows:
SASL Serv. Client IdP SASL Serv. Client IdP
|>-----(1)----->| | Advertisement |>-----(1)----->| | Advertisement
| | | | | |
|<-----(2)-----<| | Initiation |<-----(2)-----<| | Initiation
| | | | | |
|>-----(3)----->| | Authentication Request |>-----(3)----->| | Authentication Request
| | | | | |
skipping to change at page 9, line 5 skipping to change at page 8, line 5
| | | | | |
|>-----(6)----->| | SASL completion with |>-----(6)----->| | SASL completion with
| | | status | | | status
| | | | | |
----- = SASL ----- = SASL
- - - = HTTP or HTTPs (external to SASL) - - - = HTTP or HTTPs (external to SASL)
Figure 2: Authentication flow Figure 2: Authentication flow
4. SAML SASL Mechanism Specification 3. SAML SASL Mechanism Specification
Based on the previous figure, the following operations are performed This section specifies the details of the SAML SASL mechanism.
with the SAML SASL mechanism. Recall section 5 of [RFC4422] for what needs to be described here.
The mechanism is "client first" as discussed in section 3 of The name of this mechanism "SAML20". The mechanism is capable of
[RFC4422] which means that the initial server challenge will be empty transferring an authorization identity (via "gs2-header"). The
if the protocol does not support an initial client response. mechanism does not offer a security layer.
4.1. Advertisement The mechanism is client-first. The first mechanism message from the
client to the server is the "initial-response" described below. As
described in [RFC4422], if the application protocol does not support
sending a client-response together with the authentication request,
the server will send an empty server-challenge to let the client
begin.
To advertise that a server supports SAML 2.0, during application The second mechanism message is from the server to the client, the
session initiation, it displays the name "SAML20" in the list of "authentication-request" described below.
supported SASL mechanisms.
4.2. Initiation The third mechanism message is from client to the server, and is the
fixed message consisting of "=".
The fourth mechanism message is from the server to the client,
indicating the SASL mechanism outcome described below.
3.1. Initial Response
A client initiates a "SAML20" authentication with SASL by sending the A client initiates a "SAML20" authentication with SASL by sending the
GS2 header followed by the authentication identifier. The GS2 header GS2 header followed by the authentication identifier. The GS2 header
carries the optional authorization identity. carries the optional authorization identity.
initial-response = gs2-header Idp-Identifier initial-response = gs2-header Idp-Identifier
IdP-Identifier = domain ; domain name with corresponding IdP IdP-Identifier = domain ; domain name with corresponding IdP
The "gs2-header" is specified in [RFC5801], and it is used as The "gs2-header" is specified in [RFC5801], and it is used as
follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the
channel binding "gs2-cb-flag" field, see Section 5. The "gs2- channel binding "gs2-cb-flag" field, see Section 5. The "gs2-
authzid" carries the optional authorization identity. Domain name is authzid" carries the optional authorization identity. Domain name is
specified in [RFC1035]. specified in [RFC1035].
4.3. Server Redirect 3.2. Authentication Request
The SASL Server transmits a URI to the IdP that corresponds to the The SASL Server transmits a redirect URI to the IdP that corresponds
domain the user provided, with a SAML authentication request in the to the domain the user provided, with a SAML authentication request
form of a SAML assertion as one of the parameters. Note: The SASL as one of the parameters. Note: The SASL server may have a static
server may have a static mapping of domain to corresponding IdP or mapping of domain to corresponding IdP or alternatively a DNS-lookup
alternatively a DNS-lookup mechanism could be envisioned, but that is mechanism could be envisioned, but that is out-of-scope for this
out-of-scope for this document document
redirect-url = URI authentication-request = URI
As before, URI is specified in [RFC3986]. URI is specified in [RFC3986] and is encoded according to Section 3.4
(HTTP Redirect) of the SAML bindings 2.0 specification
[OASIS.saml-bindings-2.0-os]. The SAML authentication request is
encoded according to Section 3.4 (Authentication Request) of the SAML
core 2.0 specification [OASIS.saml-core-2.0-os].
4.4. Client Empty Response and other The client now sends the authentication request via an HTTP GET to
the IdP, as if redirected to do so from an HTTP server and in
accordance with the Web Browser SSO profile, described in section 3.1
of [OASIS.saml-profiles-2.0-os]
The SASL client hands the URI it received from the server in the The client MUST handle both user authentication to the IdP and
previous step to either a browser or other appropriate handler to confirmation or rejection of the authentiation of the RP.
continue authentication externally while sending an empty response to
the SASL server. The URI is encoded according to Section 3.4 of the
SAML bindings 2.0 specification [OASIS.saml-bindings-2.0-os].
empty-response = "" After all authentication has been completed by the IdP, and after the
response has been sent to the client, the client will relay the
response to the Relying Party via HTTP(S), as specified in the
authentication request ("AssertionConsumerServiceURL").
4.5. Outcome and parameters Please note: this means that the SASL server needs to implement a
SAML Relying Party. Also, the RP needs to correlate the TCP session
from the SASL client with the SAML authentication.
The SAML authentication having completed externally, the SASL server 3.3. Outcome and parameters
will transmit the outcome of the authentication exchange as success
or failure.
5. SAML GSS-API Mechanism Specification The Relying Party now validates the response it received from the
client via HTTP or HTTPS, as specified in the SAML specification
The response by the Relying Party constitutes a SASL mechanism
outcome, and SHALL be used to set state in the server accordingly,
and it shall be used by the server to report that state to the SASL
client as described in [RFC4422] Section 3.6.
4. SAML GSS-API Mechanism Specification
This section and its sub-sections and all normative references of it This section and its sub-sections and all normative references of it
not referenced elsewhere in this document are INFORMATIONAL for SASL not referenced elsewhere in this document are INFORMATIONAL for SASL
implementors, but they are NORMATIVE for GSS-API implementors. implementors, but they are NORMATIVE for GSS-API implementors.
The SAML SASL mechanism is actually also a GSS-API mechanism. The The SAML SASL mechanism is actually also a GSS-API mechanism. The
messages are the same, but messages are the same, but
a) the GS2 header on the client's first message and channel binding a) the GS2 header on the client's first message and channel binding
data is excluded when SAML is used as a GSS-API mechanism, and data is excluded when SAML is used as a GSS-API mechanism, and
skipping to change at page 11, line 27 skipping to change at page 10, line 27
b) the RFC2743 section 3.1 initial context token header is prefixed b) the RFC2743 section 3.1 initial context token header is prefixed
to the client's first authentication message (context token). to the client's first authentication message (context token).
The GSS-API mechanism OID for SAML is 1.3.6.1.4.1.11591.4.8. The GSS-API mechanism OID for SAML is 1.3.6.1.4.1.11591.4.8.
SAML20 security contexts always have the mutual_state flag SAML20 security contexts always have the mutual_state flag
(GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential (GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential
delegation, therefore SAML security contexts alway have the delegation, therefore SAML security contexts alway have the
deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE. deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE.
The mutual authentication property of this mechanism relies on
successfully comparing the TLS server identity with the negotiated
target name. Since the TLS channel is managed by the application
outside of the GSS-API mechanism, the mechanism itself is unable to
confirm the name while the application is able to perform this
comparison for the mechanism. For this reason, applications MUST
match the TLS server identity with the target name, as discussed in
[RFC6125].
The SAML mechanism does not support per-message tokens or The SAML mechanism does not support per-message tokens or
GSS_Pseudo_random. GSS_Pseudo_random.
Note that the GSS-API mechanism MUST only be used by the client when 4.1. GSS-API Principal Name Types for SAML
a secure channel with server authentication (e.g., TLS) is available.
5.1. GSS-API Principal Name Types for SAML
SAML supports standard generic name syntaxes for acceptors such as SAML supports standard generic name syntaxes for acceptors such as
GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). SAML GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). SAML
supports only a single name type for initiators: GSS_C_NT_USER_NAME. supports only a single name type for initiators: GSS_C_NT_USER_NAME.
GSS_C_NT_USER_NAME is the default name type for SAML. The query, GSS_C_NT_USER_NAME is the default name type for SAML. The query,
display, and exported name syntaxes for SAML principal names are all display, and exported name syntaxes for SAML principal names are all
the same. There are no SAML-specific name syntaxes -- applications the same. There are no SAML-specific name syntaxes -- applications
should use generic GSS-API name types such as GSS_C_NT_USER_NAME and should use generic GSS-API name types such as GSS_C_NT_USER_NAME and
GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported
name token does, of course, conform to [RFC2743], Section 3.2. name token does, of course, conform to [RFC2743], Section 3.2.
6. Channel Binding 5. Channel Binding
The "gs2-cb-flag" MUST use "n" because channel binding data cannot be The "gs2-cb-flag" MUST use "n" because channel binding data cannot be
integrity protected by the SAML negotiation. FIXME: Transfer channel integrity protected by the SAML negotiation.
binding in SAML assertion?
7. Examples Note: In theory channel binding data could be inserted in the SAML
flow by the client and verified by the server, but that is currently
not supported in SAML.
7.1. XMPP 6. Examples
6.1. XMPP
Suppose the user has an identity at the SAML IdP saml.example.org and Suppose the user has an identity at the SAML IdP saml.example.org and
a Jabber Identifier (JID) "somenode@example.com", and wishes to a Jabber Identifier (JID) "somenode@example.com", and wishes to
authenticate his XMPP connection to xmpp.example.com. The authenticate his XMPP connection to xmpp.example.com. The
authentication on the wire would then look something like the authentication on the wire would then look something like the
following: following:
Step 1: Client initiates stream to server: Step 1: Client initiates stream to server:
<stream:stream xmlns='jabber:client' <stream:stream xmlns='jabber:client'
skipping to change at page 16, line 28 skipping to change at page 15, line 28
<samlp:RequestedAuthnContext <samlp:RequestedAuthnContext
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"> Comparison="exact">
<saml:AuthnContextClassRef <saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef> </saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext> </samlp:RequestedAuthnContext>
</samlp:AuthnRequest> </samlp:AuthnRequest>
Note: the server can use the request ID
(_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL
session with the SAML authentication.
Step 5 (alt): Server returns error to client: Step 5 (alt): Server returns error to client:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<incorrect-encoding/> <incorrect-encoding/>
</failure> </failure>
</stream:stream> </stream:stream>
Step 6: Client sends a BASE64 encoded empty response to the Step 6: Client sends a BASE64 encoded empty response to the
challenge: challenge:
skipping to change at page 18, line 17 skipping to change at page 17, line 21
Step 11: Server informs client of successful resource binding: Step 11: Server informs client of successful resource binding:
<iq type='result' id='bind_1'> <iq type='result' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>somenode@example.com/someresource</jid> <jid>somenode@example.com/someresource</jid>
</bind> </bind>
</iq> </iq>
Please note: line breaks were added to the base64 for clarity. Please note: line breaks were added to the base64 for clarity.
7.2. IMAP 6.2. IMAP
The following describes an IMAP exchange. Lines beginning with 'S:' The following describes an IMAP exchange. Lines beginning with 'S:'
indicate data sent by the server, and lines starting with 'C:' indicate data sent by the server, and lines starting with 'C:'
indicate data sent by the client. Long lines are wrapped for indicate data sent by the client. Long lines are wrapped for
readability. readability.
S: * OK IMAP4rev1 S: * OK IMAP4rev1
C: . CAPABILITY C: . CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS S: * CAPABILITY IMAP4rev1 STARTTLS
S: . OK CAPABILITY Completed S: . OK CAPABILITY Completed
skipping to change at page 20, line 5 skipping to change at page 19, line 5
MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t
RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN
NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5 NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5
YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi
MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX
UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW
bGMzUSs= bGMzUSs=
C: C:
S: . OK Success (tls protection) S: . OK Success (tls protection)
8. Security Considerations 7. Security Considerations
This section will address only security considerations associated This section will address only security considerations associated
with the use of SAML with SASL applications. For considerations with the use of SAML with SASL applications. For considerations
relating to SAML in general, the reader is referred to the SAML relating to SAML in general, the reader is referred to the SAML
specification and to other literature. Similarly, for general SASL specification and to other literature. Similarly, for general SASL
Security Considerations, the reader is referred to that Security Considerations, the reader is referred to that
specification. specification.
8.1. Man in the middle and Tunneling Attacks 7.1. Man in the middle and Tunneling Attacks
This mechanism is vulnerable to man in the middle and tunneling This mechanism is vulnerable to man in the middle and tunneling
attacks unless a client always verify the server identity before attacks unless a client always verify the server identity before
proceeding with authentication. Typically TLS is used to provide a proceeding with authentication (see [RFC6125]). Typically TLS is
secure channel with server authentication. used to provide a secure channel with server authentication.
8.2. Binding SAML subject identifiers to Authorization Identities 7.2. Binding SAML subject identifiers to Authorization Identities
As specified in [RFC4422], the server is responsible for binding As specified in [RFC4422], the server is responsible for binding
credentials to a specific authorization identity. It is therefore credentials to a specific authorization identity. It is therefore
necessary that only specific trusted IdPs be allowed. This is necessary that only specific trusted IdPs be allowed. This is
typical part of SAML trust establishment between RP's and IdP. typical part of SAML trust establishment between RP's and IdP.
8.3. User Privacy 7.3. User Privacy
The IdP is aware of each RP that a user logs into. There is nothing The IdP is aware of each RP that a user logs into. There is nothing
in the protocol to hide this information from the IdP. It is not a in the protocol to hide this information from the IdP. It is not a
requirement to track the visits, but there is nothing that prohibits requirement to track the visits, but there is nothing that prohibits
the collection of information. SASL servers should be aware that the collection of information. SASL servers should be aware that
SAML IdPs will track - to some extent - user access to their SAML IdPs will track - to some extent - user access to their
services. services.
8.4. Collusion between RPs 7.4. Collusion between RPs
It is possible for RPs to link data that they have collected on you. It is possible for RPs to link data that they have collected on you.
By using the same identifier to log into every RP, collusion between By using the same identifier to log into every RP, collusion between
RPs is possible. In SAML, targeted identity was introduced. RPs is possible. In SAML, targeted identity was introduced.
Targeted identity allows the IdP to transform the identifier the user Targeted identity allows the IdP to transform the identifier the user
typed in to an opaque identifier. This way the RP would never see typed in to an opaque identifier. This way the RP would never see
the actual user identifier, but a randomly generated identifier. the actual user identifier, but a randomly generated identifier.
This is an option the user has to understand and decide to use if the This is an option the user has to understand and decide to use if the
IdP is supporting it. IdP is supporting it.
9. IANA Considerations 8. IANA Considerations
The IANA is requested to register the following SASL profile: The IANA is requested to register the following SASL profile:
SASL mechanism profile: SAML20 SASL mechanism profile: SAML20
Security Considerations: See this document Security Considerations: See this document
Published Specification: See this document Published Specification: See this document
For further information: Contact the authors of this document. For further information: Contact the authors of this document.
Owner/Change controller: the IETF Owner/Change controller: the IETF
Note: None Note: None
10. References 9. References
10.1. Normative References 9.1. Normative References
[OASIS.saml-bindings-2.0-os] [OASIS.saml-bindings-2.0-os]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Maler, "Bindings for the OASIS Security Assertion Markup Maler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS Language (SAML) V2.0", OASIS
Standard saml-bindings-2.0-os, March 2005. Standard saml-bindings-2.0-os, March 2005.
[OASIS.saml-core-2.0-os] [OASIS.saml-core-2.0-os]
Cantor, S., Kemp, J., Philpott, R., and E. Maler, Cantor, S., Kemp, J., Philpott, R., and E. Maler,
"Assertions and Protocol for the OASIS Security Assertion "Assertions and Protocol for the OASIS Security Assertion
skipping to change at page 22, line 30 skipping to change at page 21, line 30
[OASIS.saml-profiles-2.0-os] [OASIS.saml-profiles-2.0-os]
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
P., Philpott, R., and E. Maler, "Profiles for the OASIS P., Philpott, R., and E. Maler, "Profiles for the OASIS
Security Assertion Markup Language (SAML) V2.0", OASIS Security Assertion Markup Language (SAML) V2.0", OASIS
Standard OASIS.saml-profiles-2.0-os, March 2005. Standard OASIS.saml-profiles-2.0-os, March 2005.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
Resource Locators (URL)", RFC 1738, December 1994.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API) Mechanisms Service Application Program Interface (GSS-API) Mechanisms
in Simple Authentication and Security Layer (SASL): The in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010. GS2 Mechanism Family", RFC 5801, July 2010.
10.2. Informative References [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011.
[W3C.REC-html401-19991224]
Hors, A., Jacobs, I., and D. Raggett, "HTML 4.01
Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999,
<http://www.w3.org/TR/1999/REC-html401-19991224>.
9.2. Informative References
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003. 4rev1", RFC 3501, March 2003.
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 3920, October 2004. Protocol (XMPP): Core", RFC 3920, October 2004.
Appendix A. Acknowledgments Appendix A. Acknowledgments
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan, Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan,
Stefan Plug and Hannes Tschofenig for their review and contributions. Stefan Plug and Hannes Tschofenig for their review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov
o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos
o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott
Cantor Cantor
o 01 Added authorization identity, added GSS-API specifics, added o 01 Added authorization identity, added GSS-API specifics, added
client supplied IdP client supplied IdP
o 00 Initial Revision. o 00 Initial Revision.
 End of changes. 52 change blocks. 
106 lines changed or deleted 188 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/