draft-ietf-kitten-sasl-saml-03.txt   draft-ietf-kitten-sasl-saml-04.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: December 17, 2011 Cisco Systems GmbH Expires: January 12, 2012 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
June 15, 2011 July 11, 2011
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-03.txt draft-ietf-kitten-sasl-saml-04.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 17, 2011. This Internet-Draft will expire on January 12, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 21 skipping to change at page 6, line 21
or an appropriate handler, such as a browser. or an appropriate handler, such as a browser.
6. Next the client authenticates to the IdP. The manner in which 6. Next the client authenticates to the IdP. The manner in which
the end user is authenticated to the IdP and any policies the end user is authenticated to the IdP and any policies
surrounding such authentication is out of scope for SAML and surrounding such authentication is out of scope for SAML and
hence for this draft. This step happens out of band from SASL. hence for this draft. This step happens out of band from SASL.
7. The IdP will convey information about the success or failure of 7. The IdP will convey information about the success or failure of
the authentication back to the the RP in the form of an the authentication back to the the RP in the form of an
Authentication Statement or failure, using a indirect response Authentication Statement or failure, using a indirect response
via the client browser or the handler. This step happens out of via the client browser or the handler (and with an external
band from SASL. browser client control should be passed back to the SASL client).
This step happens out of band from SASL.
8. The SASL Server sends an appropriate SASL response to the client, 8. The SASL Server sends an appropriate SASL response to the client,
along with an optional list of attributes along with an optional list of attributes
Please note: What is described here is the case in which the client Please note: What is described here is the case in which the client
has not previously authenticated. It is possible that the client has not previously authenticated. It is possible that the client
already holds a valid SAML authentication token so that the user does already holds a valid SAML authentication token so that the user does
not need to be involved in the process anymore, but that would still not need to be involved in the process anymore, but that would still
be external to SASL. This is classic Web Single Sign-On, in which be external to SASL. This is classic Web Single Sign-On, in which
the Web Browser client presents the authentication token (cookie) to the Web Browser client presents the authentication token (cookie) to
skipping to change at page 10, line 20 skipping to change at page 10, line 20
The SAML SASL mechanism is actually also a GSS-API mechanism. The The SAML SASL mechanism is actually also a GSS-API mechanism. The
messages are the same, but messages are the same, but
a) the GS2 header on the client's first message and channel binding a) the GS2 header on the client's first message and channel binding
data is excluded when SAML is used as a GSS-API mechanism, and data is excluded when SAML is used as a GSS-API mechanism, and
b) the RFC2743 section 3.1 initial context token header is prefixed b) the RFC2743 section 3.1 initial context token header is prefixed
to the client's first authentication message (context token). to the client's first authentication message (context token).
The GSS-API mechanism OID for SAML is 1.3.6.1.4.1.11591.4.8. The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see
IANA considerations).
SAML20 security contexts always have the mutual_state flag SAML20 security contexts always have the mutual_state flag
(GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential (GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential
delegation, therefore SAML security contexts alway have the delegation, therefore SAML security contexts alway have the
deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE. deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE.
The mutual authentication property of this mechanism relies on The mutual authentication property of this mechanism relies on
successfully comparing the TLS server identity with the negotiated successfully comparing the TLS server identity with the negotiated
target name. Since the TLS channel is managed by the application target name. Since the TLS channel is managed by the application
outside of the GSS-API mechanism, the mechanism itself is unable to outside of the GSS-API mechanism, the mechanism itself is unable to
skipping to change at page 21, line 5 skipping to change at page 20, line 21
Security Considerations: See this document Security Considerations: See this document
Published Specification: See this document Published Specification: See this document
For further information: Contact the authors of this document. For further information: Contact the authors of this document.
Owner/Change controller: the IETF Owner/Change controller: the IETF
Note: None Note: None
The IANA is further requested to assign an OID for this GSS mechanism
in the SMI numbers registry, with the prefix of
iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to
reference this specification in the registry.
9. References 9. References
9.1. Normative References 9.1. Normative References
[OASIS.saml-bindings-2.0-os] [OASIS.saml-bindings-2.0-os]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Maler, "Bindings for the OASIS Security Assertion Markup Maler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS Language (SAML) V2.0", OASIS
Standard saml-bindings-2.0-os, March 2005. Standard saml-bindings-2.0-os, March 2005.
skipping to change at page 22, line 26 skipping to change at page 22, line 26
in Simple Authentication and Security Layer (SASL): The in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010. GS2 Mechanism Family", RFC 5801, July 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[W3C.REC-html401-19991224] [W3C.REC-html401-19991224]
Hors, A., Jacobs, I., and D. Raggett, "HTML 4.01 Jacobs, I., Hors, A., and D. Raggett, "HTML 4.01
Specification", World Wide Web Consortium Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999, Recommendation REC-html401-19991224, December 1999,
<http://www.w3.org/TR/1999/REC-html401-19991224>. <http://www.w3.org/TR/1999/REC-html401-19991224>.
9.2. Informative References 9.2. Informative References
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996. STD 53, RFC 1939, May 1996.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003. 4rev1", RFC 3501, March 2003.
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 3920, October 2004. Protocol (XMPP): Core", RFC 3920, October 2004.
Appendix A. Acknowledgments Appendix A. Acknowledgments
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan, Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank
Stefan Plug and Hannes Tschofenig for their review and contributions. Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their
review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
o 04 Added request for IANA assignment, few text clarifications
o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov
o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos
o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott
Cantor Cantor
o 01 Added authorization identity, added GSS-API specifics, added o 01 Added authorization identity, added GSS-API specifics, added
client supplied IdP client supplied IdP
 End of changes. 10 change blocks. 
10 lines changed or deleted 20 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/