draft-ietf-kitten-sasl-saml-05.txt   draft-ietf-kitten-sasl-saml-06.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: May 3, 2012 Cisco Systems GmbH Expires: June 23, 2012 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
October 31, 2011 December 21, 2011
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-05.txt draft-ietf-kitten-sasl-saml-06.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2012. This Internet-Draft will expire on June 23, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 15
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
2. Applicability for non-HTTP Use Cases . . . . . . . . . . . . . 5 2. Authentication flow . . . . . . . . . . . . . . . . . . . . . 6
3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 8 3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9
3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 8 3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 9
3.2. Authentication Request . . . . . . . . . . . . . . . . . . 8 3.2. Authentication Request . . . . . . . . . . . . . . . . . . 9
3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 9 3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 10
4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 10 4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 12
4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 10 4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 12
5. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 11 5. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 14
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 6.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 6.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 7. Security Considerations . . . . . . . . . . . . . . . . . . . 22
7.1. Man in the middle and Tunneling Attacks . . . . . . . . . 19 7.1. Man in the middle and Tunneling Attacks . . . . . . . . . 22
7.2. Binding SAML subject identifiers to Authorization 7.2. Binding SAML subject identifiers to Authorization
Identities . . . . . . . . . . . . . . . . . . . . . . . . 19 Identities . . . . . . . . . . . . . . . . . . . . . . . . 22
7.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 19 7.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 22
7.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 19 7.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
9.1. Normative References . . . . . . . . . . . . . . . . . . . 21 9.1. Normative References . . . . . . . . . . . . . . . . . . . 24
9.2. Informative References . . . . . . . . . . . . . . . . . . 22 9.2. Informative References . . . . . . . . . . . . . . . . . . 25
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 23 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 26
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 24 Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction 1. Introduction
Security Assertion Markup Language (SAML) 2.0 Security Assertion Markup Language (SAML) 2.0
[OASIS.saml-core-2.0-os] is a modular specification that provides [OASIS.saml-core-2.0-os] is a modular specification that provides
various means for a user to be identified to a relying party (RP) various means for a user to be identified to a relying party (RP)
through the exchange of (typically signed) assertions issued by an through the exchange of (typically signed) assertions issued by an
identity provider (IdP). It includes a number of protocols, protocol identity provider (IdP). It includes a number of protocols, protocol
bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
[OASIS.saml-profiles-2.0-os] designed for different use cases. [OASIS.saml-profiles-2.0-os] designed for different use cases.
skipping to change at page 3, line 29 skipping to change at page 3, line 29
[RFC3501], POP [RFC1939] and XMPP [RFC6120]. The effect is to make [RFC3501], POP [RFC1939] and XMPP [RFC6120]. The effect is to make
modular authentication, so that newer authentication mechanisms can modular authentication, so that newer authentication mechanisms can
be added as needed. This memo specifies just such a mechanism. be added as needed. This memo specifies just such a mechanism.
The Generic Security Service Application Program Interface (GSS-API) The Generic Security Service Application Program Interface (GSS-API)
[RFC2743] provides a framework for applications to support multiple [RFC2743] provides a framework for applications to support multiple
authentication mechanisms through a unified programming interface. authentication mechanisms through a unified programming interface.
This document defines a pure SASL mechanism for SAML, but it conforms This document defines a pure SASL mechanism for SAML, but it conforms
to the new bridge between SASL and the GSS-API called GS2 [RFC5801]. to the new bridge between SASL and the GSS-API called GS2 [RFC5801].
This means that this document defines both a SASL mechanism and a This means that this document defines both a SASL mechanism and a
GSS-API mechanism. We want to point out that the GSS-API interface GSS-API mechanism. The GSS-API interface is OPTIONAL for SASL
is optional for SASL implementers, and the GSS-API considerations can implementers, and the GSS-API considerations can be avoided in
be avoided in environments that uses SASL directly without GSS-API. environments that use SASL directly without GSS-API.
As currently envisioned, this mechanism is to allow the interworking As currently envisioned, this mechanism is to allow the interworking
between SASL and SAML in order to assert identity and other between SASL and SAML in order to assert identity and other
attributes to relying parties. As such, while servers (as relying attributes to relying parties. As such, while servers (as relying
parties) will advertise SASL mechanisms (including SAML), clients parties) will advertise SASL mechanisms (including SAML), clients
will select the SAML SASL mechanism as their SASL mechanism of will select the SAML SASL mechanism as their SASL mechanism of
choice. choice.
The SAML mechanism described in this memo aims to re-use the Web The SAML mechanism described in this memo aims to re-use the Web
Browser SSO profile defined in section 3.1 of Browser SSO profile defined in section 3.1 of the SAML profiles 2.0
[OASIS.saml-profiles-2.0-os] to a maximum extent and therefore does specification [OASIS.saml-profiles-2.0-os] to the maximum extent and
not establish a separate authentication, integrity and therefore does not establish a separate authentication, integrity and
confidentiality mechanism. The mechanisms assumes a security layer, confidentiality mechanism. The mechanism assumes a security layer,
such as Transport Layer Security (TLS [RFC5246]), will continued to such as Transport Layer Security (TLS [RFC5246]), will continue to be
be used. This specification is appropriate for use when a browser is used. This specification is appropriate for use when a browser is
available. available.
Figure 1 describes the interworking between SAML and SASL: this Figure 1 describes the interworking between SAML and SASL: this
document requires enhancements to the Relying Party and to the Client document requires enhancements to the Relying Party (the SASL server)
(as the two SASL communication end points) but no changes to the SAML and to the Client, as the two SASL communication end points, but no
Identity Provider are necessary. To accomplish this goal some changes to the SAML Identity Provider are necessary. To accomplish
indirect messaging is tunneled within SASL, and some use of external this goal some indirect messaging is tunneled within SASL, and some
methods is made. use of external methods is made.
+-----------+ +-----------+
| | | |
>| Relying | >| Relying |
/ | Party | / | Party |
// | | // | |
// +-----------+ // +-----------+
SAML/ // ^ SAML/ // ^
HTTPs // +--|--+ HTTPs // +--|--+
// | S| | // | S| |
skipping to change at page 4, line 42 skipping to change at page 4, line 42
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
The reader is assumed to be familiar with the terms used in the SAML The reader is assumed to be familiar with the terms used in the SAML
2.0 specification. 2.0 specification.
1.2. Applicability 1.2. Applicability
Applicability Because this mechanism transports information that Because this mechanism transports information that should not be
should not be controlled by an attacker, the SAML mechanism MUST only controlled by an attacker, the SAML mechanism MUST only be used over
be used over channels protected by TLS, and the client MUST channels protected by TLS, and the client MUST successfully validate
successfully validate the server certificate, or similar integrity the server certificate, or similar integrity protected and
protected and authenticated channels. [RFC5280][RFC6125] authenticated channels. [RFC5280][RFC6125]
Note: An Intranet does not constitute such an integrity protected and
authenticated channel!
2. Applicability for non-HTTP Use Cases 2. Authentication flow
While SAML itself is merely a markup language, its common use case While SAML itself is merely a markup language, its common use case
these days is with HTTP [RFC2616] or HTTPs [RFC2818] and HTML these days is with HTTP [RFC2616] or HTTPs [RFC2818] and HTML
[W3C.REC-html401-19991224]. What follows is a typical flow: [W3C.REC-html401-19991224]. What follows is a typical flow:
1. The browser requests a resource of a Relying Party (RP) (via an 1. The browser requests a resource of a Relying Party (RP) (via an
HTTP request). HTTP request).
2. The RP sends an HTTP redirect as described in Section 10.3 of 2. The Relying Party redirects the browser via an HTTP redirect (as
[RFC2616] to the browser to the Identity Provider (IdP) or an IdP described in Section 10.3 of [RFC2616]) to the Identity Provider
discovery service with an authentication request that contains (IdP) or an IdP discovery service with as parameters an
the name of resource being requested, some sort of a cookie and a authentication request that contains the name of resource being
return URL [RFC3986], requested, a browser cookie and a return URL as specified in
Section 3.1 of the SAML profiles 2.0 specification
[OASIS.saml-profiles-2.0-os].
3. The user authenticates to the IdP and perhaps authorizes the 3. The user authenticates to the IdP and perhaps authorizes the
authentication to the service provider. authentication to the service provider.
4. In its authentication response, the IdP redirects (via an HTTP 4. In its authentication response, the IdP redirects (via an HTTP
redirect) the browser back to the RP with an authentication redirect) the browser back to the RP with an authentication
assertion (stating that the IdP vouches that the subject has assertion (stating that the IdP vouches that the subject has
successfully authenticated), optionally along with some successfully authenticated), optionally along with some
additional attributes. additional attributes.
5. RP now has sufficient identity information to approve access to 5. The Relying Party now has sufficient identity information to
the resource or not, and acts accordingly. The authentication is approve access to the resource or not, and acts accordingly. The
concluded. authentication is concluded.
When considering this flow in the context of SASL, we note that while When considering this flow in the context of SASL, we note that while
the RP and the client both must change their code to implement this the Relying Party and the client both must change their code to
SASL mechanism, the IdP must remain untouched. The RP already has implement this SASL mechanism, the IdP can remain untouched. The
some sort of session (probably a TCP connection) established with the Relying Party already has some sort of session (probably a TCP
client. However, it may be necessary to redirect a SASL client to connection) established with the client. However, it may be
another application or handler. This will be discussed below. The necessary to redirect a SASL client to another application or
steps are shown from below: handler. This will be discussed below. The steps are shown from
below:
1. The Relying Party or SASL server advertises support for the SASL 1. The SASL server (Relying Party) advertises support for the SASL
SAML20 mechanism to the client SAML20 mechanism to the client
2. The client initiates a SASL authentication with SAML20 and sends 2. The client initiates a SASL authentication with SAML20 and sends
a domain a domain name that allows the SASL server to determine the
appropriate IdP
3. The Relying Party transmits an authentication request encoded 3. The SASL server transmits an authentication request encoded using
using a Universal Resource Identifier (URI) as described in RFC a Universal Resource Identifier (URI) as described in RFC 3986
3986 [RFC3986] and an HTTP redirect to the IdP corresponding to
the domain [RFC3986] and an HTTP redirect to the IdP corresponding to the
domain
4. The SASL client now sends an empty response, as authentication 4. The SASL client now sends an empty response, as authentication
continues via the normal SAML flow. continues via the normal SAML flow.
5. At this point the SASL client MUST construct a URL containing the 5. At this point the SASL client MUST construct a URL containing the
content received in the previous message from the RP. This URL content received in the previous message from the SASL server.
is transmitted to the IdP either by the SASL client application This URL is transmitted to the IdP either by the SASL client
or an appropriate handler, such as a browser. application or an appropriate handler, such as a browser.
6. Next the client authenticates to the IdP. The manner in which 6. Next the client authenticates to the IdP. The manner in which
the end user is authenticated to the IdP and any policies the end user is authenticated to the IdP and any policies
surrounding such authentication is out of scope for SAML and surrounding such authentication is out of scope for SAML and
hence for this draft. This step happens out of band from SASL. hence for this draft. This step happens out of band from SASL.
7. The IdP will convey information about the success or failure of 7. The IdP will convey information about the success or failure of
the authentication back to the the RP in the form of an the authentication back to the the SASL server (Relying Party) in
Authentication Statement or failure, using a indirect response the form of an Authentication Statement or failure, using a
via the client browser or the handler (and with an external indirect response via the client browser or the handler (and with
browser client control should be passed back to the SASL client). an external browser client control should be passed back to the
This step happens out of band from SASL. SASL client). This step happens out of band from SASL.
8. The SASL Server sends an appropriate SASL response to the client, 8. The SASL Server sends an appropriate SASL response to the client,
along with an optional list of attributes along with an optional list of attributes
Please note: What is described here is the case in which the client Please note: What is described here is the case in which the client
has not previously authenticated. It is possible that the client has not previously authenticated. It is possible that the client
already holds a valid SAML authentication token so that the user does already holds a valid SAML authentication token so that the user does
not need to be involved in the process anymore, but that would still not need to be involved in the process anymore, but that would still
be external to SASL. This is classic Web Single Sign-On, in which be external to SASL. This is classic Web Single Sign-On, in which
the Web Browser client presents the authentication token (cookie) to the Web Browser client presents the authentication token (cookie) to
skipping to change at page 7, line 19 skipping to change at page 8, line 19
| | | | | |
|>-----(3)----->| | Authentication Request |>-----(3)----->| | Authentication Request
| | | | | |
|<-----(4)-----<| | Empty Response |<-----(4)-----<| | Empty Response
| | | | | |
| |< - - - - - ->| Client<>IDP | |< - - - - - ->| Client<>IDP
| | | Authentication | | | Authentication
| | | | | |
|<- - - - - - - - - - - - - - -| Authentication Statement |<- - - - - - - - - - - - - - -| Authentication Statement
| | | | | |
|>-----(6)----->| | SASL completion with |>-----(5)----->| | SASL completion with
| | | status | | | status
| | | | | |
----- = SASL ----- = SASL
- - - = HTTP or HTTPs (external to SASL) - - - = HTTP or HTTPs (external to SASL)
Figure 2: Authentication flow Figure 2: Authentication flow
3. SAML SASL Mechanism Specification 3. SAML SASL Mechanism Specification
skipping to change at page 8, line 33 skipping to change at page 9, line 33
The third mechanism message is from client to the server, and is the The third mechanism message is from client to the server, and is the
fixed message consisting of "=". fixed message consisting of "=".
The fourth mechanism message is from the server to the client, The fourth mechanism message is from the server to the client,
indicating the SASL mechanism outcome described below. indicating the SASL mechanism outcome described below.
3.1. Initial Response 3.1. Initial Response
A client initiates a "SAML20" authentication with SASL by sending the A client initiates a "SAML20" authentication with SASL by sending the
GS2 header followed by the authentication identifier. The GS2 header GS2 header followed by the authentication identifier (message 2 in
carries the optional authorization identity. Figure 2). The GS2 header carries the optional authorization
identity.
initial-response = gs2-header Idp-Identifier initial-response = gs2-header Idp-Identifier
IdP-Identifier = domain ; domain name with corresponding IdP IdP-Identifier = domain ; domain name with corresponding IdP
The "gs2-header" is specified in [RFC5801], and it is used as The "gs2-header" is specified in [RFC5801], and it is used as
follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the
channel binding "gs2-cb-flag" field, see Section 5. The "gs2- channel binding "gs2-cb-flag" field, see Section 5. The "gs2-
authzid" carries the optional authorization identity. Domain name is authzid" carries the optional authorization identity. Domain name is
specified in [RFC1035]. specified in [RFC1035].
3.2. Authentication Request 3.2. Authentication Request
The SASL Server transmits a redirect URI to the IdP that corresponds The SASL Server transmits to the SASL client a URI that (re)directs
to the domain the user provided, with a SAML authentication request to the IdP (corresponding to the domain the user provided), with a
as one of the parameters. Note: The SASL server may have a static SAML authentication request as one of the parameters (message 3 in
mapping of domain to corresponding IdP or alternatively a DNS-lookup Figure 2).
mechanism could be envisioned, but that is out-of-scope for this
document Note: The SASL server may have a static mapping of domain to
corresponding IdP or alternatively a DNS-lookup mechanism could be
envisioned, but that is out-of-scope for this document.
Note: While the SASL client MAY sanity check the URI it received,
ultimately it is the SAML IdP that will be validated by the SAML
client out-of-scope for this document..
authentication-request = URI authentication-request = URI
URI is specified in [RFC3986] and is encoded according to Section 3.4 URI is specified in [RFC3986] and is encoded according to Section 3.4
(HTTP Redirect) of the SAML bindings 2.0 specification (HTTP Redirect) of the SAML bindings 2.0 specification
[OASIS.saml-bindings-2.0-os]. The SAML authentication request is [OASIS.saml-bindings-2.0-os]. The SAML authentication request is
encoded according to Section 3.4 (Authentication Request) of the SAML encoded according to Section 3.4 (Authentication Request) of the SAML
core 2.0 specification [OASIS.saml-core-2.0-os]. core 2.0 specification [OASIS.saml-core-2.0-os].
The client now sends the authentication request via an HTTP GET to The client now sends the authentication request via an HTTP GET (sent
the IdP, as if redirected to do so from an HTTP server and in over a server-authenticated TLS channel) to the IdP, as if redirected
accordance with the Web Browser SSO profile, described in section 3.1 to do so from an HTTP server and in accordance with the Web Browser
of [OASIS.saml-profiles-2.0-os] SSO profile, as described in section 3.1 of SAML profiles 2.0
specification [OASIS.saml-profiles-2.0-os]
The client MUST handle both user authentication to the IdP and The client handles both user authentication to the IdP and
confirmation or rejection of the authentiation of the RP. confirmation or rejection of the authentiation of the RP (out-of-
scope for this document).
After all authentication has been completed by the IdP, and after the After all authentication has been completed by the IdP, the IdP will
response has been sent to the client, the client will relay the send a redirect message to the client in the form of a URI
response to the Relying Party via HTTP(S), as specified in the corresponding to the Relying Party as specified in the authentication
authentication request ("AssertionConsumerServiceURL"). request ("AssertionConsumerServiceURL") and with the SAML response as
one of the parameters.
Please note: this means that the SASL server needs to implement a Please note: this means that the SASL server needs to implement a
SAML Relying Party. Also, the RP needs to correlate the TCP session SAML Relying Party. Also, the SASL server needs to correlate the TCP
from the SASL client with the SAML authentication. session from the SASL client with the SAML authentication.
3.3. Outcome and parameters 3.3. Outcome and parameters
The Relying Party now validates the response it received from the The SASL server now validates the response it received from the
client via HTTP or HTTPS, as specified in the SAML specification client via HTTP or HTTPS, as specified in the SAML specification
The response by the Relying Party constitutes a SASL mechanism The response by the SASL server constitutes a SASL mechanism outcome,
outcome, and SHALL be used to set state in the server accordingly, and SHALL be used to set state in the server accordingly, and it
and it shall be used by the server to report that state to the SASL shall be used by the server to report that state to the SASL client
client as described in [RFC4422] Section 3.6. as described in [RFC4422] Section 3.6 (message 5 in Figure 2).
4. SAML GSS-API Mechanism Specification 4. SAML GSS-API Mechanism Specification
This section and its sub-sections and all normative references of it This section and its sub-sections and appropriate references of it
not referenced elsewhere in this document are INFORMATIONAL for SASL not referenced elsewhere in this document are not required for SASL
implementors, but they are NORMATIVE for GSS-API implementors. implementors, but this section MUST be observed to implement the GSS-
API mechanism discussed below.
The SAML SASL mechanism is actually also a GSS-API mechanism. The The SAML SASL mechanism is actually also a GSS-API mechanism. The
messages are the same, but SAML user takes the role of the GSS-API Initiator and the SAML
Relying Party takes the role of the GSS-API Acceptor. The SAML
Idenity Provider does not have a role in GSS-API, and is considered
an internal matter for the OpenID mechanism.The messages are the
same, but
a) the GS2 header on the client's first message and channel binding a) the GS2 header on the client's first message and channel binding
data is excluded when SAML is used as a GSS-API mechanism, and data is excluded when SAML is used as a GSS-API mechanism, and
b) the RFC2743 section 3.1 initial context token header is prefixed b) the RFC2743 section 3.1 initial context token header is prefixed
to the client's first authentication message (context token). to the client's first authentication message (context token).
The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see
IANA considerations). IANA considerations).
SAML20 security contexts always have the mutual_state flag SAML20 security contexts MUST have the mutual_state flag
(GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential (GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential
delegation, therefore SAML security contexts alway have the delegation, therefore SAML security contexts MUST have the
deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE. deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE.
The mutual authentication property of this mechanism relies on The mutual authentication property of this mechanism relies on
successfully comparing the TLS server identity with the negotiated successfully comparing the TLS server identity with the negotiated
target name. Since the TLS channel is managed by the application target name. Since the TLS channel is managed by the application
outside of the GSS-API mechanism, the mechanism itself is unable to outside of the GSS-API mechanism, the mechanism itself is unable to
confirm the name while the application is able to perform this confirm the name while the application is able to perform this
comparison for the mechanism. For this reason, applications MUST comparison for the mechanism. For this reason, applications MUST
match the TLS server identity with the target name, as discussed in match the TLS server identity with the target name, as discussed in
[RFC6125]. [RFC6125].
skipping to change at page 19, line 16 skipping to change at page 22, line 16
This section will address only security considerations associated This section will address only security considerations associated
with the use of SAML with SASL applications. For considerations with the use of SAML with SASL applications. For considerations
relating to SAML in general, the reader is referred to the SAML relating to SAML in general, the reader is referred to the SAML
specification and to other literature. Similarly, for general SASL specification and to other literature. Similarly, for general SASL
Security Considerations, the reader is referred to that Security Considerations, the reader is referred to that
specification. specification.
7.1. Man in the middle and Tunneling Attacks 7.1. Man in the middle and Tunneling Attacks
This mechanism is vulnerable to man in the middle and tunneling This mechanism is vulnerable to man-in-the-middle and tunneling
attacks unless a client always verify the server identity before attacks unless a client always verify the server identity before
proceeding with authentication (see [RFC6125]). Typically TLS is proceeding with authentication (see [RFC6125]). Typically TLS is
used to provide a secure channel with server authentication. used to provide a secure channel with server authentication.
7.2. Binding SAML subject identifiers to Authorization Identities 7.2. Binding SAML subject identifiers to Authorization Identities
As specified in [RFC4422], the server is responsible for binding As specified in [RFC4422], the server is responsible for binding
credentials to a specific authorization identity. It is therefore credentials to a specific authorization identity. It is therefore
necessary that only specific trusted IdPs be allowed. This is necessary that only specific trusted IdPs be allowed. This is
typical part of SAML trust establishment between RP's and IdP. typical part of SAML trust establishment between Relying Parties and
IdP.
7.3. User Privacy 7.3. User Privacy
The IdP is aware of each RP that a user logs into. There is nothing The IdP is aware of each Relying Party that a user logs into. There
in the protocol to hide this information from the IdP. It is not a is nothing in the protocol to hide this information from the IdP. It
requirement to track the visits, but there is nothing that prohibits is not a requirement to track the visits, but there is nothing that
the collection of information. SASL servers should be aware that prohibits the collection of information. SASL servers should be
SAML IdPs will track - to some extent - user access to their aware that SAML IdPs will track - to some extent - user access to
services. their services.
7.4. Collusion between RPs 7.4. Collusion between RPs
It is possible for RPs to link data that they have collected on you. It is possible for Relying Parties to link data that they have
By using the same identifier to log into every RP, collusion between collected on you. By using the same identifier to log into every
RPs is possible. In SAML, targeted identity was introduced. Relying Party, collusion between Relying Parties is possible. In
Targeted identity allows the IdP to transform the identifier the user SAML, targeted identity was introduced. Targeted identity allows the
typed in to an opaque identifier. This way the RP would never see IdP to transform the identifier the user typed in to an opaque
the actual user identifier, but a randomly generated identifier. identifier. This way the Relying Party would never see the actual
This is an option the user has to understand and decide to use if the user identifier, but a randomly generated identifier. This is an
IdP is supporting it. option the user has to understand and decide to use if the IdP is
supporting it.
8. IANA Considerations 8. IANA Considerations
The IANA is requested to register the following SASL profile: The IANA is requested to register the following SASL profile:
SASL mechanism profile: SAML20 SASL mechanism profile: SAML20
Security Considerations: See this document Security Considerations: See this document
Published Specification: See this document Published Specification: See this document
skipping to change at page 22, line 22 skipping to change at page 25, line 22
in Simple Authentication and Security Layer (SASL): The in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010. GS2 Mechanism Family", RFC 5801, July 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[W3C.REC-html401-19991224] [W3C.REC-html401-19991224]
Raggett, D., Jacobs, I., and A. Hors, "HTML 4.01 Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01
Specification", World Wide Web Consortium Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999, Recommendation REC-html401-19991224, December 1999,
<http://www.w3.org/TR/1999/REC-html401-19991224>. <http://www.w3.org/TR/1999/REC-html401-19991224>.
9.2. Informative References 9.2. Informative References
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996. STD 53, RFC 1939, May 1996.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
skipping to change at page 24, line 9 skipping to change at page 27, line 9
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank
Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their
review and contributions. review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
o 06 Fixed text per AD comments
o 05 Fixed references per ID-nits o 05 Fixed references per ID-nits
o 04 Added request for IANA assignment, few text clarifications o 04 Added request for IANA assignment, few text clarifications
o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov
o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos
o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott
Cantor Cantor
 End of changes. 38 change blocks. 
124 lines changed or deleted 150 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/