draft-ietf-kitten-sasl-saml-06.txt   draft-ietf-kitten-sasl-saml-07.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: June 23, 2012 Cisco Systems GmbH Expires: July 8, 2012 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
December 21, 2011 January 5, 2012
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-06.txt draft-ietf-kitten-sasl-saml-07.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 23, 2012. This Internet-Draft will expire on July 8, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 10, line 12 skipping to change at page 10, line 12
to the IdP (corresponding to the domain the user provided), with a to the IdP (corresponding to the domain the user provided), with a
SAML authentication request as one of the parameters (message 3 in SAML authentication request as one of the parameters (message 3 in
Figure 2). Figure 2).
Note: The SASL server may have a static mapping of domain to Note: The SASL server may have a static mapping of domain to
corresponding IdP or alternatively a DNS-lookup mechanism could be corresponding IdP or alternatively a DNS-lookup mechanism could be
envisioned, but that is out-of-scope for this document. envisioned, but that is out-of-scope for this document.
Note: While the SASL client MAY sanity check the URI it received, Note: While the SASL client MAY sanity check the URI it received,
ultimately it is the SAML IdP that will be validated by the SAML ultimately it is the SAML IdP that will be validated by the SAML
client out-of-scope for this document.. client which is out-of-scope for this document.
authentication-request = URI authentication-request = URI
URI is specified in [RFC3986] and is encoded according to Section 3.4 URI is specified in [RFC3986] and is encoded according to Section 3.4
(HTTP Redirect) of the SAML bindings 2.0 specification (HTTP Redirect) of the SAML bindings 2.0 specification
[OASIS.saml-bindings-2.0-os]. The SAML authentication request is [OASIS.saml-bindings-2.0-os]. The SAML authentication request is
encoded according to Section 3.4 (Authentication Request) of the SAML encoded according to Section 3.4 (Authentication Request) of the SAML
core 2.0 specification [OASIS.saml-core-2.0-os]. core 2.0 specification [OASIS.saml-core-2.0-os].
The client now sends the authentication request via an HTTP GET (sent The client now sends the authentication request via an HTTP GET (sent
skipping to change at page 12, line 15 skipping to change at page 12, line 15
4. SAML GSS-API Mechanism Specification 4. SAML GSS-API Mechanism Specification
This section and its sub-sections and appropriate references of it This section and its sub-sections and appropriate references of it
not referenced elsewhere in this document are not required for SASL not referenced elsewhere in this document are not required for SASL
implementors, but this section MUST be observed to implement the GSS- implementors, but this section MUST be observed to implement the GSS-
API mechanism discussed below. API mechanism discussed below.
The SAML SASL mechanism is actually also a GSS-API mechanism. The The SAML SASL mechanism is actually also a GSS-API mechanism. The
SAML user takes the role of the GSS-API Initiator and the SAML SAML user takes the role of the GSS-API Initiator and the SAML
Relying Party takes the role of the GSS-API Acceptor. The SAML Relying Party takes the role of the GSS-API Acceptor. The SAML
Idenity Provider does not have a role in GSS-API, and is considered Identity Provider does not have a role in GSS-API, and is considered
an internal matter for the OpenID mechanism.The messages are the an internal matter for the SAML mechanism.The messages are the same,
same, but but
a) the GS2 header on the client's first message and channel binding a) the GS2 header on the client's first message and channel binding
data is excluded when SAML is used as a GSS-API mechanism, and data is excluded when SAML is used as a GSS-API mechanism, and
b) the RFC2743 section 3.1 initial context token header is prefixed b) the RFC2743 section 3.1 initial context token header is prefixed
to the client's first authentication message (context token). to the client's first authentication message (context token).
The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see
IANA considerations). IANA considerations).
skipping to change at page 18, line 39 skipping to change at page 18, line 39
(_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL (_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL
session with the SAML authentication. session with the SAML authentication.
Step 5 (alt): Server returns error to client: Step 5 (alt): Server returns error to client:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<incorrect-encoding/> <incorrect-encoding/>
</failure> </failure>
</stream:stream> </stream:stream>
Step 6: Client sends a BASE64 encoded empty response to the Step 6: Client sends the empty response to the challenge encoded as a
challenge: single =:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
= =
</response> </response>
[ The client now sends the URL to a browser for processing. The [ The client now sends the URL to a browser for processing. The
browser engages in a normal SAML authentication flow (external to browser engages in a normal SAML authentication flow (external to
SASL), like redirection to the Identity Provider SASL), like redirection to the Identity Provider
(https://saml.example.org), the user logs into (https://saml.example.org), the user logs into
https://saml.example.org, and agrees to authenticate to https://saml.example.org, and agrees to authenticate to
skipping to change at page 24, line 40 skipping to change at page 24, line 40
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API) Mechanisms Service Application Program Interface (GSS-API) Mechanisms
in Simple Authentication and Security Layer (SASL): The in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010. GS2 Mechanism Family", RFC 5801, July 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[W3C.REC-html401-19991224] [W3C.REC-html401-19991224]
Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01 Raggett, D., Jacobs, I., and A. Hors, "HTML 4.01
Specification", World Wide Web Consortium Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999, Recommendation REC-html401-19991224, December 1999,
<http://www.w3.org/TR/1999/REC-html401-19991224>. <http://www.w3.org/TR/1999/REC-html401-19991224>.
9.2. Informative References 9.2. Informative References
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996. STD 53, RFC 1939, May 1996.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003. 4rev1", RFC 3501, March 2003.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, March 2011. Protocol (XMPP): Core", RFC 6120, March 2011.
Appendix A. Acknowledgments Appendix A. Acknowledgments
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank
Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their
review and contributions. review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
o 07 Fixed text per comments Alexey Melnikov
o 06 Fixed text per AD comments o 06 Fixed text per AD comments
o 05 Fixed references per ID-nits o 05 Fixed references per ID-nits
o 04 Added request for IANA assignment, few text clarifications o 04 Added request for IANA assignment, few text clarifications
o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov
o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos
 End of changes. 14 change blocks. 
17 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/