draft-ietf-kitten-sasl-saml-07.txt   draft-ietf-kitten-sasl-saml-08.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: July 8, 2012 Cisco Systems GmbH Expires: July 14, 2012 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
January 5, 2012 January 11, 2012
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-07.txt draft-ietf-kitten-sasl-saml-08.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 8, 2012. This Internet-Draft will expire on July 14, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
2. Authentication flow . . . . . . . . . . . . . . . . . . . . . 6 2. Authentication flow . . . . . . . . . . . . . . . . . . . . . 6
3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9 3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9
3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 9 3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 9
3.2. Authentication Request . . . . . . . . . . . . . . . . . . 9 3.2. Authentication Request . . . . . . . . . . . . . . . . . . 10
3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 10 3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 11
4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 12 4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 12
4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 12 4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 12
5. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 14 5. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 14
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 6.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 6.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7. Security Considerations . . . . . . . . . . . . . . . . . . . 22 7. Security Considerations . . . . . . . . . . . . . . . . . . . 24
7.1. Man in the middle and Tunneling Attacks . . . . . . . . . 22 7.1. Man in the middle and Tunneling Attacks . . . . . . . . . 24
7.2. Binding SAML subject identifiers to Authorization 7.2. Binding SAML subject identifiers to Authorization
Identities . . . . . . . . . . . . . . . . . . . . . . . . 22 Identities . . . . . . . . . . . . . . . . . . . . . . . . 24
7.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 22 7.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 24
7.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 22 7.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 24
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 8.1. IANA mech-profile . . . . . . . . . . . . . . . . . . . . 25
9.1. Normative References . . . . . . . . . . . . . . . . . . . 24 8.2. IANA OID . . . . . . . . . . . . . . . . . . . . . . . . . 25
9.2. Informative References . . . . . . . . . . . . . . . . . . 25 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 26 9.1. Normative References . . . . . . . . . . . . . . . . . . . 26
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 27 9.2. Informative References . . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 28
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
Security Assertion Markup Language (SAML) 2.0 Security Assertion Markup Language (SAML) 2.0
[OASIS.saml-core-2.0-os] is a modular specification that provides [OASIS.saml-core-2.0-os] is a modular specification that provides
various means for a user to be identified to a relying party (RP) various means for a user to be identified to a relying party (RP)
through the exchange of (typically signed) assertions issued by an through the exchange of (typically signed) assertions issued by an
identity provider (IdP). It includes a number of protocols, protocol identity provider (IdP). It includes a number of protocols, protocol
bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
[OASIS.saml-profiles-2.0-os] designed for different use cases. [OASIS.saml-profiles-2.0-os] designed for different use cases.
skipping to change at page 4, line 38 skipping to change at page 4, line 38
Figure 1: Interworking Architecture Figure 1: Interworking Architecture
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
The reader is assumed to be familiar with the terms used in the SAML The reader is assumed to be familiar with the terms used in the SAML
2.0 specification. 2.0 specification [OASIS.saml-core-2.0-os].
1.2. Applicability 1.2. Applicability
Because this mechanism transports information that should not be Because this mechanism transports information that should not be
controlled by an attacker, the SAML mechanism MUST only be used over controlled by an attacker, the SAML mechanism MUST only be used over
channels protected by TLS, and the client MUST successfully validate channels protected by TLS, and the client MUST successfully validate
the server certificate, or similar integrity protected and the server certificate, or over similar integrity protected and
authenticated channels. [RFC5280][RFC6125] authenticated channels. [RFC5280][RFC6125]
Note: An Intranet does not constitute such an integrity protected and Note: An Intranet does not constitute such an integrity protected and
authenticated channel! authenticated channel!
2. Authentication flow 2. Authentication flow
While SAML itself is merely a markup language, its common use case While SAML itself is merely a markup language, its common use case
these days is with HTTP [RFC2616] or HTTPs [RFC2818] and HTML these days is with HTTP [RFC2616] or HTTPs [RFC2818] and HTML
[W3C.REC-html401-19991224]. What follows is a typical flow: [W3C.REC-html401-19991224]. What follows is a typical flow:
skipping to change at page 6, line 23 skipping to change at page 6, line 23
2. The Relying Party redirects the browser via an HTTP redirect (as 2. The Relying Party redirects the browser via an HTTP redirect (as
described in Section 10.3 of [RFC2616]) to the Identity Provider described in Section 10.3 of [RFC2616]) to the Identity Provider
(IdP) or an IdP discovery service with as parameters an (IdP) or an IdP discovery service with as parameters an
authentication request that contains the name of resource being authentication request that contains the name of resource being
requested, a browser cookie and a return URL as specified in requested, a browser cookie and a return URL as specified in
Section 3.1 of the SAML profiles 2.0 specification Section 3.1 of the SAML profiles 2.0 specification
[OASIS.saml-profiles-2.0-os]. [OASIS.saml-profiles-2.0-os].
3. The user authenticates to the IdP and perhaps authorizes the 3. The user authenticates to the IdP and perhaps authorizes the
authentication to the service provider. authentication to the Relying Party.
4. In its authentication response, the IdP redirects (via an HTTP 4. In its authentication response, the IdP redirects (via an HTTP
redirect) the browser back to the RP with an authentication redirect) the browser back to the RP with an authentication
assertion (stating that the IdP vouches that the subject has assertion (stating that the IdP vouches that the subject has
successfully authenticated), optionally along with some successfully authenticated), optionally along with some
additional attributes. additional attributes.
5. The Relying Party now has sufficient identity information to 5. The Relying Party now has sufficient identity information to
approve access to the resource or not, and acts accordingly. The approve access to the resource or not, and acts accordingly. The
authentication is concluded. authentication is concluded.
When considering this flow in the context of SASL, we note that while When considering this flow in the context of SASL, we note that while
the Relying Party and the client both must change their code to the Relying Party and the client both must change their code to
implement this SASL mechanism, the IdP can remain untouched. The implement this SASL mechanism, the IdP can remain untouched. The
Relying Party already has some sort of session (probably a TCP Relying Party already has some sort of session (probably a TCP
connection) established with the client. However, it may be connection) established with the client. However, it may be
necessary to redirect a SASL client to another application or necessary to redirect a SASL client to another application or
handler. This will be discussed below. The steps are shown from handler. The steps are as follows:
below:
1. The SASL server (Relying Party) advertises support for the SASL 1. The SASL server (Relying Party) advertises support for the SASL
SAML20 mechanism to the client SAML20 mechanism to the client
2. The client initiates a SASL authentication with SAML20 and sends 2. The client initiates a SASL authentication with SAML20 and sends
a domain name that allows the SASL server to determine the a domain name that allows the SASL server to determine the
appropriate IdP appropriate IdP
3. The SASL server transmits an authentication request encoded using 3. The SASL server transmits an authentication request encoded using
a Universal Resource Identifier (URI) as described in RFC 3986 a Universal Resource Identifier (URI) as described in RFC 3986
skipping to change at page 7, line 39 skipping to change at page 7, line 37
along with an optional list of attributes along with an optional list of attributes
Please note: What is described here is the case in which the client Please note: What is described here is the case in which the client
has not previously authenticated. It is possible that the client has not previously authenticated. It is possible that the client
already holds a valid SAML authentication token so that the user does already holds a valid SAML authentication token so that the user does
not need to be involved in the process anymore, but that would still not need to be involved in the process anymore, but that would still
be external to SASL. This is classic Web Single Sign-On, in which be external to SASL. This is classic Web Single Sign-On, in which
the Web Browser client presents the authentication token (cookie) to the Web Browser client presents the authentication token (cookie) to
the RP without renewed user authentication at the IdP. the RP without renewed user authentication at the IdP.
With all of this in mind, the flow appears as follows: With all of this in mind, the flow appears as follows in Figure 2:
SASL Serv. Client IdP SASL Serv. Client IdP
|>-----(1)----->| | Advertisement |>-----(1)----->| | Advertisement
| | | | | |
|<-----(2)-----<| | Initiation |<-----(2)-----<| | Initiation
| | | | | |
|>-----(3)----->| | Authentication Request |>-----(3)----->| | Authentication Request
| | | | | |
|<-----(4)-----<| | Empty Response |<-----(4)-----<| | Empty Response
| | | | | |
| |< - - - - - ->| Client<>IDP | |< - -(5,6) - ->| Client<>IDP
| | | Authentication | | | Authentication (5,6)
| | | | | |
|<- - - - - - - - - - - - - - -| Authentication Statement |<- - - - - - - - - - -(7)- - -| Authentication Statement
| | | | | |
|>-----(5)----->| | SASL completion with |>-----(8)----->| | SASL completion with
| | | status | | | status
| | | | | |
----- = SASL ----- = SASL
- - - = HTTP or HTTPs (external to SASL) - - - = HTTP or HTTPs (external to SASL)
Figure 2: Authentication flow Figure 2: Authentication flow
3. SAML SASL Mechanism Specification 3. SAML SASL Mechanism Specification
This section specifies the details of the SAML SASL mechanism. This section specifies the details of the SAML SASL mechanism. See
Recall section 5 of [RFC4422] for what needs to be described here. section 5 of [RFC4422] for what needs to be described here.
The name of this mechanism "SAML20". The mechanism is capable of The name of this mechanism is "SAML20". The mechanism is capable of
transferring an authorization identity (via "gs2-header"). The transferring an authorization identity (via the "gs2-header"). The
mechanism does not offer a security layer. mechanism does not offer a security layer.
The mechanism is client-first. The first mechanism message from the The mechanism is client-first. The first mechanism message from the
client to the server is the "initial-response" described below. As client to the server is the "initial-response". As described in
described in [RFC4422], if the application protocol does not support [RFC4422], if the application protocol does not support sending a
sending a client-response together with the authentication request, client-response together with the authentication request, the server
the server will send an empty server-challenge to let the client will send an empty server-challenge to let the client begin.
begin.
The second mechanism message is from the server to the client, the The second mechanism message is from the server to the client,
"authentication-request" described below. containing the SAML "authentication-request".
The third mechanism message is from client to the server, and is the The third mechanism message is from client to the server, and is the
fixed message consisting of "=". fixed message consisting of "=".
The fourth mechanism message is from the server to the client, The fourth mechanism message is from the server to the client,
indicating the SASL mechanism outcome described below. indicating the SASL mechanism outcome.
3.1. Initial Response 3.1. Initial Response
A client initiates a "SAML20" authentication with SASL by sending the A client initiates a "SAML20" authentication with SASL by sending the
GS2 header followed by the authentication identifier (message 2 in GS2 header followed by the authentication identifier (message 2 in
Figure 2). The GS2 header carries the optional authorization Figure 2) and is defined as follows:
identity.
initial-response = gs2-header Idp-Identifier initial-response = gs2-header Idp-Identifier
IdP-Identifier = domain ; domain name with corresponding IdP IdP-Identifier = domain ; domain name with corresponding IdP
The "gs2-header" is specified in [RFC5801], and it is used as The "gs2-header" carries the optional authorization identity as
follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the specified in [RFC5801], and it is used as follows:
channel binding "gs2-cb-flag" field, see Section 5. The "gs2-
authzid" carries the optional authorization identity. Domain name is
specified in [RFC1035].
3.2. Authentication Request - The "gs2-nonstd-flag" MUST NOT be present.
The SASL Server transmits to the SASL client a URI that (re)directs - See Section 5 for the channel binding "gs2-cb-flag" field.
to the IdP (corresponding to the domain the user provided), with a
SAML authentication request as one of the parameters (message 3 in
Figure 2).
Note: The SASL server may have a static mapping of domain to - The "gs2-authzid" carries the optional authorization identity.
corresponding IdP or alternatively a DNS-lookup mechanism could be
envisioned, but that is out-of-scope for this document.
Note: While the SASL client MAY sanity check the URI it received, Domain name is specified in [RFC1035].
ultimately it is the SAML IdP that will be validated by the SAML
client which is out-of-scope for this document. 3.2. Authentication Request
The SASL Server transmits to the SASL client a URI that redirects the
SAML client to the IdP (corresponding to the domain the user
provided), with a SAML authentication request as one of the
parameters (message 3 in Figure 2) in the following way:
authentication-request = URI authentication-request = URI
URI is specified in [RFC3986] and is encoded according to Section 3.4 URI is specified in [RFC3986] and is encoded according to Section 3.4
(HTTP Redirect) of the SAML bindings 2.0 specification (HTTP Redirect) of the SAML bindings 2.0 specification
[OASIS.saml-bindings-2.0-os]. The SAML authentication request is [OASIS.saml-bindings-2.0-os]. The SAML authentication request is
encoded according to Section 3.4 (Authentication Request) of the SAML encoded according to Section 3.4 (Authentication Request) of the SAML
core 2.0 specification [OASIS.saml-core-2.0-os]. core 2.0 specification [OASIS.saml-core-2.0-os].
The client now sends the authentication request via an HTTP GET (sent Note: The SASL server may have a static mapping of domain to
over a server-authenticated TLS channel) to the IdP, as if redirected corresponding IdP or alternatively a DNS-lookup mechanism could be
to do so from an HTTP server and in accordance with the Web Browser envisioned, but that is out-of-scope for this document.
SSO profile, as described in section 3.1 of SAML profiles 2.0
specification [OASIS.saml-profiles-2.0-os] Note: While the SASL client MAY sanity check the URI it received,
ultimately it is the SAML IdP that will be validated by the SAML
client which is out-of-scope for this document.
The client then sends the authentication request via an HTTP GET
(sent over a server-authenticated TLS channel) to the IdP, as if
redirected to do so from an HTTP server and in accordance with the
Web Browser SSO profile, as described in section 3.1 of SAML profiles
2.0 specification [OASIS.saml-profiles-2.0-os] (message 5 and 6 in
Figure 2).
The client handles both user authentication to the IdP and The client handles both user authentication to the IdP and
confirmation or rejection of the authentiation of the RP (out-of- confirmation or rejection of the authentiation of the RP (out-of-
scope for this document). scope for this document).
After all authentication has been completed by the IdP, the IdP will After all authentication has been completed by the IdP, the IdP will
send a redirect message to the client in the form of a URI send a redirect message to the client in the form of a URI
corresponding to the Relying Party as specified in the authentication corresponding to the Relying Party as specified in the authentication
request ("AssertionConsumerServiceURL") and with the SAML response as request ("AssertionConsumerServiceURL") and with the SAML response as
one of the parameters. one of the parameters (message 7 in Figure 2).
Please note: this means that the SASL server needs to implement a Please note: this means that the SASL server needs to implement a
SAML Relying Party. Also, the SASL server needs to correlate the TCP SAML Relying Party. Also, the SASL server needs to correlate the TCP
session from the SASL client with the SAML authentication. session from the SASL client with the SAML authentication by
comparing the ID of the SAML request with that in the response.
3.3. Outcome and parameters 3.3. Outcome and parameters
The SASL server now validates the response it received from the The SASL server now validates the response it received from the
client via HTTP or HTTPS, as specified in the SAML specification client via HTTP or HTTPS, as specified in the SAML specification
The response by the SASL server constitutes a SASL mechanism outcome, The response by the SASL server constitutes a SASL mechanism outcome,
and SHALL be used to set state in the server accordingly, and it and MUST be used to set state in the server accordingly, and it MUST
shall be used by the server to report that state to the SASL client be used by the server to report that state to the SASL client as
as described in [RFC4422] Section 3.6 (message 5 in Figure 2). described in [RFC4422] Section 3.6 (message 8 in Figure 2).
4. SAML GSS-API Mechanism Specification 4. SAML GSS-API Mechanism Specification
This section and its sub-sections and appropriate references of it This section, its sub-sections and appropriate references of it not
not referenced elsewhere in this document are not required for SASL referenced elsewhere in this document, are not required for SASL
implementors, but this section MUST be observed to implement the GSS- implementors, but this section MUST be observed to implement the GSS-
API mechanism discussed below. API mechanism discussed below.
The SAML SASL mechanism is actually also a GSS-API mechanism. The The SAML SASL mechanism is actually also a GSS-API mechanism. The
SAML user takes the role of the GSS-API Initiator and the SAML SAML user takes the role of the GSS-API Initiator and the SAML
Relying Party takes the role of the GSS-API Acceptor. The SAML Relying Party takes the role of the GSS-API Acceptor. The SAML
Identity Provider does not have a role in GSS-API, and is considered Identity Provider does not have a role in GSS-API, and is considered
an internal matter for the SAML mechanism.The messages are the same, an internal matter for the SAML mechanism. The messages are the
but same, but
a) the GS2 header on the client's first message and channel binding a) the GS2 header on the client's first message and channel binding
data is excluded when SAML is used as a GSS-API mechanism, and data is excluded when SAML is used as a GSS-API mechanism, and
b) the RFC2743 section 3.1 initial context token header is prefixed b) the RFC2743 section 3.1 initial context token header is prefixed
to the client's first authentication message (context token). to the client's first authentication message (context token).
The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see
IANA considerations). IANA considerations).
skipping to change at page 14, line 7 skipping to change at page 14, line 7
supports only a single name type for initiators: GSS_C_NT_USER_NAME. supports only a single name type for initiators: GSS_C_NT_USER_NAME.
GSS_C_NT_USER_NAME is the default name type for SAML. The query, GSS_C_NT_USER_NAME is the default name type for SAML. The query,
display, and exported name syntaxes for SAML principal names are all display, and exported name syntaxes for SAML principal names are all
the same. There are no SAML-specific name syntaxes -- applications the same. There are no SAML-specific name syntaxes -- applications
should use generic GSS-API name types such as GSS_C_NT_USER_NAME and should use generic GSS-API name types such as GSS_C_NT_USER_NAME and
GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported
name token does, of course, conform to [RFC2743], Section 3.2. name token does, of course, conform to [RFC2743], Section 3.2.
5. Channel Binding 5. Channel Binding
The "gs2-cb-flag" MUST use "n" because channel binding data cannot be The "gs2-cb-flag" MUST be set to "n" because channel binding data
integrity protected by the SAML negotiation. cannot be integrity protected by the SAML negotiation.
Note: In theory channel binding data could be inserted in the SAML Note: In theory channel binding data could be inserted in the SAML
flow by the client and verified by the server, but that is currently flow by the client and verified by the server, but that is currently
not supported in SAML. not supported in SAML.
6. Examples 6. Examples
6.1. XMPP 6.1. XMPP
Suppose the user has an identity at the SAML IdP saml.example.org and Suppose the user has an identity at the SAML IdP saml.example.org and
skipping to change at page 18, line 32 skipping to change at page 18, line 32
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef> </saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext> </samlp:RequestedAuthnContext>
</samlp:AuthnRequest> </samlp:AuthnRequest>
Note: the server can use the request ID Note: the server can use the request ID
(_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL (_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL
session with the SAML authentication. session with the SAML authentication.
Step 5 (alt): Server returns error to client: Step 5 (alternative): Server returns error to client if no SAML
Authentication Request can be constructed:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<incorrect-encoding/> <incorrect-encoding/>
</failure> </failure>
</stream:stream> </stream:stream>
Step 6: Client sends the empty response to the challenge encoded as a Step 6: Client sends the empty response to the challenge encoded as a
single =: single =:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
= =
</response> </response>
[ The client now sends the URL to a browser for processing. The [ The client now sends the URL to a browser instance for processing.
browser engages in a normal SAML authentication flow (external to
The browser engages in a normal SAML authentication flow (external to
SASL), like redirection to the Identity Provider SASL), like redirection to the Identity Provider
(https://saml.example.org), the user logs into (https://saml.example.org), the user logs into
https://saml.example.org, and agrees to authenticate to https://saml.example.org, and agrees to authenticate to
xmpp.example.com. A redirect is passed back to the client browser xmpp.example.com. A redirect is passed back to the client browser
who sends the AuthN response to the server, containing the subject- who sends the AuthN response to the server, containing the subject-
identifier as an attribute. If the AuthN response doesn't contain identifier as an attribute. If the AuthN response doesn't contain
the JID, the server maps the subject-identifier received from the IdP the JID, the server maps the subject-identifier received from the IdP
to a JID] to a JID]
Step 7: Server informs client of successful authentication: Step 7: Server informs client of successful authentication:
skipping to change at page 22, line 4 skipping to change at page 22, line 4
ZFhSb2JrTnZiblJsZUhSRGJHRnpjMUpsWmcwS0lDQWdJQ0FnZUcxc2JuTTZj ZFhSb2JrTnZiblJsZUhSRGJHRnpjMUpsWmcwS0lDQWdJQ0FnZUcxc2JuTTZj
MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t
RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN
NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5 NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5
YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi
MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX
UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW
bGMzUSs= bGMzUSs=
C: C:
S: . OK Success (tls protection) S: . OK Success (tls protection)
The decoded challenge is:
https://saml.example.org/SAML/Browser?SAMLRequest=PHNhbWxwOk
F1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOl
NBTUw6Mi4wOnByb3RvY29sIg0KICAgIElEPSJfYmVjNDI0ZmE1MTAzNDI4OT
A5YTMwZmYxZTMxMTY4MzI3Zjc5NDc0OTg0IiBWZXJzaW9uPSIyLjAiDQogIC
AgSXNzdWVJbnN0YW50PSIyMDA3LTEyLTEwVDExOjM5OjM0WiIgRm9yY2VBdX
Robj0iZmFsc2UiDQogICAgSXNQYXNzaXZlPSJmYWxzZSINCiAgICBQcm90b2
NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW
5nczpIVFRQLVBPU1QiDQogICAgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVV
JMPQ0KICAgICAgICAiaHR0cHM6Ly94bXBwLmV4YW1wbGUuY29tL1NBTUwvQX
NzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4NCiA8c2FtbDpJc3N1ZXIgeG1sbn
M6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbi
I+DQogICAgIGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbQ0KIDwvc2FtbDpJc3
N1ZXI+DQogPHNhbWxwOk5hbWVJRFBvbGljeSB4bWxuczpzYW1scD0idXJuOm
9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIg0KICAgICBGb3JtYX
Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0On
BlcnNpc3RlbnQiDQogICAgIFNQTmFtZVF1YWxpZmllcj0ieG1wcC5leGFtcG
xlLmNvbSIgQWxsb3dDcmVhdGU9InRydWUiIC8+DQogPHNhbWxwOlJlcXVlc3
RlZEF1dGhuQ29udGV4dA0KICAgICB4bWxuczpzYW1scD0idXJuOm9hc2lzOm
5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiANCiAgICAgICAgQ29tcGFyaX
Nvbj0iZXhhY3QiPg0KICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZg0KIC
AgICAgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm
Fzc2VydGlvbiI+DQogICAgICAgICAgIHVybjpvYXNpczpuYW1lczp0YzpTQU
1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0DQ
ogIDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiA8L3NhbWxwOlJlcX
Vlc3RlZEF1dGhuQ29udGV4dD4gDQo8L3NhbWxwOkF1dGhuUmVxdWVzdD4=
Where the decoded SAMLRequest looks like:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0"
IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL=
"https://xmpp.example.com/SAML/AssertionConsumerService">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://xmpp.example.com
</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="xmpp.example.com" AllowCreate="true" />
<samlp:RequestedAuthnContext
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact">
<saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
7. Security Considerations 7. Security Considerations
This section will address only security considerations associated This section addresses only security considerations associated with
with the use of SAML with SASL applications. For considerations the use of SAML with SASL applications. For considerations relating
relating to SAML in general, the reader is referred to the SAML to SAML in general, the reader is referred to the SAML specification
specification and to other literature. Similarly, for general SASL and to other literature. Similarly, for general SASL Security
Security Considerations, the reader is referred to that Considerations, the reader is referred to that specification.
specification.
7.1. Man in the middle and Tunneling Attacks 7.1. Man in the middle and Tunneling Attacks
This mechanism is vulnerable to man-in-the-middle and tunneling This mechanism is vulnerable to man-in-the-middle and tunneling
attacks unless a client always verify the server identity before attacks unless a client always verifies the server identity before
proceeding with authentication (see [RFC6125]). Typically TLS is proceeding with authentication (see [RFC6125]). Typically TLS is
used to provide a secure channel with server authentication. used to provide a secure channel with server authentication.
7.2. Binding SAML subject identifiers to Authorization Identities 7.2. Binding SAML subject identifiers to Authorization Identities
As specified in [RFC4422], the server is responsible for binding As specified in [RFC4422], the server is responsible for binding
credentials to a specific authorization identity. It is therefore credentials to a specific authorization identity. It is therefore
necessary that only specific trusted IdPs be allowed. This is necessary that only specific trusted IdPs be allowed. This is
typical part of SAML trust establishment between Relying Parties and typical part of SAML trust establishment between Relying Parties and
IdP. IdP.
7.3. User Privacy 7.3. User Privacy
The IdP is aware of each Relying Party that a user logs into. There The IdP is aware of each Relying Party that a user logs into. There
is nothing in the protocol to hide this information from the IdP. It is nothing in the protocol to hide this information from the IdP. It
is not a requirement to track the visits, but there is nothing that is not a requirement to track the visits, but there is nothing that
prohibits the collection of information. SASL servers should be prohibits the collection of information. SASL server implementers
aware that SAML IdPs will track - to some extent - user access to should be aware that SAML IdPs will be able to track - to some extent
their services. - user access to their services.
7.4. Collusion between RPs 7.4. Collusion between RPs
It is possible for Relying Parties to link data that they have It is possible for Relying Parties to link data that they have
collected on you. By using the same identifier to log into every collected on the users. By using the same identifier to log into
Relying Party, collusion between Relying Parties is possible. In every Relying Party, collusion between Relying Parties is possible.
SAML, targeted identity was introduced. Targeted identity allows the In SAML, targeted identity was introduced. Targeted identity allows
IdP to transform the identifier the user typed in to an opaque the IdP to transform the identifier the user typed in to an opaque
identifier. This way the Relying Party would never see the actual identifier. This way the Relying Party would never see the actual
user identifier, but a randomly generated identifier. This is an user identifier, but a randomly generated identifier.
option the user has to understand and decide to use if the IdP is
supporting it.
8. IANA Considerations 8. IANA Considerations
8.1. IANA mech-profile
The IANA is requested to register the following SASL profile: The IANA is requested to register the following SASL profile:
SASL mechanism profile: SAML20 SASL mechanism profile: SAML20
Security Considerations: See this document Security Considerations: See this document
Published Specification: See this document Published Specification: See this document
For further information: Contact the authors of this document. For further information: Contact the authors of this document.
Owner/Change controller: the IETF Owner/Change controller: the IETF
Note: None Note: None
8.2. IANA OID
The IANA is further requested to assign an OID for this GSS mechanism The IANA is further requested to assign an OID for this GSS mechanism
in the SMI numbers registry, with the prefix of in the SMI numbers registry, with the prefix of
iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to
reference this specification in the registry. reference this specification in the registry.
9. References 9. References
9.1. Normative References 9.1. Normative References
[OASIS.saml-bindings-2.0-os] [OASIS.saml-bindings-2.0-os]
skipping to change at page 27, line 9 skipping to change at page 29, line 9
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank
Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their
review and contributions. review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
o 08 Fixed text per Gen-Art review
o 07 Fixed text per comments Alexey Melnikov o 07 Fixed text per comments Alexey Melnikov
o 06 Fixed text per AD comments o 06 Fixed text per AD comments
o 05 Fixed references per ID-nits o 05 Fixed references per ID-nits
o 04 Added request for IANA assignment, few text clarifications o 04 Added request for IANA assignment, few text clarifications
o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov
 End of changes. 44 change blocks. 
94 lines changed or deleted 157 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/