draft-ietf-kitten-sasl-saml-08.txt   draft-ietf-kitten-sasl-saml-09.txt 
Network Working Group K. Wierenga Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear Intended status: Standards Track E. Lear
Expires: July 14, 2012 Cisco Systems GmbH Expires: August 23, 2012 Cisco Systems GmbH
S. Josefsson S. Josefsson
SJD AB SJD AB
January 11, 2012 February 20, 2012
A SASL and GSS-API Mechanism for SAML A SASL and GSS-API Mechanism for SAML
draft-ietf-kitten-sasl-saml-08.txt draft-ietf-kitten-sasl-saml-09.txt
Abstract Abstract
Security Assertion Markup Language (SAML) has found its usage on the Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to generalize Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API. Identity Providers with applications using SASL and GSS-API.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 14, 2012. This Internet-Draft will expire on August 23, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
2. Authentication flow . . . . . . . . . . . . . . . . . . . . . 6 2. Authentication flow . . . . . . . . . . . . . . . . . . . . . 6
3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9 3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 9
3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 9 3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 9
3.2. Authentication Request . . . . . . . . . . . . . . . . . . 10 3.2. Authentication Request . . . . . . . . . . . . . . . . . . 10
3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 11 3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 11
4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 12 4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 12
4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 12 4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 13
5. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 14 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
6.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22
7. Security Considerations . . . . . . . . . . . . . . . . . . . 24 6.1. Man in the middle and Tunneling Attacks . . . . . . . . . 22
7.1. Man in the middle and Tunneling Attacks . . . . . . . . . 24 6.2. Binding SAML subject identifiers to Authorization
7.2. Binding SAML subject identifiers to Authorization Identities . . . . . . . . . . . . . . . . . . . . . . . . 22
Identities . . . . . . . . . . . . . . . . . . . . . . . . 24 6.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 22
7.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 24 6.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 22
7.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 24 6.5. GSS-API specific security considerations . . . . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
8.1. IANA mech-profile . . . . . . . . . . . . . . . . . . . . 25 7.1. IANA mech-profile . . . . . . . . . . . . . . . . . . . . 24
8.2. IANA OID . . . . . . . . . . . . . . . . . . . . . . . . . 25 7.2. IANA OID . . . . . . . . . . . . . . . . . . . . . . . . . 24
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
9.1. Normative References . . . . . . . . . . . . . . . . . . . 26 8.1. Normative References . . . . . . . . . . . . . . . . . . . 25
9.2. Informative References . . . . . . . . . . . . . . . . . . 27 8.2. Informative References . . . . . . . . . . . . . . . . . . 26
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 28 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 28
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 29 Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
Security Assertion Markup Language (SAML) 2.0 Security Assertion Markup Language (SAML) 2.0
[OASIS.saml-core-2.0-os] is a modular specification that provides [OASIS.saml-core-2.0-os] is a set of specifications that provide
various means for a user to be identified to a relying party (RP) various means for a user to be identified to a relying party (RP)
through the exchange of (typically signed) assertions issued by an through the exchange of (typically signed) assertions issued by an
identity provider (IdP). It includes a number of protocols, protocol identity provider (IdP). It includes a number of protocols, protocol
bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
[OASIS.saml-profiles-2.0-os] designed for different use cases. [OASIS.saml-profiles-2.0-os] designed for different use cases.
Simple Authentication and Security Layer (SASL) [RFC4422] is a Simple Authentication and Security Layer (SASL) [RFC4422] is a
generalized mechanism for identifying and authenticating a user and generalized mechanism for identifying and authenticating a user and
for optionally negotiating a security layer for subsequent protocol for optionally negotiating a security layer for subsequent protocol
interactions. SASL is used by application protocols like IMAP interactions. SASL is used by application protocols like IMAP
skipping to change at page 3, line 33 skipping to change at page 3, line 33
The Generic Security Service Application Program Interface (GSS-API) The Generic Security Service Application Program Interface (GSS-API)
[RFC2743] provides a framework for applications to support multiple [RFC2743] provides a framework for applications to support multiple
authentication mechanisms through a unified programming interface. authentication mechanisms through a unified programming interface.
This document defines a pure SASL mechanism for SAML, but it conforms This document defines a pure SASL mechanism for SAML, but it conforms
to the new bridge between SASL and the GSS-API called GS2 [RFC5801]. to the new bridge between SASL and the GSS-API called GS2 [RFC5801].
This means that this document defines both a SASL mechanism and a This means that this document defines both a SASL mechanism and a
GSS-API mechanism. The GSS-API interface is OPTIONAL for SASL GSS-API mechanism. The GSS-API interface is OPTIONAL for SASL
implementers, and the GSS-API considerations can be avoided in implementers, and the GSS-API considerations can be avoided in
environments that use SASL directly without GSS-API. environments that use SASL directly without GSS-API.
As currently envisioned, this mechanism is to allow the interworking As currently envisioned, this mechanism enables interworking between
between SASL and SAML in order to assert identity and other SASL and SAML in order to assert the identity of the user and other
attributes to relying parties. As such, while servers (as relying attributes to relying parties. As such, while servers (as relying
parties) will advertise SASL mechanisms (including SAML), clients parties) will advertise SASL mechanisms (including SAML), clients
will select the SAML SASL mechanism as their SASL mechanism of will select the SAML SASL mechanism as their SASL mechanism of
choice. choice.
The SAML mechanism described in this memo aims to re-use the Web The SAML mechanism described in this memo aims to re-use the Web
Browser SSO profile defined in section 3.1 of the SAML profiles 2.0 Browser SSO profile defined in section 4.1 of the SAML profiles 2.0
specification [OASIS.saml-profiles-2.0-os] to the maximum extent and specification [OASIS.saml-profiles-2.0-os] to the maximum extent and
therefore does not establish a separate authentication, integrity and therefore does not establish a separate authentication, integrity and
confidentiality mechanism. The mechanism assumes a security layer, confidentiality mechanism. The mechanism assumes a security layer,
such as Transport Layer Security (TLS [RFC5246]), will continue to be such as Transport Layer Security (TLS [RFC5246]), will continue to be
used. This specification is appropriate for use when a browser is used. This specification is appropriate for use when a browser
available. instance is available. In the absence of a browser instance, SAML
profiles that don't require a browser such as the Enhanced Client or
Proxy profile (as defined in section 4.2 of the SAML profiles 2.0
specification [OASIS.saml-profiles-2.0-os] may be used, but that is
outside the scope of this specification.
Figure 1 describes the interworking between SAML and SASL: this Figure 1 describes the interworking between SAML and SASL: this
document requires enhancements to the Relying Party (the SASL server) document requires enhancements to the Relying Party (the SASL server)
and to the Client, as the two SASL communication end points, but no and to the Client, as the two SASL communication end points, but no
changes to the SAML Identity Provider are necessary. To accomplish changes to the SAML Identity Provider are necessary. To accomplish
this goal some indirect messaging is tunneled within SASL, and some this goal some indirect messaging is tunneled within SASL, and some
use of external methods is made. use of external methods is made.
+-----------+ +-----------+
| | | |
>| Relying | >| Relying |
/ | Party | / | Party |
// | | // | |
// +-----------+ // +-----------+
SAML/ // ^ SAML/ // ^
HTTPs // +--|--+ HTTPS // +--|--+
// | S| | // | S| |
/ S | A| | / S | A| |
// A | M| | // A | M| |
// S | L| | // S | L| |
// L | | | // L | | |
// | | | // | | |
</ +--|--+ </ +--|--+
+------------+ v +------------+ v
| | +----------+ | | +----------+
| SAML | HTTPs | | | SAML | HTTPS | |
| Identity |<--------------->| Client | | Identity |<--------------->| Client |
| Provider | | | | Provider | | |
+------------+ +----------+ +------------+ +----------+
Figure 1: Interworking Architecture Figure 1: Interworking Architecture
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
The reader is assumed to be familiar with the terms used in the SAML The reader is assumed to be familiar with the terms used in the SAML
2.0 specification [OASIS.saml-core-2.0-os]. 2.0 specification [OASIS.saml-core-2.0-os].
1.2. Applicability 1.2. Applicability
Because this mechanism transports information that should not be Because this mechanism transports information that should not be
controlled by an attacker, the SAML mechanism MUST only be used over controlled by an attacker, the SAML mechanism MUST only be used over
channels protected by TLS, and the client MUST successfully validate channels protected by TLS, or over similar integrity protected and
the server certificate, or over similar integrity protected and authenticated channels. In addition, when TLS is used the client
authenticated channels. [RFC5280][RFC6125] MUST successfully validate the server certificate ([RFC5280],
[RFC6125])
Note: An Intranet does not constitute such an integrity protected and Note: An Intranet does not constitute such an integrity protected and
authenticated channel! authenticated channel!
2. Authentication flow 2. Authentication flow
While SAML itself is merely a markup language, its common use case While SAML itself is merely a markup language, its common use case
these days is with HTTP [RFC2616] or HTTPs [RFC2818] and HTML these days is with HTTP [RFC2616] or HTTPS [RFC2818] and HTML
[W3C.REC-html401-19991224]. What follows is a typical flow: [W3C.REC-html401-19991224]. What follows is a typical flow:
1. The browser requests a resource of a Relying Party (RP) (via an 1. The browser requests a resource of a Relying Party (RP) (via an
HTTP request). HTTP request).
2. The Relying Party redirects the browser via an HTTP redirect (as 2. The Relying Party redirects the browser via an HTTP redirect (as
described in Section 10.3 of [RFC2616]) to the Identity Provider described in Section 10.3 of [RFC2616]) to the Identity Provider
(IdP) or an IdP discovery service with as parameters an (IdP) or an IdP discovery service. When it does so, it includes
authentication request that contains the name of resource being the following parameters: (1) an authentication request that
requested, a browser cookie and a return URL as specified in contains the name of resource being requested, (2) a browser
Section 3.1 of the SAML profiles 2.0 specification cookie, and (3) a return URL as specified in Section 3.1 of the
[OASIS.saml-profiles-2.0-os]. SAML profiles 2.0 specification [OASIS.saml-profiles-2.0-os].
3. The user authenticates to the IdP and perhaps authorizes the 3. The user authenticates to the IdP and perhaps authorizes the
authentication to the Relying Party. release of user attributes to the Relying Party.
4. In its authentication response, the IdP redirects (via an HTTP 4. In its authentication response, the IdP redirects (via an HTTP
redirect) the browser back to the RP with an authentication redirect) the browser back to the RP with an authentication
assertion (stating that the IdP vouches that the subject has assertion (stating that the IdP vouches that the subject has
successfully authenticated), optionally along with some successfully authenticated), optionally along with some
additional attributes. additional attributes.
5. The Relying Party now has sufficient identity information to 5. The Relying Party now has sufficient identity information to
approve access to the resource or not, and acts accordingly. The approve access to the resource or not, and acts accordingly. The
authentication is concluded. authentication is concluded.
skipping to change at page 6, line 51 skipping to change at page 6, line 51
handler. The steps are as follows: handler. The steps are as follows:
1. The SASL server (Relying Party) advertises support for the SASL 1. The SASL server (Relying Party) advertises support for the SASL
SAML20 mechanism to the client SAML20 mechanism to the client
2. The client initiates a SASL authentication with SAML20 and sends 2. The client initiates a SASL authentication with SAML20 and sends
a domain name that allows the SASL server to determine the a domain name that allows the SASL server to determine the
appropriate IdP appropriate IdP
3. The SASL server transmits an authentication request encoded using 3. The SASL server transmits an authentication request encoded using
a Universal Resource Identifier (URI) as described in RFC 3986 a Uniform Resource Identifier (URI) as described in RFC 3986
[RFC3986] and an HTTP redirect to the IdP corresponding to the [RFC3986] and an HTTP redirect to the IdP corresponding to the
domain domain
4. The SASL client now sends an empty response, as authentication 4. The SASL client now sends an empty response, as authentication
continues via the normal SAML flow. continues via the normal SAML flow and the SASL server will
receive the answer to the challenge out-of-band from the SASL
conversation.
5. At this point the SASL client MUST construct a URL containing the 5. At this point the SASL client MUST construct a URL containing the
content received in the previous message from the SASL server. content received in the previous message from the SASL server.
This URL is transmitted to the IdP either by the SASL client This URL is transmitted to the IdP either by the SASL client
application or an appropriate handler, such as a browser. application or an appropriate handler, such as a browser.
6. Next the client authenticates to the IdP. The manner in which 6. Next the user authenticates to the IdP. The manner in which the
the end user is authenticated to the IdP and any policies end user is authenticated to the IdP and any policies surrounding
surrounding such authentication is out of scope for SAML and such authentication is out of scope for SAML and hence for this
hence for this draft. This step happens out of band from SASL. draft. This step happens out of band from SASL.
7. The IdP will convey information about the success or failure of 7. The IdP will convey information about the success or failure of
the authentication back to the the SASL server (Relying Party) in the authentication back to the the SASL server (Relying Party) in
the form of an Authentication Statement or failure, using a the form of an Authentication Statement or failure, using a
indirect response via the client browser or the handler (and with indirect response via the client browser or the handler (and with
an external browser client control should be passed back to the an external browser client control should be passed back to the
SASL client). This step happens out of band from SASL. SASL client). This step happens out of band from SASL.
8. The SASL Server sends an appropriate SASL response to the client, 8. The SASL Server sends an appropriate SASL response to the client,
along with an optional list of attributes along with an optional list of attributes
skipping to change at page 8, line 15 skipping to change at page 8, line 15
SASL Serv. Client IdP SASL Serv. Client IdP
|>-----(1)----->| | Advertisement |>-----(1)----->| | Advertisement
| | | | | |
|<-----(2)-----<| | Initiation |<-----(2)-----<| | Initiation
| | | | | |
|>-----(3)----->| | Authentication Request |>-----(3)----->| | Authentication Request
| | | | | |
|<-----(4)-----<| | Empty Response |<-----(4)-----<| | Empty Response
| | | | | |
| |< - -(5,6) - ->| Client<>IDP | |< - -(5,6) - ->| Client<>IDP
| | | Authentication (5,6) | | | Authentication
| | | | | |
|<- - - - - - - - - - -(7)- - -| Authentication Statement |<- - - - - - - - - - -(7)- - -| Authentication Statement
| | | | | |
|>-----(8)----->| | SASL completion with |>-----(8)----->| | SASL completion with
| | | status | | | status
| | | | | |
----- = SASL ----- = SASL
- - - = HTTP or HTTPs (external to SASL) - - - = HTTP or HTTPS (external to SASL)
Figure 2: Authentication flow Figure 2: Authentication flow
3. SAML SASL Mechanism Specification 3. SAML SASL Mechanism Specification
This section specifies the details of the SAML SASL mechanism. See This section specifies the details of the SAML SASL mechanism. See
section 5 of [RFC4422] for what needs to be described here. section 5 of [RFC4422] for what is described here.
The name of this mechanism is "SAML20". The mechanism is capable of The name of this mechanism is "SAML20". The mechanism is capable of
transferring an authorization identity (via the "gs2-header"). The transferring an authorization identity (via the "gs2-header"). The
mechanism does not offer a security layer. mechanism does not offer a security layer.
The mechanism is client-first. The first mechanism message from the The mechanism is client-first. The first mechanism message from the
client to the server is the "initial-response". As described in client to the server is the "initial-response". As described in
[RFC4422], if the application protocol does not support sending a [RFC4422], if the application protocol does not support sending a
client-response together with the authentication request, the server client-response together with the authentication request, the server
will send an empty server-challenge to let the client begin. will send an empty server-challenge to let the client begin. The
second mechanism message is from the server to the client, containing
The second mechanism message is from the server to the client, the SAML "authentication-request". The third mechanism message is
containing the SAML "authentication-request". from client to the server, and is the fixed message consisting of "="
(i.e., an empty response). The fourth mechanism message is from the
The third mechanism message is from client to the server, and is the server to the client, indicating the SASL mechanism outcome.
fixed message consisting of "=".
The fourth mechanism message is from the server to the client,
indicating the SASL mechanism outcome.
3.1. Initial Response 3.1. Initial Response
A client initiates a "SAML20" authentication with SASL by sending the A client initiates a "SAML20" authentication with SASL by sending the
GS2 header followed by the authentication identifier (message 2 in GS2 header followed by the authentication identifier (message 2 in
Figure 2) and is defined as follows: Figure 2) and is defined as follows:
initial-response = gs2-header Idp-Identifier initial-response = gs2-header Idp-Identifier
IdP-Identifier = domain ; domain name with corresponding IdP IdP-Identifier = domain ; domain name with corresponding IdP
The "gs2-header" carries the optional authorization identity as The "gs2-header" is used as follows:
specified in [RFC5801], and it is used as follows:
- The "gs2-nonstd-flag" MUST NOT be present. - The "gs2-nonstd-flag" MUST NOT be present.
- See Section 5 for the channel binding "gs2-cb-flag" field. - The "gs2-cb-flag" MUST be set to "n" because channel binding
[RFC5056] data cannot be integrity protected by the SAML
negotiation. (Note: In theory channel binding data could be
inserted in the SAML flow by the client and verified by the
server, but that is currently not supported in SAML.)
- The "gs2-authzid" carries the optional authorization identity. - The "gs2-authzid" carries the optional authorization identity as
specified in [RFC5801] (not to be confused with the IdP-
Identifier).
Domain name is specified in [RFC1035]. Domain name is specified in [RFC1035]. A domain name is either a
"traditional domain name" as described in [RFC1035] or an
"internationalized domain name" as described in [RFC5890]. Clients
and servers MUST treat the IdP-Identifier as a domain name slot
[RFC5890]. They also SHOULD support internationalized domain names
(IDNs) in the Idp-Identifier field; if they do so, all of the domain
name's labels MUST be A-labels or NR-LDH labels [RFC5890], if
necessary internationalized labels MUST be converted from U-labels to
A-labels by using the Punycode encoding [RFC3492] for A-labels prior
to sending them to the SASL-server as described in the protocol
specification for Internationalized Domain Names in Applications
[RFC5891].
3.2. Authentication Request 3.2. Authentication Request
The SASL Server transmits to the SASL client a URI that redirects the The SASL Server transmits to the SASL client a URI that redirects the
SAML client to the IdP (corresponding to the domain the user SAML client to the IdP (corresponding to the domain that the user
provided), with a SAML authentication request as one of the provided), with a SAML authentication request as one of the
parameters (message 3 in Figure 2) in the following way: parameters (message 3 in Figure 2) in the following way:
authentication-request = URI authentication-request = URI
URI is specified in [RFC3986] and is encoded according to Section 3.4 URI is specified in [RFC3986] and is encoded according to Section 3.4
(HTTP Redirect) of the SAML bindings 2.0 specification (HTTP Redirect) of the SAML bindings 2.0 specification
[OASIS.saml-bindings-2.0-os]. The SAML authentication request is [OASIS.saml-bindings-2.0-os]. The SAML authentication request is
encoded according to Section 3.4 (Authentication Request) of the SAML encoded according to Section 3.4 (Authentication Request) of the SAML
core 2.0 specification [OASIS.saml-core-2.0-os]. core 2.0 specification [OASIS.saml-core-2.0-os]. Should the client
support Internationalized Resource Identifiers (IRIs) [RFC3987] it
MUST first convert the IRI to a URI before transmitting it to the
server [RFC5890].
Note: The SASL server may have a static mapping of domain to Note: The SASL server may have a static mapping of domain to
corresponding IdP or alternatively a DNS-lookup mechanism could be corresponding IdP or alternatively a DNS-lookup mechanism could be
envisioned, but that is out-of-scope for this document. envisioned, but that is out-of-scope for this document.
Note: While the SASL client MAY sanity check the URI it received, Note: While the SASL client MAY sanity check the URI it received,
ultimately it is the SAML IdP that will be validated by the SAML ultimately it is the SAML IdP that will be validated by the SAML
client which is out-of-scope for this document. client which is out-of-scope for this document.
The client then sends the authentication request via an HTTP GET The client then sends the authentication request via an HTTP GET
skipping to change at page 10, line 46 skipping to change at page 11, line 12
confirmation or rejection of the authentiation of the RP (out-of- confirmation or rejection of the authentiation of the RP (out-of-
scope for this document). scope for this document).
After all authentication has been completed by the IdP, the IdP will After all authentication has been completed by the IdP, the IdP will
send a redirect message to the client in the form of a URI send a redirect message to the client in the form of a URI
corresponding to the Relying Party as specified in the authentication corresponding to the Relying Party as specified in the authentication
request ("AssertionConsumerServiceURL") and with the SAML response as request ("AssertionConsumerServiceURL") and with the SAML response as
one of the parameters (message 7 in Figure 2). one of the parameters (message 7 in Figure 2).
Please note: this means that the SASL server needs to implement a Please note: this means that the SASL server needs to implement a
SAML Relying Party. Also, the SASL server needs to correlate the TCP SAML Relying Party. Also, the SASL server needs to correlate the
session from the SASL client with the SAML authentication by session it has with the SASL client with the appropriate SAML
comparing the ID of the SAML request with that in the response. authentication result. It can do so by comparing the ID of the SAML
authentication request it has issued with the one it receives in the
SAML authentication statement.
3.3. Outcome and parameters 3.3. Outcome and parameters
The SASL server now validates the response it received from the The SASL server (in its capacity as a SAML Relying Party) now
client via HTTP or HTTPS, as specified in the SAML specification validates the SAML authentication response it received from the SAML
client via HTTP or HTTPS.
The response by the SASL server constitutes a SASL mechanism outcome, The outcome of that validation by the SASL server constitutes a SASL
and MUST be used to set state in the server accordingly, and it MUST mechanism outcome, and therefore (as stated in [RFC4422]) SHALL be
be used by the server to report that state to the SASL client as used to set state in the server accordingly, and it SHALL be used by
described in [RFC4422] Section 3.6 (message 8 in Figure 2). the server to report that state to the SASL client as described in
[RFC4422] Section 3.6 (message 8 in Figure 2).
4. SAML GSS-API Mechanism Specification 4. SAML GSS-API Mechanism Specification
This section, its sub-sections and appropriate references of it not This section and its sub-sections are not required for SASL
referenced elsewhere in this document, are not required for SASL
implementors, but this section MUST be observed to implement the GSS- implementors, but this section MUST be observed to implement the GSS-
API mechanism discussed below. API mechanism discussed below.
The SAML SASL mechanism is actually also a GSS-API mechanism. The This section specify a GSS-API mechanism that when used via the GS2
SAML user takes the role of the GSS-API Initiator and the SAML bridge to SASL behaves like the SASL mechanism defined in this
Relying Party takes the role of the GSS-API Acceptor. The SAML document. Thus, it can loosely be said that the SAML SASL mechanism
Identity Provider does not have a role in GSS-API, and is considered is also a GSS-API mechanism. The SAML user takes the role of the
an internal matter for the SAML mechanism. The messages are the GSS-API Initiator and the SAML Relying Party takes the role of the
same, but GSS-API Acceptor. The SAML Identity Provider does not have a role in
GSS-API, and is considered an internal matter for the SAML mechanism.
The messages are the same, but
a) the GS2 header on the client's first message and channel binding a) the GS2 header on the client's first message and channel binding
data is excluded when SAML is used as a GSS-API mechanism, and data is excluded when SAML is used as a GSS-API mechanism, and
b) the RFC2743 section 3.1 initial context token header is prefixed b) the RFC2743 section 3.1 initial context token header is prefixed
to the client's first authentication message (context token). to the client's first authentication message (context token).
The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see The GSS-API mechanism OID for SAML is OID-TBD (IANA to assign: see
IANA considerations). IANA considerations).
skipping to change at page 12, line 40 skipping to change at page 12, line 41
delegation, therefore SAML security contexts MUST have the delegation, therefore SAML security contexts MUST have the
deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE. deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE.
The mutual authentication property of this mechanism relies on The mutual authentication property of this mechanism relies on
successfully comparing the TLS server identity with the negotiated successfully comparing the TLS server identity with the negotiated
target name. Since the TLS channel is managed by the application target name. Since the TLS channel is managed by the application
outside of the GSS-API mechanism, the mechanism itself is unable to outside of the GSS-API mechanism, the mechanism itself is unable to
confirm the name while the application is able to perform this confirm the name while the application is able to perform this
comparison for the mechanism. For this reason, applications MUST comparison for the mechanism. For this reason, applications MUST
match the TLS server identity with the target name, as discussed in match the TLS server identity with the target name, as discussed in
[RFC6125]. [RFC6125]. More precisely, to pass identity validation the client
uses the securely negotiated targ_name as the reference identifier
and match it to the DNS-ID of the server certificate, and MUST reject
the connection if there is a mismatch. For compatibility with
deployed certificate hierarchies, the client MAY also perform a
comparison with the CN-ID when there is no DNS-ID present. Wildcard
matching is permitted. The targ_name reference identifier is a
"traditional domain names" thus the comparison is made using case-
insensitive ASCII comparison.
The SAML mechanism does not support per-message tokens or The SAML mechanism does not support per-message tokens or
GSS_Pseudo_random. GSS_Pseudo_random.
4.1. GSS-API Principal Name Types for SAML 4.1. GSS-API Principal Name Types for SAML
SAML supports standard generic name syntaxes for acceptors such as SAML supports standard generic name syntaxes for acceptors such as
GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). SAML GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). SAML
supports only a single name type for initiators: GSS_C_NT_USER_NAME. supports only a single name type for initiators: GSS_C_NT_USER_NAME.
GSS_C_NT_USER_NAME is the default name type for SAML. The query, GSS_C_NT_USER_NAME is the default name type for SAML. The query,
display, and exported name syntaxes for SAML principal names are all display, and exported name syntaxes for SAML principal names are all
the same. There are no SAML-specific name syntaxes -- applications the same. There are no SAML-specific name syntaxes -- applications
should use generic GSS-API name types such as GSS_C_NT_USER_NAME and should use generic GSS-API name types such as GSS_C_NT_USER_NAME and
GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported
name token does, of course, conform to [RFC2743], Section 3.2. name token does, of course, conforms to [RFC2743], Section 3.2.
5. Channel Binding
The "gs2-cb-flag" MUST be set to "n" because channel binding data
cannot be integrity protected by the SAML negotiation.
Note: In theory channel binding data could be inserted in the SAML
flow by the client and verified by the server, but that is currently
not supported in SAML.
6. Examples 5. Examples
6.1. XMPP 5.1. XMPP
Suppose the user has an identity at the SAML IdP saml.example.org and Suppose the user has an identity at the SAML IdP saml.example.org and
a Jabber Identifier (JID) "somenode@example.com", and wishes to a Jabber Identifier (JID) "somenode@example.com", and wishes to
authenticate his XMPP connection to xmpp.example.com. The authenticate his XMPP connection to xmpp.example.com. The
authentication on the wire would then look something like the authentication on the wire would then look something like the
following: following:
Step 1: Client initiates stream to server: Step 1: Client initiates stream to server:
<stream:stream xmlns='jabber:client' <stream:stream xmlns='jabber:client'
skipping to change at page 15, line 38 skipping to change at page 14, line 38
<stream:features> <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism> <mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism> <mechanism>PLAIN</mechanism>
<mechanism>SAML20</mechanism> <mechanism>SAML20</mechanism>
</mechanisms> </mechanisms>
</stream:features> </stream:features>
Step 4: Client selects an authentication mechanism and provides the Step 4: Client selects an authentication mechanism and provides the
initial client response containing the BASE64 [RFC4648] encoded gs2- initial client response containing the according to the definition in
header and domain: Section 4 ofBASE64 [RFC4648] encoded gs2-header and domain:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'> <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'>
biwsZXhhbXBsZS5vcmc</auth> biwsZXhhbXBsZS5vcmc</auth>
The decoded string is: n,,example.org The decoded string is: n,,example.org
Step 5: Server sends a BASE64 encoded challenge to client in the form Step 5: Server sends a BASE64 encoded challenge to client in the form
of an HTTP Redirect to the SAML IdP corresponding to example.org of an HTTP Redirect to the SAML IdP corresponding to example.org
(https://saml.example.org) with the SAML Authentication Request as (https://saml.example.org) with the SAML Authentication Request as
specified in the redirection url: specified in the redirection url:
skipping to change at page 18, line 36 skipping to change at page 17, line 36
</samlp:AuthnRequest> </samlp:AuthnRequest>
Note: the server can use the request ID Note: the server can use the request ID
(_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL (_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL
session with the SAML authentication. session with the SAML authentication.
Step 5 (alternative): Server returns error to client if no SAML Step 5 (alternative): Server returns error to client if no SAML
Authentication Request can be constructed: Authentication Request can be constructed:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<incorrect-encoding/> <temporary-auth-failure/>
</failure> </failure>
</stream:stream> </stream:stream>
Step 6: Client sends the empty response to the challenge encoded as a Step 6: Client sends the empty response to the challenge encoded as a
single =: single =:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
= =
</response> </response>
[ The client now sends the URL to a browser instance for processing. The following steps between brackets are out of scope for this
document but included to better illustrate the entire flow.
[The client now sends the URL to a browser instance for processing.
The browser engages in a normal SAML authentication flow (external to The browser engages in a normal SAML authentication flow (external to
SASL), like redirection to the Identity Provider SASL), like redirection to the Identity Provider
(https://saml.example.org), the user logs into (https://saml.example.org), the user logs into
https://saml.example.org, and agrees to authenticate to https://saml.example.org, and agrees to authenticate to
xmpp.example.com. A redirect is passed back to the client browser xmpp.example.com. A redirect is passed back to the client browser
who sends the AuthN response to the server, containing the subject- who sends the AuthN response to the server, containing the subject-
identifier as an attribute. If the AuthN response doesn't contain identifier as an attribute. If the AuthN response doesn't contain
the JID, the server maps the subject-identifier received from the IdP the JID, the server maps the subject-identifier received from the IdP
to a JID] to a JID]
Step 7: Server informs client of successful authentication: Step 7: Server informs client of successful authentication:
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/> <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 7 (alt): Server informs client of failed authentication: Step 7 (alt): Server informs client of failed authentication:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<temporary-auth-failure/> <not-authorized/>
</failure> </failure>
</stream:stream> </stream:stream>
Step 8: Client initiates a new stream to server:
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' version='1.0'>
Step 9: Server responds by sending a stream header to client along
with any additional features (or an empty features element):
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_345' from='example.com' version='1.0'>
<stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
<session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
</stream:features>
Step 10: Client binds a resource:
<iq type='set' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
</bind>
</iq>
Step 11: Server informs client of successful resource binding:
<iq type='result' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>somenode@example.com/someresource</jid>
</bind>
</iq>
Please note: line breaks were added to the base64 for clarity. Please note: line breaks were added to the base64 for clarity.
6.2. IMAP 5.2. IMAP
The following describes an IMAP exchange. Lines beginning with 'S:' The following describes an IMAP exchange. Lines beginning with 'S:'
indicate data sent by the server, and lines starting with 'C:' indicate data sent by the server, and lines starting with 'C:'
indicate data sent by the client. Long lines are wrapped for indicate data sent by the client. Long lines are wrapped for
readability. readability.
S: * OK IMAP4rev1 S: * OK IMAP4rev1
C: . CAPABILITY C: . CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS S: * CAPABILITY IMAP4rev1 STARTTLS
S: . OK CAPABILITY Completed S: . OK CAPABILITY Completed
C: . STARTTLS C: . STARTTLS
S: . OK Begin TLS negotiation now S: . OK Begin TLS negotiation now
C: . CAPABILITY C: . CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=SAML20 S: * CAPABILITY IMAP4rev1 AUTH=SAML20
S: . OK CAPABILITY Completed S: . OK CAPABILITY Completed
C: . AUTHENTICATE SAML20 C: . AUTHENTICATE SAML20
S: + S: +
C: biwsZXhhbXBsZS5vcmc C: biwsZXhhbXBsZS5vcmc
S: + aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx S: + aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1M
dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz UmVxdWVzdD1QSE5oYld4d09rRg0KMWRHaHVVbVZ4ZFdWemRDQjRiV3h1Y3pwe
Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli llXMXNjRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJqT2xOQg0KVFV3Nk1pNH
M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U dPbkJ5YjNSdlkyOXNJZzBLSUNBZ0lFbEVQU0pmWW1Wak5ESTBabUUxTVRBek5
QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5 ESTRPVEE1WQ0KVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQlda
dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5 WEp6YVc5dVBTSXlMakFpRFFvZ0lDQWdTWA0KTnpkV1ZKYm5OMFlXNTBQU0l5T
TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE URBM0xURXlMVEV3VkRFeE9qTTVPak0wV2lJZ1JtOXlZMlZCZFhSb2JqMA0KaV
UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy ptRnNjMlVpRFFvZ0lDQWdTWE5RWVhOemFYWmxQU0ptWVd4elpTSU5DaUFnSUN
TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx CUWNtOTBiMk52YkVKcA0KYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6
TU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUUxWQlBVMVFpRFFvZ0lDQWdRWE56 cDBZenBUUVUxTU9qSXVNRHBpYVc1a2FXNW5jenBJVg0KRlJRTFZCUFUxUWlEU
WlhKMGFXOXVRMjl1YzNWdFpYSlRaWEoyYVdObFZWSk1QUTBLSUNBZ0lDQWdJ W9nSUNBZ1FYTnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05sVlZKTVBRME
Q0FpYUhSMGNITTZMeTk0YlhCd0xtVjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFY tJQw0KQWdJQ0FnSUNBaWFIUjBjSE02THk5dFlXbHNMbVY0WVcxd2JHVXVZMjl
TnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05sSWo0TkNpQThjMkZ0YkRw 0TDFOQlRVd3ZRWE56WlhKMGFXOQ0KdVEyOXVjM1Z0WlhKVFpYSjJhV05sSWo0
SmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6 TkNpQThjMkZ0YkRwSmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaQ0KZFhKdU9tO
T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSStEUW9nSUNBZ0lHaDBk WhjMmx6T201aGJXVnpPblJqT2xOQlRVdzZNaTR3T21GemMyVnlkR2x2YmlJK0
SEJ6T2k4dmVHMXdjQzVsZUdGdGNHeGxMbU52YlEwS0lEd3ZjMkZ0YkRwSmMz RRb2dJQ0FnSQ0KR2gwZEhCek9pOHZlRzF3Y0M1bGVHRnRjR3hsTG1OdmJRMEt
TjFaWEkrRFFvZ1BITmhiV3h3T2s1aGJXVkpSRkJ2YkdsamVTQjRiV3h1Y3pw JRHd2YzJGdGJEcEpjM04xWlhJK0RRb2dQSA0KTmhiV3h3T2s1aGJXVkpSRkJ2
ellXMXNjRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJqT2xOQlRVdzZNaTR3 YkdsamVTQjRiV3h1Y3pwellXMXNjRDBpZFhKdU9tOWhjMmx6T201aGJXVg0Ke
T25CeWIzUnZZMjlzSWcwS0lDQWdJQ0JHYjNKdFlYUTlJblZ5YmpwdllYTnBj k9uUmpPbE5CVFV3Nk1pNHdPbkJ5YjNSdlkyOXNJZzBLSUNBZ0lDQkdiM0p0WV
enB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB1WVcxbGFXUXRabTl5YldGME9u hROUluVnlianB2WVhOcA0KY3pwdVlXMWxjenAwWXpwVFFVMU1Pakl1TURwdVl
Qmxjbk5wYzNSbGJuUWlEUW9nSUNBZ0lGTlFUbUZ0WlZGMVlXeHBabWxsY2ow XMWxhV1F0Wm05eWJXRjBPbkJsY25OcGMzUmxiblFpRA0KUW9nSUNBZ0lGTlFU
aWVHMXdjQzVsZUdGdGNHeGxMbU52YlNJZ1FXeHNiM2REY21WaGRHVTlJblJ5 bUZ0WlZGMVlXeHBabWxsY2owaWVHMXdjQzVsZUdGdGNHeGxMbU52YlNJZ1FXe
ZFdVaUlDOCtEUW9nUEhOaGJXeHdPbEpsY1hWbGMzUmxaRUYxZEdodVEyOXVk HNiMw0KZERjbVZoZEdVOUluUnlkV1VpSUM4K0RRb2dQSE5oYld4d09sSmxjWF
R1Y0ZEEwS0lDQWdJQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9t ZsYzNSbFpFRjFkR2h1UTI5dWRHVg0KNGRBMEtJQ0FnSUNCNGJXeHVjenB6WVc
NWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQU5DaUFnSUNB xc2NEMGlkWEp1T205aGMybHpPbTVoYldWek9uUmpPbE5CVFV3Ng0KTWk0d09u
Z0lDQWdRMjl0Y0dGeWFYTnZiajBpWlhoaFkzUWlQZzBLSUNBOGMyRnRiRHBC QnliM1J2WTI5c0lpQU5DaUFnSUNBZ0lDQWdRMjl0Y0dGeWFYTnZiajBpWlhoa
ZFhSb2JrTnZiblJsZUhSRGJHRnpjMUpsWmcwS0lDQWdJQ0FnZUcxc2JuTTZj FkzUWlQZzBLSQ0KQ0E4YzJGdGJEcEJkWFJvYmtOdmJuUmxlSFJEYkdGemMxSm
MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t xaZzBLSUNBZ0lDQWdlRzFzYm5NNmMyRnRiRA0KMGlkWEp1T205aGMybHpPbTV
RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN oYldWek9uUmpPbE5CVFV3Nk1pNHdPbUZ6YzJWeWRHbHZiaUkrRFFvZ0lDQQ0K
NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5 Z0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZV002W
YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi TJ4aGMzTmxjenBRWVhOeg0KZDI5eVpGQnliM1JsWTNSbFpGUnlZVzV6Y0c5eW
MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX RBMEtJQ0E4TDNOaGJXdzZRWFYwYUc1RGIyNTBaWGgwUQ0KMnhoYzNOU1pXWSt
UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW EUW9nUEM5ellXMXNjRHBTWlhGMVpYTjBaV1JCZFhSb2JrTnZiblJsZUhRK0lB
bGMzUSs= MEtQQw0KOXpZVzFzY0RwQmRYUm9ibEpsY1hWbGMzUSs=
C: C:
S: . OK Success (tls protection) S: . OK Success (tls protection)
The decoded challenge is: The decoded challenge is:
https://saml.example.org/SAML/Browser?SAMLRequest=PHNhbWxwOk https://saml.example.org/SAML/Browser?SAMLRequest=PHNhbWxwOkF
F1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOl 1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNB
NBTUw6Mi4wOnByb3RvY29sIg0KICAgIElEPSJfYmVjNDI0ZmE1MTAzNDI4OT TUw6Mi4wOnByb3RvY29sIg0KICAgIElEPSJfYmVjNDI0ZmE1MTAzNDI4OTA5Y
A5YTMwZmYxZTMxMTY4MzI3Zjc5NDc0OTg0IiBWZXJzaW9uPSIyLjAiDQogIC TMwZmYxZTMxMTY4MzI3Zjc5NDc0OTg0IiBWZXJzaW9uPSIyLjAiDQogICAgSX
AgSXNzdWVJbnN0YW50PSIyMDA3LTEyLTEwVDExOjM5OjM0WiIgRm9yY2VBdX NzdWVJbnN0YW50PSIyMDA3LTEyLTEwVDExOjM5OjM0WiIgRm9yY2VBdXRobj0
Robj0iZmFsc2UiDQogICAgSXNQYXNzaXZlPSJmYWxzZSINCiAgICBQcm90b2 iZmFsc2UiDQogICAgSXNQYXNzaXZlPSJmYWxzZSINCiAgICBQcm90b2NvbEJp
NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW bmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIV
5nczpIVFRQLVBPU1QiDQogICAgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVV FRQLVBPU1QiDQogICAgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPQ0KIC
JMPQ0KICAgICAgICAiaHR0cHM6Ly94bXBwLmV4YW1wbGUuY29tL1NBTUwvQX AgICAgICAiaHR0cHM6Ly9tYWlsLmV4YW1wbGUuY29tL1NBTUwvQXNzZXJ0aW9
NzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4NCiA8c2FtbDpJc3N1ZXIgeG1sbn uQ29uc3VtZXJTZXJ2aWNlIj4NCiA8c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0i
M6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbi dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+DQogICAgI
I+DQogICAgIGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbQ0KIDwvc2FtbDpJc3 Gh0dHBzOi8veG1wcC5leGFtcGxlLmNvbQ0KIDwvc2FtbDpJc3N1ZXI+DQogPH
N1ZXI+DQogPHNhbWxwOk5hbWVJRFBvbGljeSB4bWxuczpzYW1scD0idXJuOm NhbWxwOk5hbWVJRFBvbGljeSB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWV
9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIg0KICAgICBGb3JtYX zOnRjOlNBTUw6Mi4wOnByb3RvY29sIg0KICAgICBGb3JtYXQ9InVybjpvYXNp
Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0On czpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiD
BlcnNpc3RlbnQiDQogICAgIFNQTmFtZVF1YWxpZmllcj0ieG1wcC5leGFtcG QogICAgIFNQTmFtZVF1YWxpZmllcj0ieG1wcC5leGFtcGxlLmNvbSIgQWxsb3
xlLmNvbSIgQWxsb3dDcmVhdGU9InRydWUiIC8+DQogPHNhbWxwOlJlcXVlc3 dDcmVhdGU9InRydWUiIC8+DQogPHNhbWxwOlJlcXVlc3RlZEF1dGhuQ29udGV
RlZEF1dGhuQ29udGV4dA0KICAgICB4bWxuczpzYW1scD0idXJuOm9hc2lzOm 4dA0KICAgICB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6
5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiANCiAgICAgICAgQ29tcGFyaX Mi4wOnByb3RvY29sIiANCiAgICAgICAgQ29tcGFyaXNvbj0iZXhhY3QiPg0KI
Nvbj0iZXhhY3QiPg0KICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZg0KIC CA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZg0KICAgICAgeG1sbnM6c2FtbD
AgICAgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm 0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+DQogICA
Fzc2VydGlvbiI+DQogICAgICAgICAgIHVybjpvYXNpczpuYW1lczp0YzpTQU gICB1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNz
1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0DQ d29yZFByb3RlY3RlZFRyYW5zcG9ydA0KICA8L3NhbWw6QXV0aG5Db250ZXh0Q
ogIDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiA8L3NhbWxwOlJlcX 2xhc3NSZWY+DQogPC9zYW1scDpSZXF1ZXN0ZWRBdXRobkNvbnRleHQ+IA0KPC
Vlc3RlZEF1dGhuQ29udGV4dD4gDQo8L3NhbWxwOkF1dGhuUmVxdWVzdD4= 9zYW1scDpBdXRoblJlcXVlc3Q+
Where the decoded SAMLRequest looks like: Where the decoded SAMLRequest looks like:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0"
IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false" IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false"
IsPassive="false" IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL= AssertionConsumerServiceURL=
"https://xmpp.example.com/SAML/AssertionConsumerService"> "https://mail.example.com/SAML/AssertionConsumerService">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://xmpp.example.com https://xmpp.example.com
</saml:Issuer> </saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="xmpp.example.com" AllowCreate="true" /> SPNameQualifier="xmpp.example.com" AllowCreate="true" />
<samlp:RequestedAuthnContext <samlp:RequestedAuthnContext
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"> Comparison="exact">
<saml:AuthnContextClassRef <saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef> </saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext> </samlp:RequestedAuthnContext>
</samlp:AuthnRequest> </samlp:AuthnRequest>
7. Security Considerations 6. Security Considerations
This section addresses only security considerations associated with This section addresses only security considerations associated with
the use of SAML with SASL applications. For considerations relating the use of SAML with SASL applications. For considerations relating
to SAML in general, the reader is referred to the SAML specification to SAML in general, the reader is referred to the SAML specification
and to other literature. Similarly, for general SASL Security and to other literature. Similarly, for general SASL Security
Considerations, the reader is referred to that specification. Considerations, the reader is referred to that specification.
7.1. Man in the middle and Tunneling Attacks 6.1. Man in the middle and Tunneling Attacks
This mechanism is vulnerable to man-in-the-middle and tunneling This mechanism is vulnerable to man-in-the-middle and tunneling
attacks unless a client always verifies the server identity before attacks unless a client always verifies the server identity before
proceeding with authentication (see [RFC6125]). Typically TLS is proceeding with authentication (see [RFC6125]). Typically TLS is
used to provide a secure channel with server authentication. used to provide a secure channel with server authentication.
7.2. Binding SAML subject identifiers to Authorization Identities 6.2. Binding SAML subject identifiers to Authorization Identities
As specified in [RFC4422], the server is responsible for binding As specified in [RFC4422], the server is responsible for binding
credentials to a specific authorization identity. It is therefore credentials to a specific authorization identity. It is therefore
necessary that only specific trusted IdPs be allowed. This is necessary that only specific trusted IdPs be allowed. This is
typical part of SAML trust establishment between Relying Parties and typical part of SAML trust establishment between Relying Parties and
IdP. IdP.
7.3. User Privacy 6.3. User Privacy
The IdP is aware of each Relying Party that a user logs into. There The IdP is aware of each Relying Party that a user logs into. There
is nothing in the protocol to hide this information from the IdP. It is nothing in the protocol to hide this information from the IdP. It
is not a requirement to track the visits, but there is nothing that is not a requirement to track the visits, but there is nothing that
prohibits the collection of information. SASL server implementers prohibits the collection of information. SASL server implementers
should be aware that SAML IdPs will be able to track - to some extent should be aware that SAML IdPs will be able to track - to some extent
- user access to their services. - user access to their services.
7.4. Collusion between RPs 6.4. Collusion between RPs
It is possible for Relying Parties to link data that they have It is possible for Relying Parties to link data that they have
collected on the users. By using the same identifier to log into collected on the users. By using the same identifier to log into
every Relying Party, collusion between Relying Parties is possible. every Relying Party, collusion between Relying Parties is possible.
In SAML, targeted identity was introduced. Targeted identity allows In SAML, targeted identity was introduced. Targeted identity allows
the IdP to transform the identifier the user typed in to an opaque the IdP to transform the identifier the user typed in to a Relying
identifier. This way the Relying Party would never see the actual Party specific opaque identifier. This way the Relying Party would
user identifier, but a randomly generated identifier. never see the actual user identifier, but a randomly generated
identifier.
8. IANA Considerations 6.5. GSS-API specific security considerations
8.1. IANA mech-profile Security issues inherent in GSS-API (RFC 2743) and GS2 (RFC 5801)
apply to the SAML GSS-API mechanism defined in this document.
Further, and as discussed in section 4, proper TLS server identity
verification is critical to the security of the mechanism.
7. IANA Considerations
7.1. IANA mech-profile
The IANA is requested to register the following SASL profile: The IANA is requested to register the following SASL profile:
SASL mechanism profile: SAML20 SASL mechanism profile: SAML20
Security Considerations: See this document Security Considerations: See this document
Published Specification: See this document Published Specification: See this document
For further information: Contact the authors of this document. For further information: Contact the authors of this document.
Owner/Change controller: the IETF Owner/Change controller: the IETF
Intended usage: COMMON
Note: None Note: None
8.2. IANA OID 7.2. IANA OID
The IANA is further requested to assign an OID for this GSS mechanism The IANA is further requested to assign a new entry for this GSS
in the SMI numbers registry, with the prefix of mechanism in the sub-registry for SMI Security for Mechanism Codes,
iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to whose prefix is iso.org.dod.internet.security.mechanisms
reference this specification in the registry. (1.3.6.1.5.5) and to reference this specification in the registry.
9. References 8. References
9.1. Normative References 8.1. Normative References
[OASIS.saml-bindings-2.0-os] [OASIS.saml-bindings-2.0-os]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Maler, "Bindings for the OASIS Security Assertion Markup Maler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS Language (SAML) V2.0", OASIS
Standard saml-bindings-2.0-os, March 2005. Standard saml-bindings-2.0-os, March 2005.
[OASIS.saml-core-2.0-os] [OASIS.saml-core-2.0-os]
Cantor, S., Kemp, J., Philpott, R., and E. Maler, Cantor, S., Kemp, J., Philpott, R., and E. Maler,
"Assertions and Protocol for the OASIS Security Assertion "Assertions and Protocol for the OASIS Security Assertion
skipping to change at page 26, line 42 skipping to change at page 25, line 42
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in Applications
(IDNA)", RFC 3492, March 2003.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
Identifiers (IRIs)", RFC 3987, January 2005.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API) Mechanisms Service Application Program Interface (GSS-API) Mechanisms
in Simple Authentication and Security Layer (SASL): The in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010. GS2 Mechanism Family", RFC 5801, July 2010.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, August 2010.
[RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891, August 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[W3C.REC-html401-19991224] [W3C.REC-html401-19991224]
Raggett, D., Jacobs, I., and A. Hors, "HTML 4.01 Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01
Specification", World Wide Web Consortium Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999, Recommendation REC-html401-19991224, December 1999,
<http://www.w3.org/TR/1999/REC-html401-19991224>. <http://www.w3.org/TR/1999/REC-html401-19991224>.
9.2. Informative References 8.2. Informative References
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996. STD 53, RFC 1939, May 1996.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003. 4rev1", RFC 3501, March 2003.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
skipping to change at page 29, line 9 skipping to change at page 29, line 9
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank Howlett, Leif Johansson, Thomas Lenggenhager, Diego Lopez, Hank
Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their Mauldin, RL 'Bob' Morgan, Stefan Plug and Hannes Tschofenig for their
review and contributions. review and contributions.
Appendix B. Changes Appendix B. Changes
This section to be removed prior to publication. This section to be removed prior to publication.
o 09 Fixed text per IESG review
o 08 Fixed text per Gen-Art review o 08 Fixed text per Gen-Art review
o 07 Fixed text per comments Alexey Melnikov o 07 Fixed text per comments Alexey Melnikov
o 06 Fixed text per AD comments o 06 Fixed text per AD comments
o 05 Fixed references per ID-nits o 05 Fixed references per ID-nits
o 04 Added request for IANA assignment, few text clarifications o 04 Added request for IANA assignment, few text clarifications
 End of changes. 67 change blocks. 
213 lines changed or deleted 238 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/