draft-ietf-oauth-saml2-bearer-05.txt   draft-ietf-oauth-saml2-bearer-06.txt 
B. Campbell, Ed. B. Campbell, Ed.
Internet-Draft Ping Identity Corp. Internet-Draft Ping Identity Corp.
Intended status: Standards Track C. Mortimore Intended status: Standards Track C. Mortimore
Expires: February 2, 2012 Salesforce.com Expires: February 2, 2012 Salesforce.com
Aug 2011 Aug 2011
SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
draft-ietf-oauth-saml2-bearer-05 draft-ietf-oauth-saml2-bearer-06
Abstract Abstract
This specification defines the use of a SAML 2.0 Bearer Assertion as This specification defines the use of a SAML 2.0 Bearer Assertion as
means for requesting an OAuth 2.0 access token as well as for use as means for requesting an OAuth 2.0 access token as well as for use as
a means of client authentication. a means of client authentication.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 2, line 18 skipping to change at page 2, line 18
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4
2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4
2.1. Using SAML Assertions as Authorization Grants . . . . . . 4 2.1. Using SAML Assertions as Authorization Grants . . . . . . 4
2.2. Using SAML Assertions for Client Authentication . . . . . 4 2.2. Using SAML Assertions for Client Authentication . . . . . 4
3. Assertion Format and Processing Requirements . . . . . . . . . 5 3. Assertion Format and Processing Requirements . . . . . . . . . 5
3.1. Authorization Grant Processing . . . . . . . . . . . . . . 7 3.1. Authorization Grant Processing . . . . . . . . . . . . . . 7
3.2. Client Authentication Processing . . . . . . . . . . . . . 8 3.2. Client Authentication Processing . . . . . . . . . . . . . 8
4. Authorization Grant Example (non-normative) . . . . . . . . . 8 4. Authorization Grant Example (non-normative) . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6.1. Sub-Namspace Registration of 6.1. Sub-Namespace Registration of
urn:ietf:params:oauth:grant-type:saml2-bearer . . . . . . 10 urn:ietf:params:oauth:grant-type:saml2-bearer . . . . . . 10
6.2. Sub-Namspace Registration of 6.2. Sub-Namespace Registration of
urn:ietf:params:oauth:client-assertion-type:saml2-bearer . 10 urn:ietf:params:oauth:client-assertion-type:saml2-bearer . 10
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 11 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 11
Appendix B. Document History . . . . . . . . . . . . . . . . . . 11 Appendix B. Document History . . . . . . . . . . . . . . . . . . 11
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
7.1. Normative References . . . . . . . . . . . . . . . . . . . 14 7.1. Normative References . . . . . . . . . . . . . . . . . . . 14
7.2. Informative References . . . . . . . . . . . . . . . . . . 15 7.2. Informative References . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
skipping to change at page 7, line 8 skipping to change at page 7, line 8
Assertion can be delivered. Verification of the Address is at Assertion can be delivered. Verification of the Address is at
the discretion of the authorization server. the discretion of the authorization server.
o If the Assertion issuer authenticated the subject, the Assertion o If the Assertion issuer authenticated the subject, the Assertion
SHOULD contain a single <AuthnStatement> representing that SHOULD contain a single <AuthnStatement> representing that
authentication event. authentication event.
o If the Assertion was issued with the intention that the presenter o If the Assertion was issued with the intention that the presenter
act autonomously on behalf of the subject, an <AuthnStatement> act autonomously on behalf of the subject, an <AuthnStatement>
SHOULD NOT be included. The presenter SHOULD be identified in the SHOULD NOT be included. The presenter SHOULD be identified in the
<NamseID> or similar element, the <SubjectConfirmation> element, <NameID> or similar element, the <SubjectConfirmation> element, or
or by other available means like [OASIS.saml-deleg-cs]. by other available means like [OASIS.saml-deleg-cs].
o Other statements, in particular <AttributeStatement> elements, MAY o Other statements, in particular <AttributeStatement> elements, MAY
be included in the Assertion. be included in the Assertion.
o The Assertion MUST be digitally signed by the issuer and the o The Assertion MUST be digitally signed by the issuer and the
authorization server MUST verify the signature. authorization server MUST verify the signature.
o Encrypted elements MAY appear in place of their plain text o Encrypted elements MAY appear in place of their plain text
counterparts as defined in [OASIS.saml-core-2.0-os]. counterparts as defined in [OASIS.saml-core-2.0-os].
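Review bot: the NamseID->NameID fix in the "act autonomously" bullet is correct, but the bullet stays underspecified in two ways that matter to an authorization server implementer: "or similar element" names no alternative (the SAML 2.0 <Subject> identifier choices are <BaseID>, <NameID> and <EncryptedID>; either list them or drop the phrase), and it does not say whether the <NameID> in this case identifies the presenter rather than the subject, even though "act autonomously on behalf of the subject" treats the two as different parties. Suggest rewording to "The presenter SHOULD be identified in the <NameID> (or other <Subject> identifier element) or in the <SubjectConfirmation> element ...".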
skipping to change at page 10, line 28 skipping to change at page 10, line 28
5. Security Considerations 5. Security Considerations
No additional considerations beyond those described within the OAuth No additional considerations beyond those described within the OAuth
2.0 Protocol Framework [I-D.ietf.oauth-v2] and in the Security and 2.0 Protocol Framework [I-D.ietf.oauth-v2] and in the Security and
Privacy Considerations for the OASIS Security Assertion Markup Privacy Considerations for the OASIS Security Assertion Markup
Language (SAML) V2.0 [OASIS.saml-sec-consider-2.0-os]. Language (SAML) V2.0 [OASIS.saml-sec-consider-2.0-os].
6. IANA Considerations 6. IANA Considerations
6.1. Sub-Namspace Registration of 6.1. Sub-Namespace Registration of
urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:saml2-bearer
This is a request to IANA to please register the value grant- This is a request to IANA to please register the value grant-
type:saml2-bearer in the registry urn:ietf:params:oauth established type:saml2-bearer in the registry urn:ietf:params:oauth established
in [I-D.ietf.oauth-urn-sub-ns] in [I-D.ietf.oauth-urn-sub-ns]
o URN: urn:ietf:params:oauth:grant-type:saml2-bearer o URN: urn:ietf:params:oauth:grant-type:saml2-bearer
o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for
OAuth 2.0 OAuth 2.0
o Change controller: IETF o Change controller: IETF
o Description: [[this document]] o Description: [[this document]]
6.2. Sub-Namspace Registration of 6.2. Sub-Namespace Registration of
urn:ietf:params:oauth:client-assertion-type:saml2-bearer urn:ietf:params:oauth:client-assertion-type:saml2-bearer
This is a request to IANA to please register the value client- This is a request to IANA to please register the value client-
assertion-type:saml2-bearer in the registry urn:ietf:params:oauth assertion-type:saml2-bearer in the registry urn:ietf:params:oauth
established in [I-D.ietf.oauth-urn-sub-ns] established in [I-D.ietf.oauth-urn-sub-ns]
o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer
o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0 o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0
Client Authentication Client Authentication
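Review bot: Section 5 defers entirely to [I-D.ietf.oauth-v2] and [OASIS.saml-sec-consider-2.0-os], yet the checks that make a bearer assertion safe in this profile are only visible in Section 3 and in the -05 history entry (signature verification is a MUST, Address verification is discretionary, and subject confirmation data becomes optional when Conditions carry an audience and NotOnOrAfter). A short paragraph here should restate that the authorization server verifies the issuer signature, the audience and the NotOnOrAfter window before accepting an assertion, so that a reader of this section alone does not conclude there is nothing profile-specific to check. Minor: the two IANA registration sentences in 6.1 and 6.2 end without a period after [I-D.ietf.oauth-urn-sub-ns].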
skipping to change at page 11, line 25 skipping to change at page 11, line 25
The following people contributed wording and concepts to this The following people contributed wording and concepts to this
document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran
Hammer-Lahav, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten Hammer-Lahav, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten
Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael
Jones, Hannes Tschofenig and David Waite. Jones, Hannes Tschofenig and David Waite.
Appendix B. Document History Appendix B. Document History
[[ to be removed by RFC editor before publication as an RFC ]] [[ to be removed by RFC editor before publication as an RFC ]]
draft-ietf-oauth-saml2-bearer-06
o Fix three typos NamseID->NameID and (2x) Namspace->Namespace
draft-ietf-oauth-saml2-bearer-05 draft-ietf-oauth-saml2-bearer-05
o Allow for subject confirmation data to be optional when Conditions o Allow for subject confirmation data to be optional when Conditions
contain audience and NotOnOrAfter contain audience and NotOnOrAfter
o Rework most of the spec to profile draft-ietf-oauth-assertions for o Rework most of the spec to profile draft-ietf-oauth-assertions for
both authn and authz including (but not limited to): both authn and authz including (but not limited to):
* remove requirement for issuer to be * remove requirement for issuer to be
urn:oasis:names:tc:SAML:2.0:nameid-format:entity urn:oasis:names:tc:SAML:2.0:nameid-format:entity
skipping to change at page 15, line 24 skipping to change at page 15, line 28
Security Assertion Markup Language (SAML) V2.0", OASIS Security Assertion Markup Language (SAML) V2.0", OASIS
Standard OASIS.saml-profiles-2.0-os, March 2005. Standard OASIS.saml-profiles-2.0-os, March 2005.
[OASIS.saml-sec-consider-2.0-os] [OASIS.saml-sec-consider-2.0-os]
Hirsch, F., Philpott, R., and E. Maler, "Security and Hirsch, F., Philpott, R., and E. Maler, "Security and
Privacy Considerations for the OASIS Security Markup Privacy Considerations for the OASIS Security Markup
Language (SAML) V2.0", OASIS Standard saml-sec-consider- Language (SAML) V2.0", OASIS Standard saml-sec-consider-
2.0-os, March 2005. 2.0-os, March 2005.
[W3C.REC-html401-19991224] [W3C.REC-html401-19991224]
Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01 Hors, A., Jacobs, I., and D. Raggett, "HTML 4.01
Specification", World Wide Web Consortium Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999, Recommendation REC-html401-19991224, December 1999,
<http://www.w3.org/TR/1999/REC-html401-19991224>. <http://www.w3.org/TR/1999/REC-html401-19991224>.
Authors' Addresses Authors' Addresses
Brian Campbell (editor) Brian Campbell (editor)
Ping Identity Corp. Ping Identity Corp.
Email: brian.d.campbell@gmail.com Email: brian.d.campbell@gmail.com
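Review bot: this hunk reorders the authors of [W3C.REC-html401-19991224] from "Hors, A., Raggett, D., and I. Jacobs" to "Hors, A., Jacobs, I., and D. Raggett", but the new -06 entry in Appendix B records only the three NamseID/Namspace typo fixes; add the reference correction to that history entry so the change log matches the diff.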
End of changes. 8 change blocks. 8 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/