Diff of draft-ietf-oauth-saml2-bearer-07.txt and draft-ietf-oauth-saml2-bearer-08.txt
(lines that differ between the two drafts are shown as "-07:" / "-08:" pairs)

B. Campbell, Ed.
Internet-Draft                                      Ping Identity Corp.
Intended status: Standards Track                           C. Mortimore
Expires: February 2, 2012                                Salesforce.com
                                                               Aug 2011

SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
-07: draft-ietf-oauth-saml2-bearer-07
-08: draft-ietf-oauth-saml2-bearer-08

Abstract

This specification defines the use of a SAML 2.0 Bearer Assertion as
means for requesting an OAuth 2.0 access token as well as for use as
a means of client authentication.

Status of this Memo

This Internet-Draft is submitted in full conformance with the

skipping to change at page 3, line 40
grant types to support additional clients or to provide a bridge
between OAuth and other trust frameworks.  Finally, OAuth allows the
definition of additional authentication mechanisms to be used by
clients when interacting with the authorization server.

The OAuth 2.0 Assertion Profile [I-D.ietf.oauth-assertions] is an
abstract extension to OAuth 2.0 that provides a general framework for
the use of assertions as client credentials and/or authorization
grants with OAuth 2.0.  This specification profiles the OAuth 2.0
Assertion Profile [I-D.ietf.oauth-assertions] to define an extension
-07: grant type that usues a SAML 2.0 Bearer Assertion to request an OAuth
-08: grant type that uses a SAML 2.0 Bearer Assertion to request an OAuth
2.0 access token as well as for use as client credentials.  The
format and processing rules for the SAML Assertion defined in this
specification are intentionally similar, though not identical, to
those in the Web Browser SSO Profile defined in SAML Profiles
[OASIS.saml-profiles-2.0-os].  This specification is reusing, to the
extent reasonable, concepts and patterns from that well-established
Profile.

This document defines how a SAML Assertion can be used to request an
access token when a client wishes to utilize an existing trust

skipping to change at page 4, line 33
2.  HTTP Parameter Bindings for Transporting Assertions

The OAuth 2.0 Assertion Profile [I-D.ietf.oauth-assertions] defines
generic HTTP parameters for transporting assertions during
interactions with a token endpoint.  This section defines the values
of those parameters for use with SAML 2.0 Bearer Assertions.

2.1.  Using SAML Assertions as Authorization Grants

To use a SAML Bearer Assertion as an authorization grant, use the
-07: following paramter values and encodings.
-08: following parameter values and encodings.

The value of "grant_type" parameter MUST be
"urn:ietf:params:oauth:grant-type:saml2-bearer"

The value of the "assertion" parameter MUST contain a single SAML 2.0
Assertion.  The SAML Assertion XML data MUST be encoded using
base64url, where the encoding adheres to the definition in Section 5
of RFC4648 [RFC4648] and where the padding bits are set to zero.  To
avoid the need for subsequent encoding steps (by "application/
x-www-form-urlencoded" [W3C.REC-html401-19991224], for example), the
base64url encoded data SHOULD NOT be line wrapped and pad characters
("=") SHOULD NOT be included.
2.2.  Using SAML Assertions for Client Authentication

To use a SAML Bearer Assertion for client authentication grant, use
-07: the following paramter values and encodings.
-08: the following parameter values and encodings.

The value of "client_assertion_type" parameter MUST be
"urn:ietf:params:oauth:client-assertion-type:saml2-bearer"

The value of the "client_assertion" parameter MUST contain a single
SAML 2.0 Assertion.  The SAML Assertion XML data MUST be encoded
using base64url, where the encoding adheres to the definition in
Section 5 of RFC4648 [RFC4648] and where the padding bits are set to
zero.  To avoid the need for subsequent encoding steps (by
"application/x-www-form-urlencoded" [W3C.REC-html401-19991224], for

skipping to change at page 11, line 19
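Sections 2.1 and 2.2 above prescribe the same wire encoding for the "assertion" and "client_assertion" parameters: one SAML 2.0 Assertion, base64url per RFC 4648 Section 5, with no padding and no line wrapping. The following Python is an added example, not code from the draft or its authors; it shows the client-side encoding for both parameters and the check a token endpoint would apply when decoding. The sample assertion, its issuer, and its subject are constructed and unsigned; signature validation is outside what this snippet demonstrates.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"

# Constructed, minimal, unsigned assertion used only as sample input.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-id" Version="2.0" IssueInstant="2011-08-01T12:00:00Z">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)


def encode_assertion(xml_text: str) -> str:
    """base64url (RFC 4648 Section 5), pad characters stripped, no line wrapping."""
    raw = base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii")
    return raw.rstrip("=")


def decode_assertion(value: str) -> bytes:
    """Token-endpoint side: reject standard-alphabet, padded or wrapped input,
    then restore the padding the client was told to omit."""
    if any(c in value for c in "+/=\r\n "):
        raise ValueError("parameter is not unpadded, unwrapped base64url")
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def grant_request_body(xml_text: str) -> str:
    """Section 2.1: form body of a token request using the assertion as a grant."""
    return urllib.parse.urlencode(
        {"grant_type": GRANT_TYPE, "assertion": encode_assertion(xml_text)})


def client_auth_params(xml_text: str) -> dict:
    """Section 2.2: parameters that authenticate the client with the assertion."""
    return {"client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": encode_assertion(xml_text)}


def parse_single_assertion(encoded: str) -> ET.Element:
    """Decode and require that the root element is exactly one saml:Assertion.
    A production endpoint should parse with entity expansion disabled."""
    root = ET.fromstring(decode_assertion(encoded))
    if root.tag != "{%s}Assertion" % SAML2_ASSERTION_NS:
        raise ValueError("parameter must carry a single SAML 2.0 Assertion")
    return root
```

Because base64url uses only unreserved characters, the encoded value survives form-urlencoding unchanged, which is the point of the SHOULD NOTs in the text.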
o  Change controller: IETF
o  Description: [[this document]]

Appendix A.  Contributors

The following people contributed wording and concepts to this
document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran
Hammer-Lahav, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten
Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael
-07: Jones, Hannes Tschofenig and David Waite.
-08: Jones, Hannes Tschofenig, David Waite and Mukesh Bhatnagar.

Appendix B.  Document History

[[ to be removed by RFC editor before publication as an RFC ]]

-08 only:
draft-ietf-oauth-saml2-bearer-08
o  fix some typos

draft-ietf-oauth-saml2-bearer-07
o  update reference from draft-campbell-oauth-urn-sub-ns to
   draft-ietf-oauth-urn-sub-ns
o  Updated to reference draft-ietf-oauth-v2-20

draft-ietf-oauth-saml2-bearer-06
o  Fix three typos NamseID->NameID and (2x) Namspace->Namespace

skipping to change at page 12, line 17 (-07) / line 19 (-08)
o  Change title to be more generic (allowing for client authn too)
o  added client authentication to the abstract
o  register and use urn:ietf:params:oauth:grant-type:saml2-bearer for
   grant type rather than http://oauth.net/grant_type/saml/2.0/bearer
o  register urn:ietf:params:oauth:client-assertion-type:saml2-bearer
-07: o  remove scope paramter as it is defined in
-08: o  remove scope parameter as it is defined in
   http://tools.ietf.org/html/draft-ietf-oauth-assertions
o  remove assertion param registration because it [should] be in
   http://tools.ietf.org/html/draft-ietf-oauth-assertions
o  fix typo(s) and update/add references

draft-ietf-oauth-saml2-bearer-04
o  Changed the grant_type URI from

End of changes.  7 change blocks.  6 lines changed or deleted, 10 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/