One document matched: draft-ietf-abfab-aaa-saml-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc strict="no"?>
<?rfc rfcedstyle="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2865 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml">
<!ENTITY rfc3575 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3575.xml">
<!ENTITY I-D.lear-abfab-arch SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-lear-abfab-arch-02.xml">
<!ENTITY I-D.draft-jones-diameter-abfab SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-jones-diameter-abfab-00.xml">
<!ENTITY SAML2Core SYSTEM "http://xml.resource.org/public/rfc/bibxml2/reference.OASIS.saml-core-2.0-os.xml">
<!ENTITY SAML2Profiles SYSTEM "http://xml.resource.org/public/rfc/bibxml2/reference.OASIS.saml-profiles-2.0-os.xml">
<!ENTITY SAML2Bindings SYSTEM "http://xml.resource.org/public/rfc/bibxml2/reference.OASIS.saml-bindings-2.0-os.xml">
]>
<rfc category="info" docName="draft-ietf-abfab-aaa-saml-01" ipr="trust200902">
<front>
<title abbrev="An AAA Attribute for SAML Messages">A RADIUS Attribute for SAML Messages</title>
<author initials="J." surname="Howlett" fullname="Josh Howlett">
<organization>JANET(UK)</organization>
<address>
<postal>
<street>Lumen House, Library Avenue, Harwell</street>
<city>Oxford</city>
<code>OX11 0SG</code>
<country>UK</country>
</postal>
<phone>+44 1235 822363</phone>
<email>Josh.Howlett@ja.net</email>
</address>
</author>
<author initials="S." surname="Hartman" fullname="Sam Hartman">
<organization>Painless Security</organization>
<address>
<postal>
<street> </street>
<city> </city>
<code> </code>
<country> </country>
</postal>
<phone> </phone>
<email>hartmans-ietf@mit.edu</email>
</address>
</author>
<date year="2011" />
<area>Security Area</area>
<workgroup>ABFAB</workgroup>
<keyword>AAA</keyword>
<keyword>RADIUS</keyword>
<keyword>SAML</keyword>
<abstract>
<t>
This document defines the SAML-Message attribute for use with the RADIUS protocol. This
attribute is used for encapsulating Security Assertion Mark-up Language (SAML) messages.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The SAML-Message attribute has motivated by the requirements of the ABFAB architecture
<xref target="I-D.lear-abfab-arch" />. In this architecture, the attribute is used to
convey Security Assertion Mark-up Language (SAML) messages between a SAML requester and
responder.
</t>
<t>
In the SAML model, the composition of such
message exchanges with an underlying transport protocol is known as a
SAML binding. SAML already defines <xref target="OASIS.saml-bindings-2.0-os" /> a number
of mainly HTTP-based bindings, principally (although
by no means exclusively) for use with the SAML Web Browser Single Sign-On Profile
<xref target="OASIS.saml-profiles-2.0-os" />.
</t>
<t>
In the ABFAB architecture, AAA-based transport protocols are used to convey SAML messages.
This document defines a RADIUS attribute required for binding SAML to RADIUS <xref target="RFC2865"/> transport. A
<eref target="http://www.project-moonshot.org/sites/default/files/sstc-saml-binding-aaa-draft-00.pdf">draft
document</eref> exists that describes a proposed binding, but it has not yet been submitted to the
OASIS Security Services Technical Committee. This is pending conclusions on
the following aspects of the ABFAB architecture:
<list style="symbols">
<t>The use of the SAML attribute query at some arbitrary time after the initial EAP
authentication exchange.</t>
<t>The use of the SAML attribute query to obtain attributes for a principal from
more than one attribute authority.</t>
<t>Alignment with the Diameter ABFAB application <xref target="I-D.jones-diameter-abfab" />.</t>
</list>
</t>
<t>
This attribute is likely to be useful for other purposes besides ABFAB; an example of a
potential application is SAML-based authorisation for network access.
</t>
</section>
<section title="Conventions">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted
as described in RFC 2119 <xref target="RFC2119" />.
</t>
</section>
<section title="SAML Message Attribute">
<t>
This attribute contains a SAML <xref target="OASIS.saml-core-2.0-os" /> message. Where multiple SAML-Message attributes are included
in a RADIUS message, the Message fields of these attributes are to be concatenated to form
a single SAML message.
</t>
<t>
A summary of the SAML-Message format is shown below. The fields are transmitted from left to right.
</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SAML Message...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1
]]></artwork>
</figure>
<list style="hanging">
<t hangText="Type:">
TBD
</t>
<t hangText="Length:">
>=4
</t>
<t hangText="Message:">
The Message field is one or more octets containing a SAML message. If larger than a
single attribute, the SAML message data MUST be split on 253-octet boundaries over as
many attributes as necessary. The SAML message is reconstructed by concatenating the
contents of all SAML-Message attributes.
</t>
</list>
</section>
<section title="Security Considerations">
<t>
TODO
</t>
</section>
<section title="IANA Considerations">
<t>
Assignments of additional enumerated values for the RADIUS attributes defined in this document are to be processed as described in <xref target="RFC3575" />, subject to the additional requirements of a published specification.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc2865;
&SAML2Core;
&rfc3575;
</references>
<references title="Informative References">
&I-D.draft-jones-diameter-abfab;
&I-D.lear-abfab-arch;
&SAML2Bindings;
&SAML2Profiles;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:54:41 |