One document matched: draft-wierenga-ietf-sasl-saml-00.txt
Network Working Group K. Wierenga
Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track E. Lear
Expires: July 19, 2010 Cisco Systems GmbH
January 15, 2010
A SASL Mechanism for SAML
draft-wierenga-ietf-sasl-saml-00.txt
Abstract
Security Assertion Markup Language (SAML) has found its usage on the
Internet for Web Single Sign-On. Simple Authentication and Security
Layer (SASL) is an application framework to generalize
authentication. This memo specifies a SASL mechanism for SAML 2.0
that allows the integration of existing SAML Identity Providers with
applications using SASL.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 19, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Wierenga & Lear Expires July 19, 2010 [Page 1]
Internet-Draft A SASL Mechanism for SAML January 2010
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Applicability for non-HTTP Use Cases . . . . . . . . . . . . . 6
4. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 8
4.1. Advertisement . . . . . . . . . . . . . . . . . . . . . . 8
4.2. Initiation . . . . . . . . . . . . . . . . . . . . . . . . 8
4.3. Server Redirect . . . . . . . . . . . . . . . . . . . . . 8
4.4. Client Empty Response and other . . . . . . . . . . . . . 8
4.5. Outcome and parameters . . . . . . . . . . . . . . . . . . 8
5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 15
6.1. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 15
6.2. Collusion between RPs . . . . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
8. Normative References . . . . . . . . . . . . . . . . . . . . . 17
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 18
Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
Wierenga & Lear Expires July 19, 2010 [Page 2]
Internet-Draft A SASL Mechanism for SAML January 2010
1. Introduction
Security Assertion Markup Language (SAML) [OASIS.saml-core-2.0-os] is
a multi-party protocol (or rather set of protocols) that provides a
means for a user to offer identity assertions and other attributes to
a relying party (RP) via the help of an identity provider (IdP).
Simple Authentication and Security Layer (SASL) [RFC4422] is a
generalized mechanism for identifying and authenticating a user and
for optionally negotiating a security layer for subsequent protocol
interactions. SASL is used by application protocols like IMAP, POP
and XMPP. The effect is to make modular authentication, so that
newer authentication mechanisms can be added as needed. This memo
specifies just such a mechanism.
As currently envisioned, this mechanism is to allow the interworking
between SASL and SAML in order to assert identity and other
attributes to relying parties. As such, while servers (as relying
parties) will advertise SASL mechanisms (including SAML), clients
will select the SAML SASL mechanism as their SASL mechanism of
choice.
The SAML mechanism described in this memo aims to re-use the
available SAML deployment to a maximum extent and therefore does not
establish a separate authentication, integrity and confidentiality
mechanism. It is anticipated that existing security layers, such as
Transport Layer Security (TLS), will continued to be used.
Figure 1 describes the interworking between SAML and SASL: this
document requires enhancements to the Relying Party and to the Client
(as the two SASL communication end points) but no changes to the SAML
Identity Provider are necessary. To accomplish this goal some
indirect messaging is tunneled within SASL, and some use of external
methods is made.
Wierenga & Lear Expires July 19, 2010 [Page 3]
Internet-Draft A SASL Mechanism for SAML January 2010
+-----------+
| |
>| Relying |
/ | Party |
// | |
// +-----------+
SAML/ // ^
HTTPs // +--|--+
// | S| |
/ S | A| |
// A | M| |
// S | L| |
// L | | |
// | | |
</ +--|--+
+------------+ v
| | +----------+
| SAML | HTTPs | |
| Identity |<--------------->| Client |
| Provider | | |
+------------+ +----------+
Figure 1: Interworking Architecture
Wierenga & Lear Expires July 19, 2010 [Page 4]
Internet-Draft A SASL Mechanism for SAML January 2010
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
The reader is assumed to be familiar with the terms used in the SAML
2.0 specification.
Wierenga & Lear Expires July 19, 2010 [Page 5]
Internet-Draft A SASL Mechanism for SAML January 2010
3. Applicability for non-HTTP Use Cases
While SAML itself is merely a markup language, its common use case
these days is with HTTP. What follows is a typical flow:
1. The browser requests a resource of a Relying Party (RP) (via an
HTTP request).
2. The RP sends an HTTP redirect as described in Section 10.3 of
[RFC2616] to the browser to the Identity Provider (IdP) or an IdP
discovery service with an authentication request that contains
the name of resource being requested, some sort of a cookie and a
return URL,
3. The user authenticates to the IdP and perhaps authorizes the
authentication to the service provider.
4. In its authentication response, the IdP redirects the browser
back to the RP with an authentication assertion, optionally along
with some additional attributes.
5. RP now has sufficient identity information to approve access to
the resource or not, and acts accordingly. The authentication is
concluded.
When considering this flow in the context of SASL, we note that while
the RP and the client both must change their code to implement this
SASL mechanism, the IdP must remain untouched. The RP already has
some sort of session (probably a TCP connection) established with the
client. Hence, it is not necessary to redirect the client back to
the RP. However, it may be necessary to redirect a client
application to another application or handler. This will be
discussed below. The steps are shown from below:
1. The server MAY advertise the SAML20 capability.
2. The client initiates a SASL authentication with SAML20
3. The server sends the client one of two responses:
1. a redirect to an IdP discovery service; or
2. a redirect to the IdP with a complete authentication request.
4. In either case, the client MUST send an empty response.
5. The SASL client hands the redirect to either a browser or an
appropriate handler (either external or internal to the client),
Wierenga & Lear Expires July 19, 2010 [Page 6]
Internet-Draft A SASL Mechanism for SAML January 2010
and the SAML authentication proceeds externally and opaquely from
the SASL process.
6. The SASL Server indicates success or failure, along with an
optional list of attributes
Please note: What is described here is the case in which the client
has not previously authenticated. If the client can handle SAML
internally it is possible that the client already holds a SAML
authentication token that can be send directly to the server, but
that would still be external to SASL.
Encompassed in step five is discovery, redirection back to the RP,
redirection to the IdP, and IdP, authentication, and IdP redirection,
based on the decision. These processes are all external to SASL.
With all of this in mind, the flow appears as follows:
SASL Serv. Client IdP
|>-----(1)----->| | Advertisement
| | |
|<-----(2)-----<| | Initiation
| | |
|>-----(3)----->| | Response (redirect)
| | |
|<-----(4)-----<| | Empty Response
| | |
|< - - (5) - - - - - - - - - ->| Client<>IDP
| | | Indirect Auth Request
| | |
|>-----(6)----->| | Server sends Outcome with
| | | attributes
| | |
----- = SASL
- - - = HTTP or HTTPs (external to SASL)
Figure 2: Authentication flow
Wierenga & Lear Expires July 19, 2010 [Page 7]
Internet-Draft A SASL Mechanism for SAML January 2010
4. SAML SASL Mechanism Specification
Based on the previous figure, the following operations are performed
with the SAML SASL mechanism:
4.1. Advertisement
To advertise that a server supports SAML 2.0, during application
session initiation, it displays the name "SAML20" in the list of
supported SASL mechanisms.
4.2. Initiation
A client initiates a "SAML20" authentication
4.3. Server Redirect
The SASL Server transmits a redirect to the URI of a discovery
service or an IdP that is configured at the server, with a SAML
authentication request in the form of a SAML assertion as one of the
parameters.
4.4. Client Empty Response and other
The SASL client hands the URI it received from the server in the
previous step to either a browser or other appropriate handler to
continue authentication externally while sending an empty response to
the SASL server. The URI is encoded according to Section 3.4 of the
SAML bindings 2.0 specification [OASIS.saml-bindings-2.0-os].
4.5. Outcome and parameters
The SAML authentication having completed externally, the SASL server
will transmit the outcome
Wierenga & Lear Expires July 19, 2010 [Page 8]
Internet-Draft A SASL Mechanism for SAML January 2010
5. Example
Suppose the user has an identity at the SAML IdP saml.example.org and
a Jabber Identifier (jid) "somenode@example.com", and wishes to
authenticate his XMPP connection to xmpp.example.com (and example.com
and example.org have established a trust relation). The
authentication on the wire would then look something like the
following:
Step 1: Client initiates stream to server:
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' version='1.0'>
Step 2: Server responds with a stream tag sent to client:
<stream:stream
xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'
id='some_id' from='example.com' version='1.0'>
Step 3: Server informs client of available authentication mechanisms:
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism>
<mechanism>SAML20</mechanism>
</mechanisms>
</stream:features>
Step 4: Client selects an authentication mechanism:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'/>
Step 5: Server sends a BASE64 [RFC4648] encoded challenge to client
in the form of an HTTP Redirect to the SAML assertion consumer
service with the SAML Authentication Request as specified in the
redirection url:
Wierenga & Lear Expires July 19, 2010 [Page 9]
Internet-Draft A SASL Mechanism for SAML January 2010
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
SFRUUC8xLjEgMzAyIE9iamVjdCBNb3ZlZApEYXRlOiAyMiBPY3QgMjAwOSAwNzowMDo0OSBH
TVQKTG9jYXRpb246IGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbS9TQU1ML1hNUFAvQnJvd3Nl
cj9TQU1MUmVxdWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lp
QkpSRDBpWDJKbFl6UXlOR1poTlRFd016UXlPRGt3T1dFek1HWm1NV1V6TVRFMk9ETXlOMlkz
T1RRM05EazROQ0lnVm1WeWMybHZiajBpTWk0d0lpQkpjM04xWlVsdWMzUmhiblE5SWpJd01E
Y3RNVEl0TVRCVU1URTZNems2TXpSYUlpQkdiM0pqWlVGMWRHaHVQU0ptWVd4elpTSWdTWE5R
WVhOemFYWmxQU0ptWVd4elpTSWdVSEp2ZEc5amIyeENhVzVrYVc1blBTSjFjbTQ2YjJGemFY
TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZbWx1WkdsdVozTTZTRlJVVUMxUVQxTlVJaUJC
YzNObGNuUnBiMjVEYjI1emRXMWxjbE5sY25acFkyVlZVa3c5SW1oMGRIQTZMeTk0YlhCd0xt
VjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFYTnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05s
SWo0S29LQ2dvRHh6WVcxc09rbHpjM1ZsY2lCNGJXeHVjenB6WVcxc1BTSjFjbTQ2YjJGemFY
TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZWE56WlhKMGFXOXVJajRLb0tDZ29LQ2dvS0Jv
ZEhSd09pOHZlRzF3Y0M1bGVHRnRjR3hsTG1OdmJRcWdvS0NnUEM5ellXMXNPa2x6YzNWbGNq
NEtvS0Nnb0R4ellXMXNjRHBPWVcxbFNVUlFiMnhwWTNrZ2VHMXNibk02YzJGdGJIQTlJblZ5
YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB3Y205MGIyTnZiQ0lnUm05eWJX
RjBQU0oxY200NmIyRnphWE02Ym1GdFpYTTZkR002VTBGTlREb3lMakE2Ym1GdFpXbGtMV1p2
Y20xaGREcHdaWEp6YVhOMFpXNTBJaUJUVUU1aGJXVlJkV0ZzYVdacFpYSTlJbmh0Y0hBdVpY
aGhiWEJzWlM1amIyMGlJRUZzYkc5M1EzSmxZWFJsUFNKMGNuVmxJaUF2UGdxZ29LQ2dQSE5o
Yld4d09sSmxjWFZsYzNSbFpFRjFkR2h1UTI5dWRHVjRkQ0I0Yld4dWN6cHpZVzFzY0QwaWRY
SnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkRiMjF3
WVhKcGMyOXVQU0psZUdGamRDSStDcUNnb0tDZ29LQ2dQSE5oYld3NlFYVjBhRzVEYjI1MFpY
aDBRMnhoYzNOU1pXWWdlRzFzYm5NNmMyRnRiRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJq
T2xOQlRVdzZNaTR3T21GemMyVnlkR2x2YmlJK0NxQ2dvS0Nnb0tDZ29LQ2dvSFZ5YmpwdllY
TnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHBoWXpwamJHRnpjMlZ6T2xCaGMzTjNiM0pr
VUhKdmRHVmpkR1ZrVkhKaGJuTndiM0owQ3FDZ29LQ2dvS0NnUEM5ellXMXNPa0YxZEdodVEy
OXVkR1Y0ZEVOc1lYTnpVbVZtUGdxZ29LQ2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpXUkJkWFJv
YmtOdmJuUmxlSFErQ2p3dmMyRnRiSEE2UVhWMGFHNVNaWEYxWlhOMFBnbz0mUmVsYXlTdGF0
ZT0wMDQzYmZjMWJjNDUxMTBkYWUxNzAwNDAwNWIxM2EyYiZTaWdBbGc9aHR0cCUzQSUyRiUg
MkZ3d3cudzMub3JnJTJGMjAwJTJGMDklMkZ4bWxkc2lnJTIzcnNhLSBzaGExJlNpZ25hdHVy
ZT1OT1RBUkVBTFNJR05BVFVSRUJVVFRIRVJFQUxPTkVXT1VMREdPSEVSRQpDb250ZW50LVR5
cGU6IHRleHQvaHRtbDsgY2hhcnNldD1pc28tODg1OS0xCg==
</challenge>
The decoded challenge is:
Wierenga & Lear Expires July 19, 2010 [Page 10]
Internet-Draft A SASL Mechanism for SAML January 2010
HTTP/1.1 302 Object Moved Date: 22 Oct 2009 07:00:49 GMT Location:
https://xmpp.example.com/SAML/XMPP/Browser?SAMLRequest=
PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNB
TUw6Mi4wOnByb3RvY29sIiBJRD0iX2JlYzQyNGZhNTEwMzQyODkwOWEzMGZmMWUzMTE2ODMy
N2Y3OTQ3NDk4NCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMDctMTItMTBUMTE6
Mzk6MzRaIiBGb3JjZUF1dGhuPSJmYWxzZSIgSXNQYXNzaXZlPSJmYWxzZSIgUHJvdG9jb2xC
aW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NU
IiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHA6Ly94bXBwLmV4YW1wbGUuY29t
L1NBTUwvQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4KoKCgoDxzYW1sOklzc3VlciB4bWxu
czpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4KoKCgoKCg
oKBodHRwOi8veG1wcC5leGFtcGxlLmNvbQqgoKCgPC9zYW1sOklzc3Vlcj4KoKCgoDxzYW1s
cDpOYW1lSURQb2xpY3kgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIu
MDpwcm90b2NvbCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlk
LWZvcm1hdDpwZXJzaXN0ZW50IiBTUE5hbWVRdWFsaWZpZXI9InhtcHAuZXhhbXBsZS5jb20i
IEFsbG93Q3JlYXRlPSJ0cnVlIiAvPgqgoKCgPHNhbWxwOlJlcXVlc3RlZEF1dGhuQ29udGV4
dCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBD
b21wYXJpc29uPSJleGFjdCI+
CqCgoKCgoKCgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWYgeG1sbnM6c2FtbD0idXJuOm9h
c2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+
CqCgoKCgoKCgoKCgoHVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBh
c3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0CqCgoKCgoKCgPC9zYW1sOkF1dGhuQ29udGV4dENs
YXNzUmVmPgqgoKCgPC9zYW1scDpSZXF1ZXN0ZWRBdXRobkNvbnRleHQ+
Cjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pgo=&RelayState=
0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F%
2Fwww.w3.org%2F200%2F09%2Fxmldsig%23rsa-
sha1&Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE Content-Type:
text/html; charset=iso-8859-1
Where the decoded SAMLRequest looks like:
Wierenga & Lear Expires July 19, 2010 [Page 11]
Internet-Draft A SASL Mechanism for SAML January 2010
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0"
IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL=
"http://xmpp.example.com/SAML/AssertionConsumerService">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
http://xmpp.example.com
</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="xmpp.example.com" AllowCreate="true" />
<samlp:RequestedAuthnContext
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact">
<saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
E urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Step 5 (alt): Server returns error to client:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<incorrect-encoding/>
</failure>
</stream:stream>
Step 6: Client sends a BASE64 encoded empty response to the
challenge:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
=
</response>
[ The client now sends the URL to a browser for processing. The
browser engages in a normal SAML authentication flow (external to
SASL), like redirection to the Identity Provider
(http://saml.example.org), the user logs into
http://saml.example.org, and agrees to authenticate to
Wierenga & Lear Expires July 19, 2010 [Page 12]
Internet-Draft A SASL Mechanism for SAML January 2010
xmpp.example.com. A redirect is passed back to the client browser
who sends the AuthN response to the server, containing the subject-
identifier and possibly the jid as an attribute. If the AuthN
response doesn't contain the JID, the server maps the subject-
identifier received from the IdP to a jid]
Step 7: Server informs client of successful authentication:
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 7 (alt): Server informs client of failed authentication:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<temporary-auth-failure/>
</failure>
</stream:stream>
Step 8: Client initiates a new stream to server:
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' version='1.0'>
Step 9: Server responds by sending a stream header to client along
with any additional features (or an empty features element):
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_345' from='example.com' version='1.0'>
<stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
<session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
</stream:features>
Step 10: Client binds a resource:
<iq type='set' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
Wierenga & Lear Expires July 19, 2010 [Page 13]
Internet-Draft A SASL Mechanism for SAML January 2010
</bind>
</iq>
Step 11: Server informs client of successful resource binding:
<iq type='result' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>somenode@example.com/someresource</jid>
</bind>
</iq>
Please note: line breaks were added to the base64 for clarity.
Wierenga & Lear Expires July 19, 2010 [Page 14]
Internet-Draft A SASL Mechanism for SAML January 2010
6. Security Considerations
This section will address only security considerations associated
with the use of SAML with SASL applications. For considerations
relating to SAML in general, the reader is referred to the SAML
specification and to other literature. Similarly, for general SASL
Security Considerations, the reader is referred to that
specification.
6.1. User Privacy
The IdP is aware of each RP that a user logs into. There is nothing
in the protocol to hide this information from the IdP. It is not a
requirement to track the visits, but there is nothing that prohibits
the collection of information. SASL servers should be aware that
SAML IdPs will track - to some extent - user access to their
services.
6.2. Collusion between RPs
It is possible for RPs to link data that they have collected on you.
By using the same identifier to log into every RP, collusion between
RPs is possible. In SAML, targeted identity was introduced.
Targeted identity allows the IdP to transform the identifier the user
typed in to an opaque identifier. This way the RP would never see
the actual user identifier, but a randomly generated identifier.
This is an option the user has to understand and decide to use if the
IdP is supporting it.
Wierenga & Lear Expires July 19, 2010 [Page 15]
Internet-Draft A SASL Mechanism for SAML January 2010
7. IANA Considerations
The IANA is requested to register the following SASL profile:
SASL mechanism profile: SAML20
Security Considerations: See this document
Published Specification: See this document
For further information: Contact the authors of this document.
Owner/Change controller: the IETF
Note: None
Wierenga & Lear Expires July 19, 2010 [Page 16]
Internet-Draft A SASL Mechanism for SAML January 2010
8. Normative References
[OASIS.saml-bindings-2.0-os]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Maler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS
Standard saml-bindings-2.0-os, March 2005.
[OASIS.saml-core-2.0-os]
Cantor, S., Kemp, J., Philpott, R., and E. Maler,
"Assertions and Protocol for the OASIS Security Assertion
Markup Language (SAML) V2.0", OASIS Standard saml-core-
2.0-os, March 2005.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
Wierenga & Lear Expires July 19, 2010 [Page 17]
Internet-Draft A SASL Mechanism for SAML January 2010
Appendix A. Acknowledgments
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan
and Hannes Tschofenig for their review and contributions.
Wierenga & Lear Expires July 19, 2010 [Page 18]
Internet-Draft A SASL Mechanism for SAML January 2010
Appendix B. Changes
This section to be removed prior to publication.
o 00 Initial Revision.
Wierenga & Lear Expires July 19, 2010 [Page 19]
Internet-Draft A SASL Mechanism for SAML January 2010
Authors' Addresses
Klaas Wierenga
Cisco Systems, Inc.
Haarlerbergweg 13-19
Amsterdam, Noord-Holland 1101 CH
Netherlands
Phone: +31 20 357 1752
Email: klaas@cisco.com
Eliot Lear
Cisco Systems GmbH
Richtistrasse 7
Wallisellen, ZH CH-8304
Switzerland
Phone: +41 44 878 9200
Email: lear@cisco.com
Wierenga & Lear Expires July 19, 2010 [Page 20]
| PAFTECH AB 2003-2026 | 2026-04-24 03:09:33 |