One document matched: draft-wierenga-ietf-sasl-saml-00.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"[ <!ENTITY RFC2119 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC4422 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4422.xml">
<!ENTITY RFC4648 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4648.xml">
<!ENTITY RFC2616 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2616.xml">
<!ENTITY RFC2234 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2234.xml">
<!ENTITY SAML20 SYSTEM "http://xml.resource.org/public/rfc/bibxml2/reference.OASIS.saml-core-2.0-os.xml">
<!ENTITY SAML20BIND SYSTEM
"http://xml.resource.org/public/rfc/bibxml2/reference.OASIS.saml-bindings-2.0-os.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc compact="no" ?> <?rfc
sortrefs="yes" ?> <?rfc strict="yes" ?> <?rfc linkmailto="yes" ?>
<rfc ipr="trust200902" docName="draft-wierenga-ietf-sasl-saml-00.txt"
category="std">
<front>
<title abbrev="A SASL Mechanism for SAML">
A SASL Mechanism for SAML
</title>
<author fullname="Klaas Wierenga" initials="K." surname="Wierenga">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Haarlerbergweg 13-19</street>
<city>Amsterdam</city>
<code>1101 CH</code>
<region>Noord-Holland</region>
<country>Netherlands</country>
</postal>
<phone>+31 20 357 1752</phone>
<email>klaas@cisco.com</email>
</address>
</author>
<author fullname="Eliot Lear" initials="E." surname="Lear">
<organization>Cisco Systems GmbH</organization>
<address>
<postal>
<street>Richtistrasse 7</street>
<city>Wallisellen</city>
<code>CH-8304</code>
<region>ZH</region>
<country>Switzerland</country>
</postal>
<phone>+41 44 878 9200</phone>
<email>lear@cisco.com</email>
</address>
</author>
<date year="2010"/>
<abstract>
<t>
Security Assertion Markup Language (SAML) has found its
usage on the Internet for Web Single Sign-On. Simple Authentication
and
Security Layer (SASL) is an application framework to generalize
authentication. This memo specifies a SASL mechanism for SAML 2.0
that
allows the integration of existing SAML Identity Providers with
applications using SASL.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
<xref target="OASIS.saml-core-2.0-os">Security Assertion Markup
Language (SAML)</xref> is a multi-party protocol (or rather set of protocols)
that provides a means for a user to offer identity assertions and other
attributes to a relying party (RP) via the help of an identity provider
(IdP).
</t>
<t>
<xref target="RFC4422">Simple Authentication and Security Layer (SASL)</xref> is a generalized
mechanism for identifying and authenticating a user and for optionally negotiating a security layer
for subsequent protocol interactions. SASL is used by application protocols like IMAP, POP and
XMPP. The effect is to make modular authentication, so that newer
authentication mechanisms can be added as needed. This memo specifies
just such a mechanism.
</t>
<t> As currently envisioned, this mechanism
is to allow the interworking between SASL and SAML in order to assert
identity and other attributes to relying parties. As such, while servers
(as relying parties) will advertise SASL mechanisms (including SAML),
clients will select
the SAML SASL mechanism as their SASL mechanism of choice. </t>
<t>The SAML mechanism described in this memo
aims to re-use the available SAML deployment to a maximum extent and
therefore does not establish a separate authentication, integrity and
confidentiality mechanism. It is anticipated that existing security
layers, such as Transport Layer Security (TLS), will continued to be
used.</t>
<t><xref target="overview"/> describes the interworking between SAML and
SASL: this document requires enhancements to the Relying Party and to
the Client (as the two SASL communication end points) but no changes to
the SAML Identity Provider are necessary. To accomplish this goal some
indirect messaging is tunneled within SASL, and some use of external
methods is made.</t>
<t> <figure anchor="overview" title="Interworking
Architecture"> <artwork><![CDATA[
+-----------+
| |
>| Relying |
/ | Party |
// | |
// +-----------+
SAML/ // ^
HTTPs // +--|--+
// | S| |
/ S | A| |
// A | M| |
// S | L| |
// L | | |
// | | |
</ +--|--+
+------------+ v
| | +----------+
| SAML | HTTPs | |
| Identity |<--------------->| Client |
| Provider | | |
+------------+ +----------+
]]></artwork> </figure> </t>
</section>
<section anchor="terminology" title="Terminology">
<t>The key words
"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in RFC 2119 <xref target="RFC2119"/>.</t>
<t>The reader is assumed to be familiar with the terms used in the SAML
2.0 specification.</t>
</section>
<section title="Applicability for non-HTTP Use Cases">
<t>While SAML
itself is merely a markup language, its common use case these days is
with HTTP. What follows is a typical flow: </t>
<t>
<list style="numbers">
<t>The browser requests a resource of a Relying Party (RP) (via an HTTP request).</t>
<t>The RP sends an HTTP
redirect as described in Section 10.3 of <xref target="RFC2616" /> to
the browser to the Identity Provider (IdP) or an IdP discovery service with
an authentication request that contains the name of resource being
requested, some sort of a cookie and a return URL, </t>
<t> The user
authenticates to the IdP and perhaps authorizes the authentication to
the service provider. </t>
<t> In its authentication response, the IdP
redirects the browser back to the RP with an
authentication assertion, optionally along with some additional
attributes. </t>
<t> RP now has sufficient identity
information to approve access to the resource or not, and acts
accordingly. The authentication is concluded. </t>
</list> </t>
<t>When
considering this flow in the context of SASL, we note that while the
RP and the client both must change
their code to implement this SASL mechanism, the IdP must remain
untouched. The RP already has some sort of session
(probably a TCP connection) established with the client. Hence, it is
not necessary to redirect the client back to the RP. However, it may be
necessary to redirect a client application to another application or
handler. This will be discussed below.
The steps are shown from below:</t>
<t>
<list style="numbers">
<t> The server MAY advertise the SAML20 capability. </t>
<t> The client initiates a SASL authentication with SAML20</t>
<t>The server sends the client one of two responses:
<list style="numbers">
<t>a redirect to an IdP discovery service; or </t>
<t>a redirect to the IdP with a complete authentication request. </t>
</list> </t>
<t> In either case, the client MUST send an empty response. </t>
<t> The SASL client hands the redirect to either a browser or an
appropriate handler (either external or internal to the client), and the
SAML authentication proceeds externally and opaquely from the SASL process. </t>
<t> The SASL Server indicates success or failure, along with an
optional list of attributes </t>
</list> </t>
<t>Please note: What is described here is the case in which the client has not previously
authenticated. If the client can handle SAML internally it is possible that the client
already holds a SAML authentication token that can be send directly to the server, but that would
still be external to SASL.
</t>
<t>
Encompassed in step five is discovery, redirection back to the RP,
redirection to the IdP, and IdP, authentication, and IdP redirection,
based on the decision. These processes are all external to SASL. </t>
<t> With all of this in mind, the flow appears as follows: </t>
<t>
<figure anchor="flow" title="Authentication flow">
<artwork><![CDATA[
SASL Serv. Client IdP
|>-----(1)----->| | Advertisement
| | |
|<-----(2)-----<| | Initiation
| | |
|>-----(3)----->| | Response (redirect)
| | |
|<-----(4)-----<| | Empty Response
| | |
|< - - (5) - - - - - - - - - ->| Client<>IDP
| | | Indirect Auth Request
| | |
|>-----(6)----->| | Server sends Outcome with
| | | attributes
| | |
----- = SASL
- - - = HTTP or HTTPs (external to SASL)
]]>
</artwork>
</figure> </t>
</section>
<section title="SAML SASL Mechanism Specification"> <t>Based on the
previous figure, the following operations are performed with the SAML
SASL mechanism: </t>
<section title="Advertisement" anchor="advertisement"> <t> To advertise
that a server supports SAML 2.0, during application session initiation,
it
displays the name "SAML20" in the list of supported SASL
mechanisms. </t> </section>
<section title="Initiation" anchor="initiation">
<t> A client initiates a "SAML20" authentication
</t>
</section>
<section title="Server Redirect" anchor="1stresponse">
<t> The SASL Server transmits a redirect to the URI of a discovery service or an IdP
that is configured at the server, with a SAML authentication request
in the form of a SAML assertion as one of the parameters.</t>
</section>
<section title="Client Empty Response and other"
anchor="empty">
<t>
The SASL client hands
the URI it received from the server in the previous step to either a
browser or other appropriate handler to continue authentication
externally
while sending an empty response to the SASL server.
The URI is encoded according to
Section 3.4 of the <xref target="OASIS.saml-bindings-2.0-os">SAML
bindings 2.0 specification</xref>.
</t>
</section>
<section title="Outcome and parameters" anchor="outcome">
<t>The SAML
authentication having completed externally, the SASL server will
transmit the outcome</t>
</section>
</section>
<section title="Example">
<t> Suppose the user has an identity at the SAML IdP saml.example.org and a Jabber Identifier (jid)
"somenode@example.com", and wishes to authenticate his XMPP connection to xmpp.example.com (and
example.com and example.org have established a trust relation). The authentication on the wire
would then look something like the following: </t>
<t>Step 1: Client initiates stream to server: </t>
<figure><artwork>
<![CDATA[
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' version='1.0'>
]]>
</artwork></figure>
<t>Step 2: Server responds with a stream tag sent to client: </t>
<figure><artwork>
<![CDATA[
<stream:stream
xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'
id='some_id' from='example.com' version='1.0'>
]]>
</artwork></figure>
<t>Step 3: Server informs client of available authentication
mechanisms:</t>
<figure><artwork>
<![CDATA[
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism>
<mechanism>SAML20</mechanism>
</mechanisms>
</stream:features>
]]>
</artwork></figure>
<t>Step 4: Client selects an authentication mechanism: </t>
<figure><artwork>
<![CDATA[
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'/>
]]>
</artwork></figure>
<t>Step 5: Server sends a <xref target="RFC4648">BASE64</xref> encoded challenge to client in the
form
of an HTTP Redirect to the SAML assertion consumer service with the SAML
Authentication Request as specified in the redirection url: </t>
<figure><artwork>
<![CDATA[
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
SFRUUC8xLjEgMzAyIE9iamVjdCBNb3ZlZApEYXRlOiAyMiBPY3QgMjAwOSAwNzowMDo0OSBH
TVQKTG9jYXRpb246IGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbS9TQU1ML1hNUFAvQnJvd3Nl
cj9TQU1MUmVxdWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lp
QkpSRDBpWDJKbFl6UXlOR1poTlRFd016UXlPRGt3T1dFek1HWm1NV1V6TVRFMk9ETXlOMlkz
T1RRM05EazROQ0lnVm1WeWMybHZiajBpTWk0d0lpQkpjM04xWlVsdWMzUmhiblE5SWpJd01E
Y3RNVEl0TVRCVU1URTZNems2TXpSYUlpQkdiM0pqWlVGMWRHaHVQU0ptWVd4elpTSWdTWE5R
WVhOemFYWmxQU0ptWVd4elpTSWdVSEp2ZEc5amIyeENhVzVrYVc1blBTSjFjbTQ2YjJGemFY
TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZbWx1WkdsdVozTTZTRlJVVUMxUVQxTlVJaUJC
YzNObGNuUnBiMjVEYjI1emRXMWxjbE5sY25acFkyVlZVa3c5SW1oMGRIQTZMeTk0YlhCd0xt
VjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFYTnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05s
SWo0S29LQ2dvRHh6WVcxc09rbHpjM1ZsY2lCNGJXeHVjenB6WVcxc1BTSjFjbTQ2YjJGemFY
TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZWE56WlhKMGFXOXVJajRLb0tDZ29LQ2dvS0Jv
ZEhSd09pOHZlRzF3Y0M1bGVHRnRjR3hsTG1OdmJRcWdvS0NnUEM5ellXMXNPa2x6YzNWbGNq
NEtvS0Nnb0R4ellXMXNjRHBPWVcxbFNVUlFiMnhwWTNrZ2VHMXNibk02YzJGdGJIQTlJblZ5
YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB3Y205MGIyTnZiQ0lnUm05eWJX
RjBQU0oxY200NmIyRnphWE02Ym1GdFpYTTZkR002VTBGTlREb3lMakE2Ym1GdFpXbGtMV1p2
Y20xaGREcHdaWEp6YVhOMFpXNTBJaUJUVUU1aGJXVlJkV0ZzYVdacFpYSTlJbmh0Y0hBdVpY
aGhiWEJzWlM1amIyMGlJRUZzYkc5M1EzSmxZWFJsUFNKMGNuVmxJaUF2UGdxZ29LQ2dQSE5o
Yld4d09sSmxjWFZsYzNSbFpFRjFkR2h1UTI5dWRHVjRkQ0I0Yld4dWN6cHpZVzFzY0QwaWRY
SnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkRiMjF3
WVhKcGMyOXVQU0psZUdGamRDSStDcUNnb0tDZ29LQ2dQSE5oYld3NlFYVjBhRzVEYjI1MFpY
aDBRMnhoYzNOU1pXWWdlRzFzYm5NNmMyRnRiRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJq
T2xOQlRVdzZNaTR3T21GemMyVnlkR2x2YmlJK0NxQ2dvS0Nnb0tDZ29LQ2dvSFZ5YmpwdllY
TnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHBoWXpwamJHRnpjMlZ6T2xCaGMzTjNiM0pr
VUhKdmRHVmpkR1ZrVkhKaGJuTndiM0owQ3FDZ29LQ2dvS0NnUEM5ellXMXNPa0YxZEdodVEy
OXVkR1Y0ZEVOc1lYTnpVbVZtUGdxZ29LQ2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpXUkJkWFJv
YmtOdmJuUmxlSFErQ2p3dmMyRnRiSEE2UVhWMGFHNVNaWEYxWlhOMFBnbz0mUmVsYXlTdGF0
ZT0wMDQzYmZjMWJjNDUxMTBkYWUxNzAwNDAwNWIxM2EyYiZTaWdBbGc9aHR0cCUzQSUyRiUg
MkZ3d3cudzMub3JnJTJGMjAwJTJGMDklMkZ4bWxkc2lnJTIzcnNhLSBzaGExJlNpZ25hdHVy
ZT1OT1RBUkVBTFNJR05BVFVSRUJVVFRIRVJFQUxPTkVXT1VMREdPSEVSRQpDb250ZW50LVR5
cGU6IHRleHQvaHRtbDsgY2hhcnNldD1pc28tODg1OS0xCg==
</challenge>
]]>
</artwork></figure>
<t>The decoded challenge is:</t>
<figure><artwork>
<![CDATA[
HTTP/1.1 302 Object Moved Date: 22 Oct 2009 07:00:49 GMT Location:
https://xmpp.example.com/SAML/XMPP/Browser?SAMLRequest=
PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNB
TUw6Mi4wOnByb3RvY29sIiBJRD0iX2JlYzQyNGZhNTEwMzQyODkwOWEzMGZmMWUzMTE2ODMy
N2Y3OTQ3NDk4NCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMDctMTItMTBUMTE6
Mzk6MzRaIiBGb3JjZUF1dGhuPSJmYWxzZSIgSXNQYXNzaXZlPSJmYWxzZSIgUHJvdG9jb2xC
aW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NU
IiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHA6Ly94bXBwLmV4YW1wbGUuY29t
L1NBTUwvQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4KoKCgoDxzYW1sOklzc3VlciB4bWxu
czpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4KoKCgoKCg
oKBodHRwOi8veG1wcC5leGFtcGxlLmNvbQqgoKCgPC9zYW1sOklzc3Vlcj4KoKCgoDxzYW1s
cDpOYW1lSURQb2xpY3kgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIu
MDpwcm90b2NvbCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlk
LWZvcm1hdDpwZXJzaXN0ZW50IiBTUE5hbWVRdWFsaWZpZXI9InhtcHAuZXhhbXBsZS5jb20i
IEFsbG93Q3JlYXRlPSJ0cnVlIiAvPgqgoKCgPHNhbWxwOlJlcXVlc3RlZEF1dGhuQ29udGV4
dCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBD
b21wYXJpc29uPSJleGFjdCI+
CqCgoKCgoKCgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWYgeG1sbnM6c2FtbD0idXJuOm9h
c2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+
CqCgoKCgoKCgoKCgoHVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBh
c3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0CqCgoKCgoKCgPC9zYW1sOkF1dGhuQ29udGV4dENs
YXNzUmVmPgqgoKCgPC9zYW1scDpSZXF1ZXN0ZWRBdXRobkNvbnRleHQ+
Cjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pgo=&RelayState=
0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F%
2Fwww.w3.org%2F200%2F09%2Fxmldsig%23rsa-
sha1&Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE Content-Type:
text/html; charset=iso-8859-1
]]>
</artwork></figure>
<t>Where the decoded SAMLRequest looks like:</t>
<figure><artwork>
<![CDATA[
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0"
IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL=
"http://xmpp.example.com/SAML/AssertionConsumerService">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
http://xmpp.example.com
</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="xmpp.example.com" AllowCreate="true" />
<samlp:RequestedAuthnContext
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact">
<saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
Ê urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
]]>
</artwork></figure>
<t>Step 5 (alt): Server returns error to client:</t>
<figure> <artwork>
<![CDATA[
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<incorrect-encoding/>
</failure>
</stream:stream>
]]>
</artwork></figure>
<t>Step 6: Client sends a BASE64 encoded empty response to the
challenge:</t>
<figure><artwork>
<![CDATA[
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
=
</response>
]]>
</artwork></figure>
<t>
[ The client now sends the URL to a browser for processing. The browser
engages in a normal SAML authentication flow (external to SASL),
like redirection to the Identity Provider (http://saml.example.org), the
user logs into http://saml.example.org, and agrees to authenticate to
xmpp.example.com. A redirect is passed back to the client browser who
sends the AuthN response to the server, containing the subject-identifier and possibly the jid as
an attribute. If the AuthN response doesn't contain the JID, the server maps
the subject-identifier received from the IdP to a jid]
</t>
<t>Step 7: Server informs client of successful authentication: </t>
<figure><artwork>
<![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]>
</artwork></figure>
<t>Step 7 (alt): Server informs client of failed authentication: </t>
<figure><artwork>
<![CDATA[
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<temporary-auth-failure/>
</failure>
</stream:stream>
]]>
</artwork></figure>
<t>Step 8: Client initiates a new stream to server: </t>
<figure><artwork>
<![CDATA[
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' version='1.0'>
]]>
</artwork></figure>
<t>Step 9: Server responds by sending a stream header to client along
with any additional features (or an empty features element): </t>
<figure><artwork>
<![CDATA[
<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_345' from='example.com' version='1.0'>
<stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
<session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
</stream:features>
]]>
</artwork></figure>
<t>Step 10: Client binds a resource:</t>
<figure><artwork>
<![CDATA[
<iq type='set' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
</bind>
</iq>
]]>
</artwork></figure>
<t>Step 11: Server informs client of successful resource binding:</t>
<figure><artwork>
<![CDATA[
<iq type='result' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>somenode@example.com/someresource</jid>
</bind>
</iq>
]]>
</artwork></figure>
<t>Please note: line breaks were added to the
base64 for clarity.</t>
</section>
<section title="Security Considerations">
<t>
This section will address only security considerations associated
with the use of SAML with SASL applications. For considerations
relating to SAML in general, the reader is referred to the SAML
specification and to other literature. Similarly, for general SASL
Security Considerations, the reader is referred to that
specification.
</t>
<section title="User Privacy">
<t>
The IdP is aware of each RP that a user logs into. There is nothing
in the protocol to hide this information from the IdP. It is not a
requirement to track the visits, but there is nothing that prohibits
the collection of information. SASL servers should be aware that
SAML IdPs will track - to some extent - user access to
their services.
</t>
</section>
<section title="Collusion between RPs">
<t>
It is possible for RPs to link data that they have collected on you.
By using the same identifier to log into every RP, collusion between
RPs is possible. In SAML, targeted identity was introduced.
Targeted identity allows the IdP to transform the identifier the user
typed in to an opaque identifier. This way the RP would never see the
actual user identifier, but a randomly generated identifier. This is
an option the user has to understand and decide to use if the IdP is
supporting it.
</t>
</section>
</section>
<section title="IANA Considerations"> <t> The IANA is requested to
register the following
SASL profile: </t> <t/> <t>SASL mechanism profile: SAML20</t>
<t>Security
Considerations: See this document</t> <t>Published Specification: See
this document</t> <t>For further information: Contact the authors of
this document.</t> <t>Owner/Change controller: the IETF</t> <t>Note:
None</t>
</section>
</middle>
<back>
<references title="Normative References"> &RFC2119;
&RFC2616;
&RFC4422; &RFC4648; &SAML20; &SAML20BIND;
</references>
<section title="Acknowledgments">
<t>
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh Howlett, Leif Johansson,
Diego Lopez, Hank Mauldin, RL 'Bob' Morgan and Hannes Tschofenig for their review and contributions.
</t>
</section>
<section title="Changes"> <t>This section to be removed
prior to publication.</t> <t> <list style="symbols"> <t>00 Initial
Revision. </t> </list> </t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 04:28:09 |