idnits 2.17.1
draft-ietf-kitten-sasl-saml-03.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (June 15, 2011) is 4696 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC2818' is defined on line 779, but no explicit
reference was found in the text
** Obsolete normative reference: RFC 1738 (Obsoleted by RFC 4248, RFC 4266)
** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231,
RFC 7232, RFC 7233, RFC 7234, RFC 7235)
** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)
** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525)
-- Obsolete informational reference (is this intentional?): RFC 3501
(Obsoleted by RFC 9051)
-- Obsolete informational reference (is this intentional?): RFC 3920
(Obsoleted by RFC 6120)
Summary: 5 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group K. Wierenga
3 Internet-Draft Cisco Systems, Inc.
4 Intended status: Standards Track E. Lear
5 Expires: December 17, 2011 Cisco Systems GmbH
6 S. Josefsson
7 SJD AB
8 June 15, 2011
10 A SASL and GSS-API Mechanism for SAML
11 draft-ietf-kitten-sasl-saml-03.txt
13 Abstract
15 Security Assertion Markup Language (SAML) has found its usage on the
16 Internet for Web Single Sign-On. Simple Authentication and Security
17 Layer (SASL) and the Generic Security Service Application Program
18 Interface (GSS-API) are application frameworks to generalize
19 authentication. This memo specifies a SASL mechanism and a GSS-API
20 mechanism for SAML 2.0 that allows the integration of existing SAML
21 Identity Providers with applications using SASL and GSS-API.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on December 17, 2011.
40 Copyright Notice
42 Copyright (c) 2011 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
59 1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
60 2. Applicability for non-HTTP Use Cases . . . . . . . . . . . . . 5
61 3. SAML SASL Mechanism Specification . . . . . . . . . . . . . . 8
62 3.1. Initial Response . . . . . . . . . . . . . . . . . . . . . 8
63 3.2. Authentication Request . . . . . . . . . . . . . . . . . . 8
64 3.3. Outcome and parameters . . . . . . . . . . . . . . . . . . 9
65 4. SAML GSS-API Mechanism Specification . . . . . . . . . . . . . 10
66 4.1. GSS-API Principal Name Types for SAML . . . . . . . . . . 10
67 5. Channel Binding . . . . . . . . . . . . . . . . . . . . . . . 11
68 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
69 6.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
70 6.2. IMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
71 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19
72 7.1. Man in the middle and Tunneling Attacks . . . . . . . . . 19
73 7.2. Binding SAML subject identifiers to Authorization
74 Identities . . . . . . . . . . . . . . . . . . . . . . . . 19
75 7.3. User Privacy . . . . . . . . . . . . . . . . . . . . . . . 19
76 7.4. Collusion between RPs . . . . . . . . . . . . . . . . . . 19
77 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
78 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
79 9.1. Normative References . . . . . . . . . . . . . . . . . . . 21
80 9.2. Informative References . . . . . . . . . . . . . . . . . . 22
81 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 23
82 Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . . 24
83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
85 1. Introduction
87 Security Assertion Markup Language (SAML) 2.0
88 [OASIS.saml-core-2.0-os] is a modular specification that provides
89 various means for a user to be identified to a relying party (RP)
90 through the exchange of (typically signed) assertions issued by an
91 identity provider (IdP). It includes a number of protocols, protocol
92 bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
93 [OASIS.saml-profiles-2.0-os] designed for different use cases.
95 Simple Authentication and Security Layer (SASL) [RFC4422] is a
96 generalized mechanism for identifying and authenticating a user and
97 for optionally negotiating a security layer for subsequent protocol
98 interactions. SASL is used by application protocols like IMAP
99 [RFC3501], POP [RFC1939] and XMPP [RFC3920]. The effect is to make
100 modular authentication, so that newer authentication mechanisms can
101 be added as needed. This memo specifies just such a mechanism.
103 The Generic Security Service Application Program Interface (GSS-API)
104 [RFC2743] provides a framework for applications to support multiple
105 authentication mechanisms through a unified programming interface.
106 This document defines a pure SASL mechanism for SAML, but it conforms
107 to the new bridge between SASL and the GSS-API called GS2 [RFC5801].
108 This means that this document defines both a SASL mechanism and a
109 GSS-API mechanism. We want to point out that the GSS-API interface
110 is optional for SASL implementers, and the GSS-API considerations can
111 be avoided in environments that uses SASL directly without GSS-API.
113 As currently envisioned, this mechanism is to allow the interworking
114 between SASL and SAML in order to assert identity and other
115 attributes to relying parties. As such, while servers (as relying
116 parties) will advertise SASL mechanisms (including SAML), clients
117 will select the SAML SASL mechanism as their SASL mechanism of
118 choice.
120 The SAML mechanism described in this memo aims to re-use the Web
121 Browser SSO profile defined in section 3.1 of
122 [OASIS.saml-profiles-2.0-os] to a maximum extent and therefore does
123 not establish a separate authentication, integrity and
124 confidentiality mechanism. The mechanisms assumes a security layer,
125 such as Transport Layer Security (TLS [RFC5246]), will continued to
126 be used. This specification is appropriate for use when a browser is
127 available.
129 Figure 1 describes the interworking between SAML and SASL: this
130 document requires enhancements to the Relying Party and to the Client
131 (as the two SASL communication end points) but no changes to the SAML
132 Identity Provider are necessary. To accomplish this goal some
133 indirect messaging is tunneled within SASL, and some use of external
134 methods is made.
136 +-----------+
137 | |
138 >| Relying |
139 / | Party |
140 // | |
141 // +-----------+
142 SAML/ // ^
143 HTTPs // +--|--+
144 // | S| |
145 / S | A| |
146 // A | M| |
147 // S | L| |
148 // L | | |
149 // | | |
150 +--|--+
151 +------------+ v
152 | | +----------+
153 | SAML | HTTPs | |
154 | Identity |<--------------->| Client |
155 | Provider | | |
156 +------------+ +----------+
158 Figure 1: Interworking Architecture
160 1.1. Terminology
162 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
163 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
164 document are to be interpreted as described in RFC 2119 [RFC2119].
166 The reader is assumed to be familiar with the terms used in the SAML
167 2.0 specification.
169 1.2. Applicability
171 Applicability Because this mechanism transports information that
172 should not be controlled by an attacker, the SAML mechanism MUST only
173 be used over channels protected by TLS, and the client MUST
174 successfully validate the server certificate, or similar integrity
175 protected and authenticated channels. [RFC5280][RFC6125]
177 2. Applicability for non-HTTP Use Cases
179 While SAML itself is merely a markup language, its common use case
180 these days is with HTTP [RFC2616] and HTML
181 [W3C.REC-html401-19991224]. What follows is a typical flow:
183 1. The browser requests a resource of a Relying Party (RP) (via an
184 HTTP request).
186 2. The RP sends an HTTP redirect as described in Section 10.3 of
187 [RFC2616] to the browser to the Identity Provider (IdP) or an IdP
188 discovery service with an authentication request that contains
189 the name of resource being requested, some sort of a cookie and a
190 return URL [RFC1738],
192 3. The user authenticates to the IdP and perhaps authorizes the
193 authentication to the service provider.
195 4. In its authentication response, the IdP redirects (via an HTTP
196 redirect) the browser back to the RP with an authentication
197 assertion (stating that the IdP vouches that the subject has
198 successfully authenticated), optionally along with some
199 additional attributes.
201 5. RP now has sufficient identity information to approve access to
202 the resource or not, and acts accordingly. The authentication is
203 concluded.
205 When considering this flow in the context of SASL, we note that while
206 the RP and the client both must change their code to implement this
207 SASL mechanism, the IdP must remain untouched. The RP already has
208 some sort of session (probably a TCP connection) established with the
209 client. However, it may be necessary to redirect a SASL client to
210 another application or handler. This will be discussed below. The
211 steps are shown from below:
213 1. The Relying Party or SASL server advertises support for the SASL
214 SAML20 mechanism to the client
216 2. The client initiates a SASL authentication with SAML20 and sends
217 a domain
219 3. The Relying Party transmits an authentication request encoded
220 using a Universal Resource Identifier (URI) as described in RFC
221 3986 [RFC3986] and an HTTP redirect to the IdP corresponding to
222 the domain
224 4. The SASL client now sends an empty response, as authentication
225 continues via the normal SAML flow.
227 5. At this point the SASL client MUST construct a URL containing the
228 content received in the previous message from the RP. This URL
229 is transmitted to the IdP either by the SASL client application
230 or an appropriate handler, such as a browser.
232 6. Next the client authenticates to the IdP. The manner in which
233 the end user is authenticated to the IdP and any policies
234 surrounding such authentication is out of scope for SAML and
235 hence for this draft. This step happens out of band from SASL.
237 7. The IdP will convey information about the success or failure of
238 the authentication back to the the RP in the form of an
239 Authentication Statement or failure, using a indirect response
240 via the client browser or the handler. This step happens out of
241 band from SASL.
243 8. The SASL Server sends an appropriate SASL response to the client,
244 along with an optional list of attributes
246 Please note: What is described here is the case in which the client
247 has not previously authenticated. It is possible that the client
248 already holds a valid SAML authentication token so that the user does
249 not need to be involved in the process anymore, but that would still
250 be external to SASL. This is classic Web Single Sign-On, in which
251 the Web Browser client presents the authentication token (cookie) to
252 the RP without renewed user authentication at the IdP.
254 With all of this in mind, the flow appears as follows:
256 SASL Serv. Client IdP
257 |>-----(1)----->| | Advertisement
258 | | |
259 |<-----(2)-----<| | Initiation
260 | | |
261 |>-----(3)----->| | Authentication Request
262 | | |
263 |<-----(4)-----<| | Empty Response
264 | | |
265 | |< - - - - - ->| Client<>IDP
266 | | | Authentication
267 | | |
268 |<- - - - - - - - - - - - - - -| Authentication Statement
269 | | |
270 |>-----(6)----->| | SASL completion with
271 | | | status
272 | | |
274 ----- = SASL
275 - - - = HTTP or HTTPs (external to SASL)
277 Figure 2: Authentication flow
279 3. SAML SASL Mechanism Specification
281 This section specifies the details of the SAML SASL mechanism.
282 Recall section 5 of [RFC4422] for what needs to be described here.
284 The name of this mechanism "SAML20". The mechanism is capable of
285 transferring an authorization identity (via "gs2-header"). The
286 mechanism does not offer a security layer.
288 The mechanism is client-first. The first mechanism message from the
289 client to the server is the "initial-response" described below. As
290 described in [RFC4422], if the application protocol does not support
291 sending a client-response together with the authentication request,
292 the server will send an empty server-challenge to let the client
293 begin.
295 The second mechanism message is from the server to the client, the
296 "authentication-request" described below.
298 The third mechanism message is from client to the server, and is the
299 fixed message consisting of "=".
301 The fourth mechanism message is from the server to the client,
302 indicating the SASL mechanism outcome described below.
304 3.1. Initial Response
306 A client initiates a "SAML20" authentication with SASL by sending the
307 GS2 header followed by the authentication identifier. The GS2 header
308 carries the optional authorization identity.
310 initial-response = gs2-header Idp-Identifier
311 IdP-Identifier = domain ; domain name with corresponding IdP
313 The "gs2-header" is specified in [RFC5801], and it is used as
314 follows. The "gs2-nonstd-flag" MUST NOT be present. Regarding the
315 channel binding "gs2-cb-flag" field, see Section 5. The "gs2-
316 authzid" carries the optional authorization identity. Domain name is
317 specified in [RFC1035].
319 3.2. Authentication Request
321 The SASL Server transmits a redirect URI to the IdP that corresponds
322 to the domain the user provided, with a SAML authentication request
323 as one of the parameters. Note: The SASL server may have a static
324 mapping of domain to corresponding IdP or alternatively a DNS-lookup
325 mechanism could be envisioned, but that is out-of-scope for this
326 document
328 authentication-request = URI
330 URI is specified in [RFC3986] and is encoded according to Section 3.4
331 (HTTP Redirect) of the SAML bindings 2.0 specification
332 [OASIS.saml-bindings-2.0-os]. The SAML authentication request is
333 encoded according to Section 3.4 (Authentication Request) of the SAML
334 core 2.0 specification [OASIS.saml-core-2.0-os].
336 The client now sends the authentication request via an HTTP GET to
337 the IdP, as if redirected to do so from an HTTP server and in
338 accordance with the Web Browser SSO profile, described in section 3.1
339 of [OASIS.saml-profiles-2.0-os]
341 The client MUST handle both user authentication to the IdP and
342 confirmation or rejection of the authentiation of the RP.
344 After all authentication has been completed by the IdP, and after the
345 response has been sent to the client, the client will relay the
346 response to the Relying Party via HTTP(S), as specified in the
347 authentication request ("AssertionConsumerServiceURL").
349 Please note: this means that the SASL server needs to implement a
350 SAML Relying Party. Also, the RP needs to correlate the TCP session
351 from the SASL client with the SAML authentication.
353 3.3. Outcome and parameters
355 The Relying Party now validates the response it received from the
356 client via HTTP or HTTPS, as specified in the SAML specification
358 The response by the Relying Party constitutes a SASL mechanism
359 outcome, and SHALL be used to set state in the server accordingly,
360 and it shall be used by the server to report that state to the SASL
361 client as described in [RFC4422] Section 3.6.
363 4. SAML GSS-API Mechanism Specification
365 This section and its sub-sections and all normative references of it
366 not referenced elsewhere in this document are INFORMATIONAL for SASL
367 implementors, but they are NORMATIVE for GSS-API implementors.
369 The SAML SASL mechanism is actually also a GSS-API mechanism. The
370 messages are the same, but
372 a) the GS2 header on the client's first message and channel binding
373 data is excluded when SAML is used as a GSS-API mechanism, and
375 b) the RFC2743 section 3.1 initial context token header is prefixed
376 to the client's first authentication message (context token).
378 The GSS-API mechanism OID for SAML is 1.3.6.1.4.1.11591.4.8.
380 SAML20 security contexts always have the mutual_state flag
381 (GSS_C_MUTUAL_FLAG) set to TRUE. SAML does not support credential
382 delegation, therefore SAML security contexts alway have the
383 deleg_state flag (GSS_C_DELEG_FLAG) set to FALSE.
385 The mutual authentication property of this mechanism relies on
386 successfully comparing the TLS server identity with the negotiated
387 target name. Since the TLS channel is managed by the application
388 outside of the GSS-API mechanism, the mechanism itself is unable to
389 confirm the name while the application is able to perform this
390 comparison for the mechanism. For this reason, applications MUST
391 match the TLS server identity with the target name, as discussed in
392 [RFC6125].
394 The SAML mechanism does not support per-message tokens or
395 GSS_Pseudo_random.
397 4.1. GSS-API Principal Name Types for SAML
399 SAML supports standard generic name syntaxes for acceptors such as
400 GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4.1). SAML
401 supports only a single name type for initiators: GSS_C_NT_USER_NAME.
402 GSS_C_NT_USER_NAME is the default name type for SAML. The query,
403 display, and exported name syntaxes for SAML principal names are all
404 the same. There are no SAML-specific name syntaxes -- applications
405 should use generic GSS-API name types such as GSS_C_NT_USER_NAME and
406 GSS_C_NT_HOSTBASED_SERVICE (see [RFC2743], Section 4). The exported
407 name token does, of course, conform to [RFC2743], Section 3.2.
409 5. Channel Binding
411 The "gs2-cb-flag" MUST use "n" because channel binding data cannot be
412 integrity protected by the SAML negotiation.
414 Note: In theory channel binding data could be inserted in the SAML
415 flow by the client and verified by the server, but that is currently
416 not supported in SAML.
418 6. Examples
420 6.1. XMPP
422 Suppose the user has an identity at the SAML IdP saml.example.org and
423 a Jabber Identifier (JID) "somenode@example.com", and wishes to
424 authenticate his XMPP connection to xmpp.example.com. The
425 authentication on the wire would then look something like the
426 following:
428 Step 1: Client initiates stream to server:
430
434 Step 2: Server responds with a stream tag sent to client:
436
440 Step 3: Server informs client of available authentication mechanisms:
442
443
444 DIGEST-MD5
445 PLAIN
446 SAML20
447
448
450 Step 4: Client selects an authentication mechanism and provides the
451 initial client response containing the BASE64 [RFC4648] encoded gs2-
452 header and domain:
454
455 biwsZXhhbXBsZS5vcmc
457 The decoded string is: n,,example.org
458 Step 5: Server sends a BASE64 encoded challenge to client in the form
459 of an HTTP Redirect to the SAML IdP corresponding to example.org
460 (https://saml.example.org) with the SAML Authentication Request as
461 specified in the redirection url:
463 aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx
464 dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
465 Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli
466 M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U
467 QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5
468 dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5
469 TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE
470 UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy
471 TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx
472 TU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUUxWQlBVMVFpRFFvZ0lDQWdRWE56
473 WlhKMGFXOXVRMjl1YzNWdFpYSlRaWEoyYVdObFZWSk1QUTBLSUNBZ0lDQWdJ
474 Q0FpYUhSMGNITTZMeTk0YlhCd0xtVjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFY
475 TnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05sSWo0TkNpQThjMkZ0YkRw
476 SmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6
477 T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSStEUW9nSUNBZ0lHaDBk
478 SEJ6T2k4dmVHMXdjQzVsZUdGdGNHeGxMbU52YlEwS0lEd3ZjMkZ0YkRwSmMz
479 TjFaWEkrRFFvZ1BITmhiV3h3T2s1aGJXVkpSRkJ2YkdsamVTQjRiV3h1Y3pw
480 ellXMXNjRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJqT2xOQlRVdzZNaTR3
481 T25CeWIzUnZZMjlzSWcwS0lDQWdJQ0JHYjNKdFlYUTlJblZ5YmpwdllYTnBj
482 enB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB1WVcxbGFXUXRabTl5YldGME9u
483 Qmxjbk5wYzNSbGJuUWlEUW9nSUNBZ0lGTlFUbUZ0WlZGMVlXeHBabWxsY2ow
484 aWVHMXdjQzVsZUdGdGNHeGxMbU52YlNJZ1FXeHNiM2REY21WaGRHVTlJblJ5
485 ZFdVaUlDOCtEUW9nUEhOaGJXeHdPbEpsY1hWbGMzUmxaRUYxZEdodVEyOXVk
486 R1Y0ZEEwS0lDQWdJQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9t
487 NWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQU5DaUFnSUNB
488 Z0lDQWdRMjl0Y0dGeWFYTnZiajBpWlhoaFkzUWlQZzBLSUNBOGMyRnRiRHBC
489 ZFhSb2JrTnZiblJsZUhSRGJHRnpjMUpsWmcwS0lDQWdJQ0FnZUcxc2JuTTZj
490 MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t
491 RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN
492 NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5
493 YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi
494 MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX
495 UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW
496 bGMzUSs=
498 The decoded challenge is:
500 https://saml.example.org/SAML/Browser?SAMLRequest=PHNhbWxwOk
501 F1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOl
502 NBTUw6Mi4wOnByb3RvY29sIg0KICAgIElEPSJfYmVjNDI0ZmE1MTAzNDI4OT
503 A5YTMwZmYxZTMxMTY4MzI3Zjc5NDc0OTg0IiBWZXJzaW9uPSIyLjAiDQogIC
504 AgSXNzdWVJbnN0YW50PSIyMDA3LTEyLTEwVDExOjM5OjM0WiIgRm9yY2VBdX
505 Robj0iZmFsc2UiDQogICAgSXNQYXNzaXZlPSJmYWxzZSINCiAgICBQcm90b2
506 NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW
507 5nczpIVFRQLVBPU1QiDQogICAgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVV
508 JMPQ0KICAgICAgICAiaHR0cHM6Ly94bXBwLmV4YW1wbGUuY29tL1NBTUwvQX
509 NzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4NCiA8c2FtbDpJc3N1ZXIgeG1sbn
510 M6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbi
511 I+DQogICAgIGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbQ0KIDwvc2FtbDpJc3
512 N1ZXI+DQogPHNhbWxwOk5hbWVJRFBvbGljeSB4bWxuczpzYW1scD0idXJuOm
513 9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIg0KICAgICBGb3JtYX
514 Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0On
515 BlcnNpc3RlbnQiDQogICAgIFNQTmFtZVF1YWxpZmllcj0ieG1wcC5leGFtcG
516 xlLmNvbSIgQWxsb3dDcmVhdGU9InRydWUiIC8+DQogPHNhbWxwOlJlcXVlc3
517 RlZEF1dGhuQ29udGV4dA0KICAgICB4bWxuczpzYW1scD0idXJuOm9hc2lzOm
518 5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiANCiAgICAgICAgQ29tcGFyaX
519 Nvbj0iZXhhY3QiPg0KICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZg0KIC
520 AgICAgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm
521 Fzc2VydGlvbiI+DQogICAgICAgICAgIHVybjpvYXNpczpuYW1lczp0YzpTQU
522 1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0DQ
523 ogIDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiA8L3NhbWxwOlJlcX
524 Vlc3RlZEF1dGhuQ29udGV4dD4gDQo8L3NhbWxwOkF1dGhuUmVxdWVzdD4=
526 Where the decoded SAMLRequest looks like:
528
535
536 https://xmpp.example.com
537
538
541
544
546 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
547
548
549
551 Note: the server can use the request ID
552 (_bec424fa5103428909a30ff1e31168327f79474984) to correlate the SASL
553 session with the SAML authentication.
555 Step 5 (alt): Server returns error to client:
557
558
559
560
562 Step 6: Client sends a BASE64 encoded empty response to the
563 challenge:
565
566 =
567
569 [ The client now sends the URL to a browser for processing. The
570 browser engages in a normal SAML authentication flow (external to
571 SASL), like redirection to the Identity Provider
572 (https://saml.example.org), the user logs into
573 https://saml.example.org, and agrees to authenticate to
574 xmpp.example.com. A redirect is passed back to the client browser
575 who sends the AuthN response to the server, containing the subject-
576 identifier as an attribute. If the AuthN response doesn't contain
577 the JID, the server maps the subject-identifier received from the IdP
578 to a JID]
580 Step 7: Server informs client of successful authentication:
582
584 Step 7 (alt): Server informs client of failed authentication:
586
587
588
589
591 Step 8: Client initiates a new stream to server:
593
597 Step 9: Server responds by sending a stream header to client along
598 with any additional features (or an empty features element):
600
603
604
605
606
608 Step 10: Client binds a resource:
610
611
612 someresource
613
614
616 Step 11: Server informs client of successful resource binding:
618
619
620 somenode@example.com/someresource
621
622
624 Please note: line breaks were added to the base64 for clarity.
626 6.2. IMAP
628 The following describes an IMAP exchange. Lines beginning with 'S:'
629 indicate data sent by the server, and lines starting with 'C:'
630 indicate data sent by the client. Long lines are wrapped for
631 readability.
633 S: * OK IMAP4rev1
634 C: . CAPABILITY
635 S: * CAPABILITY IMAP4rev1 STARTTLS
636 S: . OK CAPABILITY Completed
637 C: . STARTTLS
638 S: . OK Begin TLS negotiation now
639 C: . CAPABILITY
640 S: * CAPABILITY IMAP4rev1 AUTH=SAML20
641 S: . OK CAPABILITY Completed
642 C: . AUTHENTICATE SAML20
643 S: +
644 C: biwsZXhhbXBsZS5vcmc
645 S: + aHR0cHM6Ly9zYW1sLmV4YW1wbGUub3JnL1NBTUwvQnJvd3Nlcj9TQU1MUmVx
646 dWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
647 Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnli
648 M1J2WTI5c0lnMEtJQ0FnSUVsRVBTSmZZbVZqTkRJMFptRTFNVEF6TkRJNE9U
649 QTVZVE13Wm1ZeFpUTXhNVFk0TXpJM1pqYzVORGMwT1RnMElpQldaWEp6YVc5
650 dVBTSXlMakFpRFFvZ0lDQWdTWE56ZFdWSmJuTjBZVzUwUFNJeU1EQTNMVEV5
651 TFRFd1ZERXhPak01T2pNMFdpSWdSbTl5WTJWQmRYUm9iajBpWm1Gc2MyVWlE
652 UW9nSUNBZ1NYTlFZWE56YVhabFBTSm1ZV3h6WlNJTkNpQWdJQ0JRY205MGIy
653 TnZiRUpwYm1ScGJtYzlJblZ5YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUx
654 TU9qSXVNRHBpYVc1a2FXNW5jenBJVkZSUUxWQlBVMVFpRFFvZ0lDQWdRWE56
655 WlhKMGFXOXVRMjl1YzNWdFpYSlRaWEoyYVdObFZWSk1QUTBLSUNBZ0lDQWdJ
656 Q0FpYUhSMGNITTZMeTk0YlhCd0xtVjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFY
657 TnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05sSWo0TkNpQThjMkZ0YkRw
658 SmMzTjFaWElnZUcxc2JuTTZjMkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6
659 T25Sak9sTkJUVXc2TWk0d09tRnpjMlZ5ZEdsdmJpSStEUW9nSUNBZ0lHaDBk
660 SEJ6T2k4dmVHMXdjQzVsZUdGdGNHeGxMbU52YlEwS0lEd3ZjMkZ0YkRwSmMz
661 TjFaWEkrRFFvZ1BITmhiV3h3T2s1aGJXVkpSRkJ2YkdsamVTQjRiV3h1Y3pw
662 ellXMXNjRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJqT2xOQlRVdzZNaTR3
663 T25CeWIzUnZZMjlzSWcwS0lDQWdJQ0JHYjNKdFlYUTlJblZ5YmpwdllYTnBj
664 enB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB1WVcxbGFXUXRabTl5YldGME9u
665 Qmxjbk5wYzNSbGJuUWlEUW9nSUNBZ0lGTlFUbUZ0WlZGMVlXeHBabWxsY2ow
666 aWVHMXdjQzVsZUdGdGNHeGxMbU52YlNJZ1FXeHNiM2REY21WaGRHVTlJblJ5
667 ZFdVaUlDOCtEUW9nUEhOaGJXeHdPbEpsY1hWbGMzUmxaRUYxZEdodVEyOXVk
668 R1Y0ZEEwS0lDQWdJQ0I0Yld4dWN6cHpZVzFzY0QwaWRYSnVPbTloYzJsek9t
669 NWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQU5DaUFnSUNB
670 Z0lDQWdRMjl0Y0dGeWFYTnZiajBpWlhoaFkzUWlQZzBLSUNBOGMyRnRiRHBC
671 ZFhSb2JrTnZiblJsZUhSRGJHRnpjMUpsWmcwS0lDQWdJQ0FnZUcxc2JuTTZj
672 MkZ0YkQwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09t
673 RnpjMlZ5ZEdsdmJpSStEUW9nb0NBZ0lDQjFjbTQ2YjJGemFYTTZibUZ0WlhN
674 NmRHTTZVMEZOVERveUxqQTZZV002WTJ4aGMzTmxjenBRWVhOemQyOXlaRkJ5
675 YjNSbFkzUmxaRlJ5WVc1emNHOXlkQTBLSUNBOEwzTmhiV3c2UVhWMGFHNURi
676 MjUwWlhoMFEyeGhjM05TWldZK0RRb2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpX
677 UkJkWFJvYmtOdmJuUmxlSFErSUEwS1BDOXpZVzFzY0RwQmRYUm9ibEpsY1hW
678 bGMzUSs=
679 C:
680 S: . OK Success (tls protection)
682 7. Security Considerations
684 This section will address only security considerations associated
685 with the use of SAML with SASL applications. For considerations
686 relating to SAML in general, the reader is referred to the SAML
687 specification and to other literature. Similarly, for general SASL
688 Security Considerations, the reader is referred to that
689 specification.
691 7.1. Man in the middle and Tunneling Attacks
693 This mechanism is vulnerable to man in the middle and tunneling
694 attacks unless a client always verify the server identity before
695 proceeding with authentication (see [RFC6125]). Typically TLS is
696 used to provide a secure channel with server authentication.
698 7.2. Binding SAML subject identifiers to Authorization Identities
700 As specified in [RFC4422], the server is responsible for binding
701 credentials to a specific authorization identity. It is therefore
702 necessary that only specific trusted IdPs be allowed. This is
703 typical part of SAML trust establishment between RP's and IdP.
705 7.3. User Privacy
707 The IdP is aware of each RP that a user logs into. There is nothing
708 in the protocol to hide this information from the IdP. It is not a
709 requirement to track the visits, but there is nothing that prohibits
710 the collection of information. SASL servers should be aware that
711 SAML IdPs will track - to some extent - user access to their
712 services.
714 7.4. Collusion between RPs
716 It is possible for RPs to link data that they have collected on you.
717 By using the same identifier to log into every RP, collusion between
718 RPs is possible. In SAML, targeted identity was introduced.
719 Targeted identity allows the IdP to transform the identifier the user
720 typed in to an opaque identifier. This way the RP would never see
721 the actual user identifier, but a randomly generated identifier.
722 This is an option the user has to understand and decide to use if the
723 IdP is supporting it.
725 8. IANA Considerations
727 The IANA is requested to register the following SASL profile:
729 SASL mechanism profile: SAML20
731 Security Considerations: See this document
733 Published Specification: See this document
735 For further information: Contact the authors of this document.
737 Owner/Change controller: the IETF
739 Note: None
741 9. References
743 9.1. Normative References
745 [OASIS.saml-bindings-2.0-os]
746 Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
747 Maler, "Bindings for the OASIS Security Assertion Markup
748 Language (SAML) V2.0", OASIS
749 Standard saml-bindings-2.0-os, March 2005.
751 [OASIS.saml-core-2.0-os]
752 Cantor, S., Kemp, J., Philpott, R., and E. Maler,
753 "Assertions and Protocol for the OASIS Security Assertion
754 Markup Language (SAML) V2.0", OASIS Standard saml-core-
755 2.0-os, March 2005.
757 [OASIS.saml-profiles-2.0-os]
758 Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
759 P., Philpott, R., and E. Maler, "Profiles for the OASIS
760 Security Assertion Markup Language (SAML) V2.0", OASIS
761 Standard OASIS.saml-profiles-2.0-os, March 2005.
763 [RFC1035] Mockapetris, P., "Domain names - implementation and
764 specification", STD 13, RFC 1035, November 1987.
766 [RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
767 Resource Locators (URL)", RFC 1738, December 1994.
769 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
770 Requirement Levels", BCP 14, RFC 2119, March 1997.
772 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
773 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
774 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
776 [RFC2743] Linn, J., "Generic Security Service Application Program
777 Interface Version 2, Update 1", RFC 2743, January 2000.
779 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
781 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
782 Resource Identifier (URI): Generic Syntax", STD 66,
783 RFC 3986, January 2005.
785 [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
786 Security Layer (SASL)", RFC 4422, June 2006.
788 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
789 Encodings", RFC 4648, October 2006.
791 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
792 (TLS) Protocol Version 1.2", RFC 5246, August 2008.
794 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
795 Housley, R., and W. Polk, "Internet X.509 Public Key
796 Infrastructure Certificate and Certificate Revocation List
797 (CRL) Profile", RFC 5280, May 2008.
799 [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
800 Service Application Program Interface (GSS-API) Mechanisms
801 in Simple Authentication and Security Layer (SASL): The
802 GS2 Mechanism Family", RFC 5801, July 2010.
804 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
805 Verification of Domain-Based Application Service Identity
806 within Internet Public Key Infrastructure Using X.509
807 (PKIX) Certificates in the Context of Transport Layer
808 Security (TLS)", RFC 6125, March 2011.
810 [W3C.REC-html401-19991224]
811 Hors, A., Jacobs, I., and D. Raggett, "HTML 4.01
812 Specification", World Wide Web Consortium
813 Recommendation REC-html401-19991224, December 1999,
814 .
816 9.2. Informative References
818 [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
819 STD 53, RFC 1939, May 1996.
821 [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
822 4rev1", RFC 3501, March 2003.
824 [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
825 Protocol (XMPP): Core", RFC 3920, October 2004.
827 Appendix A. Acknowledgments
829 The authors would like to thank Scott Cantor, Joe Hildebrand, Josh
830 Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan,
831 Stefan Plug and Hannes Tschofenig for their review and contributions.
833 Appendix B. Changes
835 This section to be removed prior to publication.
837 o 03 Number of cosmetic changes, fixes per comments Alexey Melnikov
839 o 02 Changed IdP URI to domain per Joe Hildebrand, fixed some typos
841 o 00 WG -00 draft. Updates GSS-API section, some fixes per Scott
842 Cantor
844 o 01 Added authorization identity, added GSS-API specifics, added
845 client supplied IdP
847 o 00 Initial Revision.
849 Authors' Addresses
851 Klaas Wierenga
852 Cisco Systems, Inc.
853 Haarlerbergweg 13-19
854 Amsterdam, Noord-Holland 1101 CH
855 Netherlands
857 Phone: +31 20 357 1752
858 Email: klaas@cisco.com
860 Eliot Lear
861 Cisco Systems GmbH
862 Richtistrasse 7
863 Wallisellen, ZH CH-8304
864 Switzerland
866 Phone: +41 44 878 9200
867 Email: lear@cisco.com
869 Simon Josefsson
870 SJD AB
871 Hagagatan 24
872 Stockholm 113 47
873 SE
875 Email: simon@josefsson.org
876 URI: http://josefsson.org/