TOC |
|
Security Assertion Markup Language (SAML) has found its usage on the Internet for Web Single Sign-On. Simple Authentication and Security Layer (SASL) is an application framework to generalize authentication. This memo specifies a SASL mechanism for SAML 2.0 that allows the integration of existing SAML Identity Providers with applications using SASL.
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 19, 2010.
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.
1.
Introduction
2.
Terminology
3.
Applicability for non-HTTP Use Cases
4.
SAML SASL Mechanism Specification
4.1.
Advertisement
4.2.
Initiation
4.3.
Server Redirect
4.4.
Client Empty Response and other
4.5.
Outcome and parameters
5.
Example
6.
Security Considerations
6.1.
User Privacy
6.2.
Collusion between RPs
7.
IANA Considerations
8.
Normative References
Appendix A.
Acknowledgments
Appendix B.
Changes
§
Authors' Addresses
TOC |
Security Assertion Markup Language (SAML) (Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0,” March 2005.) [OASIS.saml‑core‑2.0‑os] is a multi-party protocol (or rather set of protocols) that provides a means for a user to offer identity assertions and other attributes to a relying party (RP) via the help of an identity provider (IdP).
Simple Authentication and Security Layer (SASL) (Melnikov, A. and K. Zeilenga, “Simple Authentication and Security Layer (SASL),” June 2006.) [RFC4422] is a generalized mechanism for identifying and authenticating a user and for optionally negotiating a security layer for subsequent protocol interactions. SASL is used by application protocols like IMAP, POP and XMPP. The effect is to make modular authentication, so that newer authentication mechanisms can be added as needed. This memo specifies just such a mechanism.
As currently envisioned, this mechanism is to allow the interworking between SASL and SAML in order to assert identity and other attributes to relying parties. As such, while servers (as relying parties) will advertise SASL mechanisms (including SAML), clients will select the SAML SASL mechanism as their SASL mechanism of choice.
The SAML mechanism described in this memo aims to re-use the available SAML deployment to a maximum extent and therefore does not establish a separate authentication, integrity and confidentiality mechanism. It is anticipated that existing security layers, such as Transport Layer Security (TLS), will continued to be used.
Figure 1 (Interworking Architecture) describes the interworking between SAML and SASL: this document requires enhancements to the Relying Party and to the Client (as the two SASL communication end points) but no changes to the SAML Identity Provider are necessary. To accomplish this goal some indirect messaging is tunneled within SASL, and some use of external methods is made.
+-----------+ | | >| Relying | / | Party | // | | // +-----------+ SAML/ // ^ HTTPs // +--|--+ // | S| | / S | A| | // A | M| | // S | L| | // L | | | // | | | </ +--|--+ +------------+ v | | +----------+ | SAML | HTTPs | | | Identity |<--------------->| Client | | Provider | | | +------------+ +----------+
Figure 1: Interworking
Architecture |
TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).
The reader is assumed to be familiar with the terms used in the SAML 2.0 specification.
TOC |
While SAML itself is merely a markup language, its common use case these days is with HTTP. What follows is a typical flow:
When considering this flow in the context of SASL, we note that while the RP and the client both must change their code to implement this SASL mechanism, the IdP must remain untouched. The RP already has some sort of session (probably a TCP connection) established with the client. Hence, it is not necessary to redirect the client back to the RP. However, it may be necessary to redirect a client application to another application or handler. This will be discussed below. The steps are shown from below:
Please note: What is described here is the case in which the client has not previously authenticated. If the client can handle SAML internally it is possible that the client already holds a SAML authentication token that can be send directly to the server, but that would still be external to SASL.
Encompassed in step five is discovery, redirection back to the RP, redirection to the IdP, and IdP, authentication, and IdP redirection, based on the decision. These processes are all external to SASL.
With all of this in mind, the flow appears as follows:
SASL Serv. Client IdP |>-----(1)----->| | Advertisement | | | |<-----(2)-----<| | Initiation | | | |>-----(3)----->| | Response (redirect) | | | |<-----(4)-----<| | Empty Response | | | |< - - (5) - - - - - - - - - ->| Client<>IDP | | | Indirect Auth Request | | | |>-----(6)----->| | Server sends Outcome with | | | attributes | | | ----- = SASL - - - = HTTP or HTTPs (external to SASL)
Figure 2: Authentication flow |
TOC |
Based on the previous figure, the following operations are performed with the SAML SASL mechanism:
TOC |
To advertise that a server supports SAML 2.0, during application session initiation, it displays the name "SAML20" in the list of supported SASL mechanisms.
TOC |
A client initiates a "SAML20" authentication
TOC |
The SASL Server transmits a redirect to the URI of a discovery service or an IdP that is configured at the server, with a SAML authentication request in the form of a SAML assertion as one of the parameters.
TOC |
The SASL client hands the URI it received from the server in the previous step to either a browser or other appropriate handler to continue authentication externally while sending an empty response to the SASL server. The URI is encoded according to Section 3.4 of the SAML bindings 2.0 specification (Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Maler, “Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0,” March 2005.) [OASIS.saml‑bindings‑2.0‑os].
TOC |
The SAML authentication having completed externally, the SASL server will transmit the outcome
TOC |
Suppose the user has an identity at the SAML IdP saml.example.org and a Jabber Identifier (jid) "somenode@example.com", and wishes to authenticate his XMPP connection to xmpp.example.com (and example.com and example.org have established a trust relation). The authentication on the wire would then look something like the following:
Step 1: Client initiates stream to server:
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>
Step 2: Server responds with a stream tag sent to client:
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='some_id' from='example.com' version='1.0'>
Step 3: Server informs client of available authentication mechanisms:
<stream:features> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> <mechanism>SAML20</mechanism> </mechanisms> </stream:features>
Step 4: Client selects an authentication mechanism:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'/>
Step 5: Server sends a BASE64 (Josefsson, S., “The Base16, Base32, and Base64 Data Encodings,” October 2006.) [RFC4648] encoded challenge to client in the form of an HTTP Redirect to the SAML assertion consumer service with the SAML Authentication Request as specified in the redirection url:
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> SFRUUC8xLjEgMzAyIE9iamVjdCBNb3ZlZApEYXRlOiAyMiBPY3QgMjAwOSAwNzowMDo0OSBH TVQKTG9jYXRpb246IGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbS9TQU1ML1hNUFAvQnJvd3Nl cj9TQU1MUmVxdWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lp QkpSRDBpWDJKbFl6UXlOR1poTlRFd016UXlPRGt3T1dFek1HWm1NV1V6TVRFMk9ETXlOMlkz T1RRM05EazROQ0lnVm1WeWMybHZiajBpTWk0d0lpQkpjM04xWlVsdWMzUmhiblE5SWpJd01E Y3RNVEl0TVRCVU1URTZNems2TXpSYUlpQkdiM0pqWlVGMWRHaHVQU0ptWVd4elpTSWdTWE5R WVhOemFYWmxQU0ptWVd4elpTSWdVSEp2ZEc5amIyeENhVzVrYVc1blBTSjFjbTQ2YjJGemFY TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZbWx1WkdsdVozTTZTRlJVVUMxUVQxTlVJaUJC YzNObGNuUnBiMjVEYjI1emRXMWxjbE5sY25acFkyVlZVa3c5SW1oMGRIQTZMeTk0YlhCd0xt VjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFYTnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05s SWo0S29LQ2dvRHh6WVcxc09rbHpjM1ZsY2lCNGJXeHVjenB6WVcxc1BTSjFjbTQ2YjJGemFY TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZWE56WlhKMGFXOXVJajRLb0tDZ29LQ2dvS0Jv ZEhSd09pOHZlRzF3Y0M1bGVHRnRjR3hsTG1OdmJRcWdvS0NnUEM5ellXMXNPa2x6YzNWbGNq NEtvS0Nnb0R4ellXMXNjRHBPWVcxbFNVUlFiMnhwWTNrZ2VHMXNibk02YzJGdGJIQTlJblZ5 YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB3Y205MGIyTnZiQ0lnUm05eWJX RjBQU0oxY200NmIyRnphWE02Ym1GdFpYTTZkR002VTBGTlREb3lMakE2Ym1GdFpXbGtMV1p2 Y20xaGREcHdaWEp6YVhOMFpXNTBJaUJUVUU1aGJXVlJkV0ZzYVdacFpYSTlJbmh0Y0hBdVpY aGhiWEJzWlM1amIyMGlJRUZzYkc5M1EzSmxZWFJsUFNKMGNuVmxJaUF2UGdxZ29LQ2dQSE5o Yld4d09sSmxjWFZsYzNSbFpFRjFkR2h1UTI5dWRHVjRkQ0I0Yld4dWN6cHpZVzFzY0QwaWRY SnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkRiMjF3 WVhKcGMyOXVQU0psZUdGamRDSStDcUNnb0tDZ29LQ2dQSE5oYld3NlFYVjBhRzVEYjI1MFpY aDBRMnhoYzNOU1pXWWdlRzFzYm5NNmMyRnRiRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJq T2xOQlRVdzZNaTR3T21GemMyVnlkR2x2YmlJK0NxQ2dvS0Nnb0tDZ29LQ2dvSFZ5YmpwdllY TnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHBoWXpwamJHRnpjMlZ6T2xCaGMzTjNiM0pr VUhKdmRHVmpkR1ZrVkhKaGJuTndiM0owQ3FDZ29LQ2dvS0NnUEM5ellXMXNPa0YxZEdodVEy OXVkR1Y0ZEVOc1lYTnpVbVZtUGdxZ29LQ2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpXUkJkWFJv YmtOdmJuUmxlSFErQ2p3dmMyRnRiSEE2UVhWMGFHNVNaWEYxWlhOMFBnbz0mUmVsYXlTdGF0 ZT0wMDQzYmZjMWJjNDUxMTBkYWUxNzAwNDAwNWIxM2EyYiZTaWdBbGc9aHR0cCUzQSUyRiUg MkZ3d3cudzMub3JnJTJGMjAwJTJGMDklMkZ4bWxkc2lnJTIzcnNhLSBzaGExJlNpZ25hdHVy ZT1OT1RBUkVBTFNJR05BVFVSRUJVVFRIRVJFQUxPTkVXT1VMREdPSEVSRQpDb250ZW50LVR5 cGU6IHRleHQvaHRtbDsgY2hhcnNldD1pc28tODg1OS0xCg== </challenge>
The decoded challenge is:
HTTP/1.1 302 Object Moved Date: 22 Oct 2009 07:00:49 GMT Location: https://xmpp.example.com/SAML/XMPP/Browser?SAMLRequest= PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNB TUw6Mi4wOnByb3RvY29sIiBJRD0iX2JlYzQyNGZhNTEwMzQyODkwOWEzMGZmMWUzMTE2ODMy N2Y3OTQ3NDk4NCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMDctMTItMTBUMTE6 Mzk6MzRaIiBGb3JjZUF1dGhuPSJmYWxzZSIgSXNQYXNzaXZlPSJmYWxzZSIgUHJvdG9jb2xC aW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NU IiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHA6Ly94bXBwLmV4YW1wbGUuY29t L1NBTUwvQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4KoKCgoDxzYW1sOklzc3VlciB4bWxu czpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4KoKCgoKCg oKBodHRwOi8veG1wcC5leGFtcGxlLmNvbQqgoKCgPC9zYW1sOklzc3Vlcj4KoKCgoDxzYW1s cDpOYW1lSURQb2xpY3kgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIu MDpwcm90b2NvbCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlk LWZvcm1hdDpwZXJzaXN0ZW50IiBTUE5hbWVRdWFsaWZpZXI9InhtcHAuZXhhbXBsZS5jb20i IEFsbG93Q3JlYXRlPSJ0cnVlIiAvPgqgoKCgPHNhbWxwOlJlcXVlc3RlZEF1dGhuQ29udGV4 dCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBD b21wYXJpc29uPSJleGFjdCI+ CqCgoKCgoKCgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWYgeG1sbnM6c2FtbD0idXJuOm9h c2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+ CqCgoKCgoKCgoKCgoHVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBh c3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0CqCgoKCgoKCgPC9zYW1sOkF1dGhuQ29udGV4dENs YXNzUmVmPgqgoKCgPC9zYW1scDpSZXF1ZXN0ZWRBdXRobkNvbnRleHQ+ Cjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pgo=&RelayState= 0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F% 2Fwww.w3.org%2F200%2F09%2Fxmldsig%23rsa- sha1&Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE Content-Type: text/html; charset=iso-8859-1
Where the decoded SAMLRequest looks like:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL= "http://xmpp.example.com/SAML/AssertionConsumerService"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> http://xmpp.example.com </saml:Issuer> <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="xmpp.example.com" AllowCreate="true" /> <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"> <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> Ê urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest>
Step 5 (alt): Server returns error to client:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <incorrect-encoding/> </failure> </stream:stream>
Step 6: Client sends a BASE64 encoded empty response to the challenge:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> = </response>
[ The client now sends the URL to a browser for processing. The browser engages in a normal SAML authentication flow (external to SASL), like redirection to the Identity Provider (http://saml.example.org), the user logs into http://saml.example.org, and agrees to authenticate to xmpp.example.com. A redirect is passed back to the client browser who sends the AuthN response to the server, containing the subject-identifier and possibly the jid as an attribute. If the AuthN response doesn't contain the JID, the server maps the subject-identifier received from the IdP to a jid]
Step 7: Server informs client of successful authentication:
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 7 (alt): Server informs client of failed authentication:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <temporary-auth-failure/> </failure> </stream:stream>
Step 8: Client initiates a new stream to server:
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>
Step 9: Server responds by sending a stream header to client along with any additional features (or an empty features element):
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='c2s_345' from='example.com' version='1.0'> <stream:features> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/> <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/> </stream:features>
Step 10: Client binds a resource:
<iq type='set' id='bind_1'> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'> <resource>someresource</resource> </bind> </iq>
Step 11: Server informs client of successful resource binding:
<iq type='result' id='bind_1'> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'> <jid>somenode@example.com/someresource</jid> </bind> </iq>
Please note: line breaks were added to the base64 for clarity.
TOC |
This section will address only security considerations associated with the use of SAML with SASL applications. For considerations relating to SAML in general, the reader is referred to the SAML specification and to other literature. Similarly, for general SASL Security Considerations, the reader is referred to that specification.
TOC |
The IdP is aware of each RP that a user logs into. There is nothing in the protocol to hide this information from the IdP. It is not a requirement to track the visits, but there is nothing that prohibits the collection of information. SASL servers should be aware that SAML IdPs will track - to some extent - user access to their services.
TOC |
It is possible for RPs to link data that they have collected on you. By using the same identifier to log into every RP, collusion between RPs is possible. In SAML, targeted identity was introduced. Targeted identity allows the IdP to transform the identifier the user typed in to an opaque identifier. This way the RP would never see the actual user identifier, but a randomly generated identifier. This is an option the user has to understand and decide to use if the IdP is supporting it.
TOC |
The IANA is requested to register the following SASL profile:
SASL mechanism profile: SAML20
Security Considerations: See this document
Published Specification: See this document
For further information: Contact the authors of this document.
Owner/Change controller: the IETF
Note: None
TOC |
[OASIS.saml-bindings-2.0-os] | Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Maler, “Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0,” OASIS Standard saml-bindings-2.0-os, March 2005. |
[OASIS.saml-core-2.0-os] | Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0,” OASIS Standard saml-core-2.0-os, March 2005. |
[RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
[RFC2616] | Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2616, June 1999 (TXT, PS, PDF, HTML, XML). |
[RFC4422] | Melnikov, A. and K. Zeilenga, “Simple Authentication and Security Layer (SASL),” RFC 4422, June 2006 (TXT). |
[RFC4648] | Josefsson, S., “The Base16, Base32, and Base64 Data Encodings,” RFC 4648, October 2006 (TXT). |
TOC |
The authors would like to thank Scott Cantor, Joe Hildebrand, Josh Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan and Hannes Tschofenig for their review and contributions.
TOC |
This section to be removed prior to publication.
TOC |
Klaas Wierenga | |
Cisco Systems, Inc. | |
Haarlerbergweg 13-19 | |
Amsterdam, Noord-Holland 1101 CH | |
Netherlands | |
Phone: | +31 20 357 1752 |
Email: | klaas@cisco.com |
Eliot Lear | |
Cisco Systems GmbH | |
Richtistrasse 7 | |
Wallisellen, ZH CH-8304 | |
Switzerland | |
Phone: | +41 44 878 9200 |
Email: | lear@cisco.com |