TOC 
Network Working GroupK. Wierenga
Internet-DraftCisco Systems, Inc.
Intended status: Standards TrackE. Lear
Expires: July 19, 2010Cisco Systems GmbH
 January 15, 2010


A SASL Mechanism for SAML
draft-wierenga-ietf-sasl-saml-00.txt

Abstract

Security Assertion Markup Language (SAML) has found its usage on the Internet for Web Single Sign-On. Simple Authentication and Security Layer (SASL) is an application framework to generalize authentication. This memo specifies a SASL mechanism for SAML 2.0 that allows the integration of existing SAML Identity Providers with applications using SASL.

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on July 19, 2010.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.



Table of Contents

1.  Introduction
2.  Terminology
3.  Applicability for non-HTTP Use Cases
4.  SAML SASL Mechanism Specification
    4.1.  Advertisement
    4.2.  Initiation
    4.3.  Server Redirect
    4.4.  Client Empty Response and other
    4.5.  Outcome and parameters
5.  Example
6.  Security Considerations
    6.1.  User Privacy
    6.2.  Collusion between RPs
7.  IANA Considerations
8.  Normative References
Appendix A.  Acknowledgments
Appendix B.  Changes
§  Authors' Addresses




 TOC 

1.  Introduction

Security Assertion Markup Language (SAML) (Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0,” March 2005.) [OASIS.saml‑core‑2.0‑os] is a multi-party protocol (or rather set of protocols) that provides a means for a user to offer identity assertions and other attributes to a relying party (RP) via the help of an identity provider (IdP).

Simple Authentication and Security Layer (SASL) (Melnikov, A. and K. Zeilenga, “Simple Authentication and Security Layer (SASL),” June 2006.) [RFC4422] is a generalized mechanism for identifying and authenticating a user and for optionally negotiating a security layer for subsequent protocol interactions. SASL is used by application protocols like IMAP, POP and XMPP. The effect is to make modular authentication, so that newer authentication mechanisms can be added as needed. This memo specifies just such a mechanism.

As currently envisioned, this mechanism is to allow the interworking between SASL and SAML in order to assert identity and other attributes to relying parties. As such, while servers (as relying parties) will advertise SASL mechanisms (including SAML), clients will select the SAML SASL mechanism as their SASL mechanism of choice.

The SAML mechanism described in this memo aims to re-use the available SAML deployment to a maximum extent and therefore does not establish a separate authentication, integrity and confidentiality mechanism. It is anticipated that existing security layers, such as Transport Layer Security (TLS), will continued to be used.

Figure 1 (Interworking Architecture) describes the interworking between SAML and SASL: this document requires enhancements to the Relying Party and to the Client (as the two SASL communication end points) but no changes to the SAML Identity Provider are necessary. To accomplish this goal some indirect messaging is tunneled within SASL, and some use of external methods is made.





                                    +-----------+
                                    |           |
                                   >|  Relying  |
                                  / |  Party    |
                                //  |           |
                              //    +-----------+
                   SAML/    //            ^
                   HTTPs  //           +--|--+
                        //             | S|  |
                       /             S | A|  |
                     //              A | M|  |
                   //                S | L|  |
                 //                  L |  |  |
               //                      |  |  |
             </                        +--|--+
      +------------+                      v
      |            |                 +----------+
      |  SAML      |     HTTPs       |          |
      |  Identity  |<--------------->|  Client  |
      |  Provider  |                 |          |
      +------------+                 +----------+

 Figure 1: Interworking Architecture 



 TOC 

2.  Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).

The reader is assumed to be familiar with the terms used in the SAML 2.0 specification.



 TOC 

3.  Applicability for non-HTTP Use Cases

While SAML itself is merely a markup language, its common use case these days is with HTTP. What follows is a typical flow:

  1. The browser requests a resource of a Relying Party (RP) (via an HTTP request).
  2. The RP sends an HTTP redirect as described in Section 10.3 of [RFC2616] (Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” June 1999.) to the browser to the Identity Provider (IdP) or an IdP discovery service with an authentication request that contains the name of resource being requested, some sort of a cookie and a return URL,
  3. The user authenticates to the IdP and perhaps authorizes the authentication to the service provider.
  4. In its authentication response, the IdP redirects the browser back to the RP with an authentication assertion, optionally along with some additional attributes.
  5. RP now has sufficient identity information to approve access to the resource or not, and acts accordingly. The authentication is concluded.

When considering this flow in the context of SASL, we note that while the RP and the client both must change their code to implement this SASL mechanism, the IdP must remain untouched. The RP already has some sort of session (probably a TCP connection) established with the client. Hence, it is not necessary to redirect the client back to the RP. However, it may be necessary to redirect a client application to another application or handler. This will be discussed below. The steps are shown from below:

  1. The server MAY advertise the SAML20 capability.
  2. The client initiates a SASL authentication with SAML20
  3. The server sends the client one of two responses:
    1. a redirect to an IdP discovery service; or
    2. a redirect to the IdP with a complete authentication request.
  4. In either case, the client MUST send an empty response.
  5. The SASL client hands the redirect to either a browser or an appropriate handler (either external or internal to the client), and the SAML authentication proceeds externally and opaquely from the SASL process.
  6. The SASL Server indicates success or failure, along with an optional list of attributes

Please note: What is described here is the case in which the client has not previously authenticated. If the client can handle SAML internally it is possible that the client already holds a SAML authentication token that can be send directly to the server, but that would still be external to SASL.

Encompassed in step five is discovery, redirection back to the RP, redirection to the IdP, and IdP, authentication, and IdP redirection, based on the decision. These processes are all external to SASL.

With all of this in mind, the flow appears as follows:





         SASL Serv.       Client          IdP
            |>-----(1)----->|              | Advertisement
            |               |              |
            |<-----(2)-----<|              | Initiation
            |               |              |
            |>-----(3)----->|              | Response (redirect)
            |               |              |
            |<-----(4)-----<|              | Empty Response
            |               |              |
            |< - - (5) - - - - - - - - - ->| Client<>IDP
            |               |              | Indirect Auth Request
            |               |              |
            |>-----(6)----->|              | Server sends Outcome with
            |               |              | attributes
            |               |              |

       ----- = SASL
       - - - = HTTP or HTTPs (external to SASL)



 Figure 2: Authentication flow 



 TOC 

4.  SAML SASL Mechanism Specification

Based on the previous figure, the following operations are performed with the SAML SASL mechanism:



 TOC 

4.1.  Advertisement

To advertise that a server supports SAML 2.0, during application session initiation, it displays the name "SAML20" in the list of supported SASL mechanisms.



 TOC 

4.2.  Initiation

A client initiates a "SAML20" authentication



 TOC 

4.3.  Server Redirect

The SASL Server transmits a redirect to the URI of a discovery service or an IdP that is configured at the server, with a SAML authentication request in the form of a SAML assertion as one of the parameters.



 TOC 

4.4.  Client Empty Response and other

The SASL client hands the URI it received from the server in the previous step to either a browser or other appropriate handler to continue authentication externally while sending an empty response to the SASL server. The URI is encoded according to Section 3.4 of the SAML bindings 2.0 specification (Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Maler, “Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0,” March 2005.) [OASIS.saml‑bindings‑2.0‑os].



 TOC 

4.5.  Outcome and parameters

The SAML authentication having completed externally, the SASL server will transmit the outcome



 TOC 

5.  Example

Suppose the user has an identity at the SAML IdP saml.example.org and a Jabber Identifier (jid) "somenode@example.com", and wishes to authenticate his XMPP connection to xmpp.example.com (and example.com and example.org have established a trust relation). The authentication on the wire would then look something like the following:

Step 1: Client initiates stream to server:


<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' version='1.0'>

Step 2: Server responds with a stream tag sent to client:


<stream:stream
xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'
id='some_id' from='example.com' version='1.0'>

Step 3: Server informs client of available authentication mechanisms:


<stream:features>
 <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
  <mechanism>DIGEST-MD5</mechanism>
  <mechanism>PLAIN</mechanism>
  <mechanism>SAML20</mechanism>
 </mechanisms>
</stream:features>

Step 4: Client selects an authentication mechanism:


<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SAML20'/>

Step 5: Server sends a BASE64 (Josefsson, S., “The Base16, Base32, and Base64 Data Encodings,” October 2006.) [RFC4648] encoded challenge to client in the form of an HTTP Redirect to the SAML assertion consumer service with the SAML Authentication Request as specified in the redirection url:


<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
SFRUUC8xLjEgMzAyIE9iamVjdCBNb3ZlZApEYXRlOiAyMiBPY3QgMjAwOSAwNzowMDo0OSBH
TVQKTG9jYXRpb246IGh0dHBzOi8veG1wcC5leGFtcGxlLmNvbS9TQU1ML1hNUFAvQnJvd3Nl
cj9TQU1MUmVxdWVzdD1QSE5oYld4d09rRjFkR2h1VW1WeGRXVnpkQ0I0Yld4dWN6cHpZVzFz
Y0QwaWRYSnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lp
QkpSRDBpWDJKbFl6UXlOR1poTlRFd016UXlPRGt3T1dFek1HWm1NV1V6TVRFMk9ETXlOMlkz
T1RRM05EazROQ0lnVm1WeWMybHZiajBpTWk0d0lpQkpjM04xWlVsdWMzUmhiblE5SWpJd01E
Y3RNVEl0TVRCVU1URTZNems2TXpSYUlpQkdiM0pqWlVGMWRHaHVQU0ptWVd4elpTSWdTWE5R
WVhOemFYWmxQU0ptWVd4elpTSWdVSEp2ZEc5amIyeENhVzVrYVc1blBTSjFjbTQ2YjJGemFY
TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZbWx1WkdsdVozTTZTRlJVVUMxUVQxTlVJaUJC
YzNObGNuUnBiMjVEYjI1emRXMWxjbE5sY25acFkyVlZVa3c5SW1oMGRIQTZMeTk0YlhCd0xt
VjRZVzF3YkdVdVkyOXRMMU5CVFV3dlFYTnpaWEowYVc5dVEyOXVjM1Z0WlhKVFpYSjJhV05s
SWo0S29LQ2dvRHh6WVcxc09rbHpjM1ZsY2lCNGJXeHVjenB6WVcxc1BTSjFjbTQ2YjJGemFY
TTZibUZ0WlhNNmRHTTZVMEZOVERveUxqQTZZWE56WlhKMGFXOXVJajRLb0tDZ29LQ2dvS0Jv
ZEhSd09pOHZlRzF3Y0M1bGVHRnRjR3hsTG1OdmJRcWdvS0NnUEM5ellXMXNPa2x6YzNWbGNq
NEtvS0Nnb0R4ellXMXNjRHBPWVcxbFNVUlFiMnhwWTNrZ2VHMXNibk02YzJGdGJIQTlJblZ5
YmpwdllYTnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHB3Y205MGIyTnZiQ0lnUm05eWJX
RjBQU0oxY200NmIyRnphWE02Ym1GdFpYTTZkR002VTBGTlREb3lMakE2Ym1GdFpXbGtMV1p2
Y20xaGREcHdaWEp6YVhOMFpXNTBJaUJUVUU1aGJXVlJkV0ZzYVdacFpYSTlJbmh0Y0hBdVpY
aGhiWEJzWlM1amIyMGlJRUZzYkc5M1EzSmxZWFJsUFNKMGNuVmxJaUF2UGdxZ29LQ2dQSE5o
Yld4d09sSmxjWFZsYzNSbFpFRjFkR2h1UTI5dWRHVjRkQ0I0Yld4dWN6cHpZVzFzY0QwaWRY
SnVPbTloYzJsek9tNWhiV1Z6T25Sak9sTkJUVXc2TWk0d09uQnliM1J2WTI5c0lpQkRiMjF3
WVhKcGMyOXVQU0psZUdGamRDSStDcUNnb0tDZ29LQ2dQSE5oYld3NlFYVjBhRzVEYjI1MFpY
aDBRMnhoYzNOU1pXWWdlRzFzYm5NNmMyRnRiRDBpZFhKdU9tOWhjMmx6T201aGJXVnpPblJq
T2xOQlRVdzZNaTR3T21GemMyVnlkR2x2YmlJK0NxQ2dvS0Nnb0tDZ29LQ2dvSFZ5YmpwdllY
TnBjenB1WVcxbGN6cDBZenBUUVUxTU9qSXVNRHBoWXpwamJHRnpjMlZ6T2xCaGMzTjNiM0pr
VUhKdmRHVmpkR1ZrVkhKaGJuTndiM0owQ3FDZ29LQ2dvS0NnUEM5ellXMXNPa0YxZEdodVEy
OXVkR1Y0ZEVOc1lYTnpVbVZtUGdxZ29LQ2dQQzl6WVcxc2NEcFNaWEYxWlhOMFpXUkJkWFJv
YmtOdmJuUmxlSFErQ2p3dmMyRnRiSEE2UVhWMGFHNVNaWEYxWlhOMFBnbz0mUmVsYXlTdGF0
ZT0wMDQzYmZjMWJjNDUxMTBkYWUxNzAwNDAwNWIxM2EyYiZTaWdBbGc9aHR0cCUzQSUyRiUg
MkZ3d3cudzMub3JnJTJGMjAwJTJGMDklMkZ4bWxkc2lnJTIzcnNhLSBzaGExJlNpZ25hdHVy
ZT1OT1RBUkVBTFNJR05BVFVSRUJVVFRIRVJFQUxPTkVXT1VMREdPSEVSRQpDb250ZW50LVR5
cGU6IHRleHQvaHRtbDsgY2hhcnNldD1pc28tODg1OS0xCg==
</challenge>

The decoded challenge is:


HTTP/1.1 302 Object Moved Date: 22 Oct 2009 07:00:49 GMT Location:
https://xmpp.example.com/SAML/XMPP/Browser?SAMLRequest=
PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNB
TUw6Mi4wOnByb3RvY29sIiBJRD0iX2JlYzQyNGZhNTEwMzQyODkwOWEzMGZmMWUzMTE2ODMy
N2Y3OTQ3NDk4NCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMDctMTItMTBUMTE6
Mzk6MzRaIiBGb3JjZUF1dGhuPSJmYWxzZSIgSXNQYXNzaXZlPSJmYWxzZSIgUHJvdG9jb2xC
aW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NU
IiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHA6Ly94bXBwLmV4YW1wbGUuY29t
L1NBTUwvQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIj4KoKCgoDxzYW1sOklzc3VlciB4bWxu
czpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4KoKCgoKCg
oKBodHRwOi8veG1wcC5leGFtcGxlLmNvbQqgoKCgPC9zYW1sOklzc3Vlcj4KoKCgoDxzYW1s
cDpOYW1lSURQb2xpY3kgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIu
MDpwcm90b2NvbCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlk
LWZvcm1hdDpwZXJzaXN0ZW50IiBTUE5hbWVRdWFsaWZpZXI9InhtcHAuZXhhbXBsZS5jb20i
IEFsbG93Q3JlYXRlPSJ0cnVlIiAvPgqgoKCgPHNhbWxwOlJlcXVlc3RlZEF1dGhuQ29udGV4
dCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBD
b21wYXJpc29uPSJleGFjdCI+
CqCgoKCgoKCgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWYgeG1sbnM6c2FtbD0idXJuOm9h
c2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+
CqCgoKCgoKCgoKCgoHVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBh
c3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0CqCgoKCgoKCgPC9zYW1sOkF1dGhuQ29udGV4dENs
YXNzUmVmPgqgoKCgPC9zYW1scDpSZXF1ZXN0ZWRBdXRobkNvbnRleHQ+
Cjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pgo=&RelayState=
0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F%
2Fwww.w3.org%2F200%2F09%2Fxmldsig%23rsa-
sha1&Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE Content-Type:
text/html; charset=iso-8859-1

Where the decoded SAMLRequest looks like:


<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0"
    IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false"
    IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL=
        "http://xmpp.example.com/SAML/AssertionConsumerService">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
     http://xmpp.example.com
 </saml:Issuer>
 <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
     SPNameQualifier="xmpp.example.com" AllowCreate="true" />
 <samlp:RequestedAuthnContext
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Comparison="exact">
  <saml:AuthnContextClassRef
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 Ê    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  </saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>


Step 5 (alt): Server returns error to client:


<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
 <incorrect-encoding/>
</failure>
</stream:stream>

Step 6: Client sends a BASE64 encoded empty response to the challenge:


<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
 =
</response>

[ The client now sends the URL to a browser for processing. The browser engages in a normal SAML authentication flow (external to SASL), like redirection to the Identity Provider (http://saml.example.org), the user logs into http://saml.example.org, and agrees to authenticate to xmpp.example.com. A redirect is passed back to the client browser who sends the AuthN response to the server, containing the subject-identifier and possibly the jid as an attribute. If the AuthN response doesn't contain the JID, the server maps the subject-identifier received from the IdP to a jid]

Step 7: Server informs client of successful authentication:


<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

Step 7 (alt): Server informs client of failed authentication:


<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
 <temporary-auth-failure/>
</failure>
</stream:stream>

Step 8: Client initiates a new stream to server:


<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' version='1.0'>

Step 9: Server responds by sending a stream header to client along with any additional features (or an empty features element):


<stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_345' from='example.com' version='1.0'>
<stream:features>
 <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
 <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
</stream:features>

Step 10: Client binds a resource:


   <iq type='set' id='bind_1'>
     <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
       <resource>someresource</resource>
     </bind>
   </iq>

Step 11: Server informs client of successful resource binding:


   <iq type='result' id='bind_1'>
     <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
       <jid>somenode@example.com/someresource</jid>
     </bind>
   </iq>

Please note: line breaks were added to the base64 for clarity.



 TOC 

6.  Security Considerations

This section will address only security considerations associated with the use of SAML with SASL applications. For considerations relating to SAML in general, the reader is referred to the SAML specification and to other literature. Similarly, for general SASL Security Considerations, the reader is referred to that specification.



 TOC 

6.1.  User Privacy

The IdP is aware of each RP that a user logs into. There is nothing in the protocol to hide this information from the IdP. It is not a requirement to track the visits, but there is nothing that prohibits the collection of information. SASL servers should be aware that SAML IdPs will track - to some extent - user access to their services.



 TOC 

6.2.  Collusion between RPs

It is possible for RPs to link data that they have collected on you. By using the same identifier to log into every RP, collusion between RPs is possible. In SAML, targeted identity was introduced. Targeted identity allows the IdP to transform the identifier the user typed in to an opaque identifier. This way the RP would never see the actual user identifier, but a randomly generated identifier. This is an option the user has to understand and decide to use if the IdP is supporting it.



 TOC 

7.  IANA Considerations

The IANA is requested to register the following SASL profile:

SASL mechanism profile: SAML20

Security Considerations: See this document

Published Specification: See this document

For further information: Contact the authors of this document.

Owner/Change controller: the IETF

Note: None



 TOC 

8. Normative References

[OASIS.saml-bindings-2.0-os] Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Maler, “Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0,” OASIS Standard saml-bindings-2.0-os, March 2005.
[OASIS.saml-core-2.0-os] Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0,” OASIS Standard saml-core-2.0-os, March 2005.
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2616, June 1999 (TXT, PS, PDF, HTML, XML).
[RFC4422] Melnikov, A. and K. Zeilenga, “Simple Authentication and Security Layer (SASL),” RFC 4422, June 2006 (TXT).
[RFC4648] Josefsson, S., “The Base16, Base32, and Base64 Data Encodings,” RFC 4648, October 2006 (TXT).


 TOC 

Appendix A.  Acknowledgments

The authors would like to thank Scott Cantor, Joe Hildebrand, Josh Howlett, Leif Johansson, Diego Lopez, Hank Mauldin, RL 'Bob' Morgan and Hannes Tschofenig for their review and contributions.



 TOC 

Appendix B.  Changes

This section to be removed prior to publication.



 TOC 

Authors' Addresses

  Klaas Wierenga
  Cisco Systems, Inc.
  Haarlerbergweg 13-19
  Amsterdam, Noord-Holland 1101 CH
  Netherlands
Phone:  +31 20 357 1752
Email:  klaas@cisco.com
  
  Eliot Lear
  Cisco Systems GmbH
  Richtistrasse 7
  Wallisellen, ZH CH-8304
  Switzerland
Phone:  +41 44 878 9200
Email:  lear@cisco.com