IETF Logo Mail Archive

Re: [abfab] Naming of SAML and AAA systems

David Chadwick <d.w.chadwick@kent.ac.uk> Fri, 14 June 2013 15:24 UTC

Return-Path: <d.w.chadwick@kent.ac.uk>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 463FE21F9BD0 for <abfab@ietfa.amsl.com>; Fri, 14 Jun 2013 08:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L2-RwP7JiHjv for <abfab@ietfa.amsl.com>; Fri, 14 Jun 2013 08:24:29 -0700 (PDT)
Received: from mx7.kent.ac.uk (mx7.kent.ac.uk [129.12.21.38]) by ietfa.amsl.com (Postfix) with ESMTP id 5715521F9B8D for <abfab@ietf.org>; Fri, 14 Jun 2013 08:24:28 -0700 (PDT)
Received: from [87.113.158.158] (helo=[192.168.1.67]) by mx7.kent.ac.uk with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.72) (envelope-from <d.w.chadwick@kent.ac.uk>) id 1UnVrW-0001ij-Hr; Fri, 14 Jun 2013 16:24:26 +0100
Message-ID: <51BB35AA.4030800@kent.ac.uk>
Date: Fri, 14 Jun 2013 16:24:26 +0100
From: David Chadwick <d.w.chadwick@kent.ac.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Josh Howlett <Josh.Howlett@ja.net>
References: <CDDCEA1B.1F018%Josh.Howlett@ja.net>
In-Reply-To: <CDDCEA1B.1F018%Josh.Howlett@ja.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Naming of SAML and AAA systems
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2013 15:24:34 -0000

Hi Josh

I guess you have two options
i) some sort of directory or metadata or config file in which names are 
listed and there is no requirement for them to be algorithmically 
related to each other, or
ii) having a mandatory naming convention that specifies how related 
entities are named, and from which you can determine the relationships.

Going with ii) suffers from problems if the relationships that are 
implicitly assumed in the naming convention turn out to be different in 
practice e.g. you assume 1 to 1 relationships between entities but they 
turn out to be 1 to n or n to n. Also what happens if new (sub)types of 
entities arise? You might end up having to change the code base to 
support them.

I think i) is safer, but it has additional costs of requiring support 
for the directory/discovery mechanism

regards

David

On 11/06/2013 14:52, Josh Howlett wrote:
> I'm currently updating abfab-aaa-saml. The document is a bit unambiguous
> about the naming of system entities, specifically:
>
>   1. There is no attempt to correlate the AAA and SAML entity naming (the
> transport and message levels respectively). I believe that we need a
> naming convention such that it is trivial to reliably infer a system
> entity's AAA or SAML name, given the other name.
>
>   2. We don't yet have a mechanism for naming the functional roles of SAML
> entities within a realm, which I believe is needed to satisfy the
> attribute request and aggregation use cases. For example, an acceptor
> wanting additional attributes for an authenticated user from realm Foo
> from another attribute authority in realm Bar.
>
> Here's my proposal:
>
>   * A SAML system names itself using an entity identifier is a URI that
> encodes the AAA system's FQDN. For example "abfab:idp.example.com" and
> "abfab:rp.example.com" would name two hosts with FQDNs of idp.example.com
> and rp.example.com. For an RP, this entity identifier value (less the
> abfab prefix) will therefore be equal to the value of the
> GSS-Acceptor-Host-Name RADIUS attribute. It is worth noting that section
> 4.3 of RFC3588 specifies a URI scheme for AAA protocols, but it looks a
> bit elaborate for what we need (and possibly not complete, given the
> RADIUS transport options today). Irrespective of the convention we choose,
> RADIUS entities emitting SAML messages MUST use it.
>
>   * SAML system entities are able to locate SAML entities within other
> realms using RADIUS by using well-known values for the user fragment of
> the NAI. For example, a relying party would resolve an attribute authority
> in realm by using an NAI with value "abfab:aa@example.com". This might
> return a SAML assertion issued by an entity named "abfab:idp.example.com".
> Similarly an authorisation PDP might be resolved using
> "abfab:pdp@example.com".
>
> Opinions?
>
> Josh.
>
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab
>

v2.23.0 | Report a Bug | By Email