Re: [abfab] Naming of SAML and AAA systems

"Jim Schaad" <ietf@augustcellars.com> Wed, 19 June 2013 22:18 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Josh Howlett' <Josh.Howlett@ja.net>, abfab@ietf.org
References: <CDDCEA1B.1F018%Josh.Howlett@ja.net>
In-Reply-To: <CDDCEA1B.1F018%Josh.Howlett@ja.net>
Date: Wed, 19 Jun 2013 15:17:48 -0700
Message-ID: <048901ce6d3a$d52a6820$7f7f3860$@augustcellars.com>
Subject: Re: [abfab] Naming of SAML and AAA systems

> -----Original Message-----
> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf
> Of Josh Howlett
> Sent: Tuesday, June 11, 2013 6:52 AM
> To: abfab@ietf.org
> Subject: [abfab] Naming of SAML and AAA systems
> 
> I'm currently updating abfab-aaa-saml. The document is a bit unambiguous
> about the naming of system entities, specifically:
> 
>  1. There is no attempt to correlate the AAA and SAML entity naming (the
> transport and message levels respectively). I believe that we need a naming
> convention such that it is trivial to reliably infer a system entity's AAA or
> SAML name, given the other name.

I am not sure what this statement means. We have defined an NAI identifier
format for use in SAML certificates so that there is a way to have common
naming for the client entities between the two systems. Are you trying to
look at how to do naming for the AAA server and the SAML entity server?

> 
>  2. We don't yet have a mechanism for naming the functional roles of SAML
> entities within a realm, which I believe is needed to satisfy the attribute
> request and aggregation use cases. For example, an acceptor wanting
> additional attributes for an authenticated user from realm Foo from another
> attribute authority in realm Bar.

This is an interesting question; do you have a case where you want to do
this?

I am also not sure how one would go about sending such a message, are you
going to use AAA for routing the SAML request based on the domain you want
to send it to?  Is there a reason to expect that the AAA server at that
location wouldn't just somehow know what to do?

Jim


> 
> Here's my proposal:
> 
>  * A SAML system names itself using an entity identifier that is a URI
> encoding the AAA system's FQDN. For example "abfab:idp.example.com" and
> "abfab:rp.example.com" would name two hosts with FQDNs of
> idp.example.com and rp.example.com. For an RP, this entity identifier value
> (less the abfab prefix) will therefore be equal to the value of the
> GSS-Acceptor-Host-Name RADIUS attribute. It is worth noting that section
> 4.3 of RFC3588 specifies a URI scheme for AAA protocols, but it looks a bit
> elaborate for what we need (and possibly not complete, given the RADIUS
> transport options today). Irrespective of the convention we choose, RADIUS
> entities emitting SAML messages MUST use it.
> 
>  * SAML system entities are able to locate SAML entities within other realms
> using RADIUS by using well-known values for the user fragment of the NAI.
> For example, a relying party would resolve an attribute authority in a realm
> by using an NAI with value "abfab:aa@example.com". This might return a SAML
> assertion issued by an entity named "abfab:idp.example.com".
> Similarly an authorisation PDP might be resolved using
> "abfab:pdp@example.com".
> 
> Opinions?
> 
> Josh.
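The two conventions in Josh's quoted proposal (an "abfab:" entity identifier derived from the AAA FQDN, and well-known NAI user fragments such as "abfab:aa@example.com" for locating a role within a realm), carried through as an added worked example. This is not code from the thread or from the abfab drafts. The "abfab:" prefix, the equality between an RP's entity identifier and its GSS-Acceptor-Host-Name, and the roles "aa" and "pdp" come from the quoted message; the hostname validation rule, the extra "idp" role, and the check that an assertion issuer must sit inside the realm the NAI was routed to are my assumptions.

```python
"""Naming convention from the quoted proposal, as an added example.

Assumptions (not stated in the thread): hostnames are checked with a loose
RFC 1123 label rule, "idp" is treated as a third well-known role, and an
assertion returned for abfab:<role>@<realm> is only accepted from an issuer
whose FQDN lies in <realm>.
"""
import re

PREFIX = "abfab:"
KNOWN_ROLES = {"aa", "pdp", "idp"}  # "aa" and "pdp" from the proposal; "idp" assumed

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Loose RFC 1123 hostname check (assumed rule): dotted non-empty labels."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def entity_id_from_fqdn(fqdn: str) -> str:
    """SAML entity identifier for the AAA system at this FQDN, e.g. abfab:rp.example.com."""
    fqdn = fqdn.lower()
    if not is_fqdn(fqdn):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    return PREFIX + fqdn


def fqdn_from_entity_id(entity_id: str) -> str:
    """Inverse mapping: recover the AAA name from a SAML entity identifier."""
    if not entity_id.startswith(PREFIX):
        raise ValueError(f"entity id lacks {PREFIX!r} prefix: {entity_id!r}")
    fqdn = entity_id[len(PREFIX):].lower()
    if not is_fqdn(fqdn):
        raise ValueError(f"entity id does not encode a valid FQDN: {entity_id!r}")
    return fqdn


def rp_names_consistent(entity_id: str, gss_acceptor_host_name: str) -> bool:
    """An RP's SAML name (less the prefix) must equal its GSS-Acceptor-Host-Name.

    A mismatch means the message-level name does not describe the
    transport-level peer, which is what the convention is meant to rule out.
    """
    try:
        return fqdn_from_entity_id(entity_id) == gss_acceptor_host_name.lower()
    except ValueError:
        return False


def role_nai(role: str, realm: str) -> str:
    """Well-known NAI used to reach a role inside a realm, e.g. abfab:aa@example.com."""
    realm = realm.lower()
    if role not in KNOWN_ROLES:
        raise ValueError(f"unknown role: {role!r}")
    if not is_fqdn(realm):
        raise ValueError(f"not a valid realm: {realm!r}")
    return f"{PREFIX}{role}@{realm}"


def parse_role_nai(nai: str) -> tuple:
    """Split 'abfab:<role>@<realm>' into (role, realm); reject anything else."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user.startswith(PREFIX):
        raise ValueError(f"not an abfab role NAI: {nai!r}")
    role, realm = user[len(PREFIX):], realm.lower()
    if role not in KNOWN_ROLES or not is_fqdn(realm):
        raise ValueError(f"not an abfab role NAI: {nai!r}")
    return role, realm


def assertion_issuer_acceptable(nai: str, issuer_entity_id: str) -> bool:
    """Assumed check: after routing abfab:aa@example.com, accept the returned
    assertion only if its issuer (e.g. abfab:idp.example.com) is in example.com."""
    try:
        _, realm = parse_role_nai(nai)
        issuer_fqdn = fqdn_from_entity_id(issuer_entity_id)
    except ValueError:
        return False
    return issuer_fqdn == realm or issuer_fqdn.endswith("." + realm)
```

The suffix test in the last function requires a dot before the realm, so an issuer named "abfab:idp.evil-example.com" is not accepted for a request routed to "abfab:aa@example.com"; whether realm membership should be decided by name suffix at all, rather than by the AAA trust path that delivered the assertion, is an open design question the thread does not settle.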