Re: [abfab] Naming of SAML and AAA systems
"Jim Schaad" <ietf@augustcellars.com> Wed, 19 June 2013 22:18 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: 'Josh Howlett' <Josh.Howlett@ja.net>, abfab@ietf.org
References: <CDDCEA1B.1F018%Josh.Howlett@ja.net>
In-Reply-To: <CDDCEA1B.1F018%Josh.Howlett@ja.net>
Date: Wed, 19 Jun 2013 15:17:48 -0700
Message-ID: <048901ce6d3a$d52a6820$7f7f3860$@augustcellars.com>
> -----Original Message-----
> From: abfab-bounces@ietf.org [mailto:abfab-bounces@ietf.org] On Behalf Of Josh Howlett
> Sent: Tuesday, June 11, 2013 6:52 AM
> To: abfab@ietf.org
> Subject: [abfab] Naming of SAML and AAA systems
>
> I'm currently updating abfab-aaa-saml. The document is a bit unambiguous about the naming of system entities, specifically:
>
> 1. There is no attempt to correlate the AAA and SAML entity naming (the transport and message levels respectively). I believe that we need a naming convention such that it is trivial to reliably infer a system entity's AAA or SAML name, given the other name.

I am not sure what this statement means. We have defined an NAI identifier format for use in SAML certificates so that there is a way to have common naming for the client entities between the two systems. Are you trying to look at how to do naming for the AAA server and the SAML entity server?

> 2. We don't yet have a mechanism for naming the functional roles of SAML entities within a realm, which I believe is needed to satisfy the attribute request and aggregation use cases. For example, an acceptor wanting additional attributes for an authenticated user from realm Foo from another attribute authority in realm Bar.

This is an interesting question, do you have a case where you want to do this? I am also not sure how one would go about sending such a message, are you going to use AAA for routing the SAML request based on the domain you want to send it to? Is there a reason to expect that the AAA server at that location wouldn't just somehow know what to do?

Jim

> Here's my proposal:
>
> * A SAML system names itself using an entity identifier that is a URI that encodes the AAA system's FQDN. For example "abfab:idp.example.com" and "abfab:rp.example.com" would name two hosts with FQDNs of idp.example.com and rp.example.com. For an RP, this entity identifier value (less the abfab prefix) will therefore be equal to the value of the GSS-Acceptor-Host-Name RADIUS attribute. It is worth noting that section 4.3 of RFC3588 specifies a URI scheme for AAA protocols, but it looks a bit elaborate for what we need (and possibly not complete, given the RADIUS transport options today). Irrespective of the convention we choose, RADIUS entities emitting SAML messages MUST use it.
>
> * SAML system entities are able to locate SAML entities within other realms using RADIUS by using well-known values for the user fragment of the NAI. For example, a relying party would resolve an attribute authority in realm by using an NAI with value "abfab:aa@example.com". This might return a SAML assertion issued by an entity named "abfab:idp.example.com". Similarly an authorisation PDP might be resolved using "abfab:pdp@example.com".
>
> Opinions?
>
> Josh.
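The convention proposed in the quoted message (entity identifiers derived from the AAA FQDN, the RP check against GSS-Acceptor-Host-Name, and well-known NAI user fragments for locating roles), as an added illustration that is not code from the abfab-aaa-saml draft or from either author; the function names, the ROLES set and the hostname syntax check are assumptions made here.

```python
# Added illustration of the naming convention proposed in the quoted message;
# not code from the abfab-aaa-saml draft or from either author. The "abfab:"
# prefix and the idp/aa/pdp labels come from the proposal; the rest is assumed.
import re
from typing import Tuple

PREFIX = "abfab:"
ROLES = {"idp", "aa", "pdp"}  # well-known NAI user fragments from the proposal

# Conservative hostname syntax: dotted labels of letters, digits and hyphens.
_FQDN = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def _canonical_fqdn(name: str) -> str:
    """Lower-case, drop a trailing dot, and reject anything that is not an FQDN."""
    name = name.lower().rstrip(".")
    if not _FQDN.match(name):
        raise ValueError("not a valid FQDN: %r" % name)
    return name


def entity_id_from_fqdn(fqdn: str) -> str:
    """AAA name (FQDN) -> SAML entity identifier, e.g. 'abfab:rp.example.com'."""
    return PREFIX + _canonical_fqdn(fqdn)


def fqdn_from_entity_id(entity_id: str) -> str:
    """SAML entity identifier -> AAA name; rejects ids outside the abfab scheme."""
    if not entity_id.startswith(PREFIX) or "@" in entity_id:
        raise ValueError("not an abfab entity id: %r" % entity_id)
    return _canonical_fqdn(entity_id[len(PREFIX):])


def names_agree(entity_id: str, gss_acceptor_host_name: str) -> bool:
    """True only if the RP's SAML name and its GSS-Acceptor-Host-Name RADIUS
    value name the same host; a mismatch binds the two layers to different acceptors."""
    try:
        return fqdn_from_entity_id(entity_id) == _canonical_fqdn(gss_acceptor_host_name)
    except ValueError:
        return False


def role_nai(role: str, realm: str) -> str:
    """Build the NAI used to locate a role in a realm, e.g. 'abfab:aa@example.com'."""
    if role not in ROLES:
        raise ValueError("unknown role: %r" % role)
    return "%s%s@%s" % (PREFIX, role, _canonical_fqdn(realm))


def parse_role_nai(nai: str) -> Tuple[str, str]:
    """Split 'abfab:aa@example.com' into ('aa', 'example.com'); rejects other NAIs."""
    user, sep, realm = nai.partition("@")
    role = user[len(PREFIX):] if user.startswith(PREFIX) else ""
    if not sep or role not in ROLES:
        raise ValueError("not an abfab role NAI: %r" % nai)
    return role, _canonical_fqdn(realm)
```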