Re: [abfab] EAP naming attribute document
Josh Howlett <Josh.Howlett@ja.net> Thu, 18 August 2011 09:23 UTC
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C384C21F8A64 for <abfab@ietfa.amsl.com>; Thu, 18 Aug 2011 02:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.849
X-Spam-Level:
X-Spam-Status: No, score=-102.849 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xF5TCDGIlEYS for <abfab@ietfa.amsl.com>; Thu, 18 Aug 2011 02:23:57 -0700 (PDT)
Received: from har003676.ukerna.ac.uk (har003676.ukerna.ac.uk [194.82.140.75]) by ietfa.amsl.com (Postfix) with ESMTP id 4E15221F8AC9 for <abfab@ietf.org>; Thu, 18 Aug 2011 02:23:56 -0700 (PDT)
Received: from har003676.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 578894A6B64_E4CDA5FB; Thu, 18 Aug 2011 09:24:47 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by har003676.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id E8B204A6B62_E4CDA5EF; Thu, 18 Aug 2011 09:24:46 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.01.0289.001; Thu, 18 Aug 2011 10:24:46 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: Jim Schaad <ietf@augustcellars.com>, Sam Hartman <hartmans@painless-security.com>
Thread-Topic: [abfab] EAP naming attribute document
Thread-Index: AcxdLL7/uxu2AHvmQ1SmW8sa3fWK/AAECpGnAAqQaoAACF/UAA==
Date: Thu, 18 Aug 2011 09:24:45 +0000
Message-ID: <CA728FF2.284D3%josh.howlett@ja.net>
In-Reply-To: <00a801cc5d6f$8eebc1b0$acc34510$@augustcellars.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.12.0.110505
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <742F6E03752F334487E2607E00778CE9@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "abfab@ietf.org" <abfab@ietf.org>, 'Sam Hartman' <hartmans-ietf@mit.edu>
Subject: Re: [abfab] EAP naming attribute document
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2011 09:23:58 -0000
>My bad - I meant to type -- What happens if AAA transports back two >different SAML assertions. I am still getting statement and assertion >confused. A statement is basically a strongly typed value. An assertion is an envelope for >0 statements that provides the rest of the context; who does those statements describe, who is making the claim, how long is this claim valid for, etc. >What I am looking at is draft-howlett-radius-saml-attr, it is currently >documented as saying that all of the data bytes of all of the Radius >packets >in a AAA message are concatenated together. This means that it is not >possible for two SAML assertions to be returned (successful) in that the >second one would be appended to the first one and you would basically have >two XML constructs concatenated. One could either modify that draft or >modify the XML parsing code to deal with two SAML assertions being >returned >but that is not presently stated. Thus I believe that only one (the >first) >would be successfully found and parsed under today's specifications. draft-howlett-radius-saml-attr transports SAML protocol messages. A single protocol message can certainly contain >1 assertion. >However (Scott please help me here), in Beijing I was informed that for >the >use case that I had it would be possible for the IDP to next a SAML >assertion from a different issuer within its own assertion. I don't know >the syntax that would be expected to ensue (but I really do want to know). It's certainly possible to do that using the <Advice> element (see 2.6.1 of SAMLCore). I don't know whether it makes sense for your use case. >> >> >> Jim> 5. Are we defining a property in the GSS EAP namespace that >> Jim> can contain the set of attributes that the service wants to >> Jim> have returned by the IDP? This could take the value of the >> Jim> SAML Request to be sent to the IDP. >> >> It's my understanding we are not currently doing that. >> I'd prefer to have someone say that they would implement before we spend >> energy specifying this. > >Plasma is probably going to want this as soon as we start implementations. >The current concept is that the service is going to ask the IdP for the >set >of attributes that it needs to evaluate the set of policies applied to a >message. The expectation is that one would not wish to send all >attributes >that might be needed to evaluate random policies in generation. You can trivially specify the required attributes in an <AttributeQuery> message issued by the RP to the IdP, using draft-howlett-radius-saml-attr. (The Moonshot GSS EAP implementation doesn't currently support an application to signal its attribute requirements, mainly because as Sam implies (I think) the GSS API doesn't currently support this; but a local AAA proxy that knew the application's requirement could inject this. I believe it would be better for the application to do this, though) >Additionally it is expected that SAML assertion issues might map >statements >from their space onto the service providers space. Thus this is something >that should become important to me quickly. I think that's an implementation issue. (FYI, the Moonshot implementation supports this; one of the benefits of using Scott's SP) Josh. JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
- [abfab] EAP naming attribute document Jim Schaad
- Re: [abfab] EAP naming attribute document Sam Hartman
- Re: [abfab] EAP naming attribute document Cantor, Scott
- Re: [abfab] EAP naming attribute document Jim Schaad
- Re: [abfab] EAP naming attribute document Josh Howlett
- Re: [abfab] EAP naming attribute document Josh Howlett
- Re: [abfab] EAP naming attribute document Luke Howard
- Re: [abfab] EAP naming attribute document Sam Hartman
- Re: [abfab] EAP naming attribute document Luke Howard
- Re: [abfab] EAP naming attribute document Leif Johansson
- Re: [abfab] EAP naming attribute document Sam Hartman
- Re: [abfab] EAP naming attribute document Jim Schaad
- Re: [abfab] EAP naming attribute document Sam Hartman
- Re: [abfab] EAP naming attribute document Sam Hartman
- [abfab] EAP naming attribute document Jim Schaad
- Re: [abfab] EAP naming attribute document Josh Howlett
- Re: [abfab] EAP naming attribute document Josh Howlett
- Re: [abfab] EAP naming attribute document Sam Hartman
- Re: [abfab] EAP naming attribute document Josh Howlett
- Re: [abfab] EAP naming attribute document Jim Schaad
- Re: [abfab] EAP naming attribute document Jim Schaad
- Re: [abfab] EAP naming attribute document Josh Howlett
- Re: [abfab] EAP naming attribute document Gabriel López
- Re: [abfab] EAP naming attribute document Sam Hartman
- Re: [abfab] EAP naming attribute document Josh Howlett