[abfab] Naming of SAML and AAA systems
Josh Howlett <Josh.Howlett@ja.net> Tue, 11 June 2013 13:52 UTC
Return-Path: <Josh.Howlett@ja.net>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1353421F99FA for <abfab@ietfa.amsl.com>; Tue, 11 Jun 2013 06:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 68CotQjHeD0q for <abfab@ietfa.amsl.com>; Tue, 11 Jun 2013 06:52:27 -0700 (PDT)
Received: from egw001.ukerna.ac.uk (egw001.ukerna.ac.uk [194.82.140.74]) by ietfa.amsl.com (Postfix) with ESMTP id 77F5E21F99FB for <abfab@ietf.org>; Tue, 11 Jun 2013 06:52:25 -0700 (PDT)
Received: from egw001.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 0DF43204184E_1B72B98B for <abfab@ietf.org>; Tue, 11 Jun 2013 13:52:24 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw001.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id 136102041847_1B72B97F for <abfab@ietf.org>; Tue, 11 Jun 2013 13:52:23 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.02.0247.003; Tue, 11 Jun 2013 14:52:22 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: Naming of SAML and AAA systems
Thread-Index: AQHOZqrlNQobE6KmnEeECspOwbUWYw==
Date: Tue, 11 Jun 2013 13:52:22 +0000
Message-ID: <CDDCEA1B.1F018%Josh.Howlett@ja.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8922EDE9D890F940A650079A4C1872CD@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [abfab] Naming of SAML and AAA systems
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2013 13:52:34 -0000
I'm currently updating abfab-aaa-saml. The document is a bit unambiguous about the naming of system entities, specifically:

1. There is no attempt to correlate the AAA and SAML entity naming (the transport and message levels respectively). I believe that we need a naming convention such that it is trivial to reliably infer a system entity's AAA or SAML name, given the other name.

2. We don't yet have a mechanism for naming the functional roles of SAML entities within a realm, which I believe is needed to satisfy the attribute request and aggregation use cases. For example, an acceptor wanting additional attributes for an authenticated user from realm Foo from another attribute authority in realm Bar.

Here's my proposal:

* A SAML system names itself using an entity identifier that is a URI encoding the AAA system's FQDN. For example "abfab:idp.example.com" and "abfab:rp.example.com" would name two hosts with FQDNs of idp.example.com and rp.example.com. For an RP, this entity identifier value (less the abfab prefix) will therefore be equal to the value of the GSS-Acceptor-Host-Name RADIUS attribute. It is worth noting that section 4.3 of RFC3588 specifies a URI scheme for AAA protocols, but it looks a bit elaborate for what we need (and possibly not complete, given the RADIUS transport options today). Irrespective of the convention we choose, RADIUS entities emitting SAML messages MUST use it.

* SAML system entities are able to locate SAML entities within other realms using RADIUS by using well-known values for the user fragment of the NAI. For example, a relying party would resolve an attribute authority in a realm by using an NAI with value "abfab:aa@example.com". This might return a SAML assertion issued by an entity named "abfab:idp.example.com". Similarly an authorisation PDP might be resolved using "abfab:pdp@example.com".

Opinions?

Josh.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
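The following is an added worked example of the naming convention proposed in the message above; it is not code from Josh Howlett, from abfab-aaa-saml or from any abfab implementation. It assumes the "abfab:" prefix, the GSS-Acceptor-Host-Name equality rule and the "abfab:<role>@<realm>" NAI form exactly as described in the message, takes the role names "aa", "pdp" and "idp" from the message's examples (the fixed set is an assumption), and adds the hostname normalisation and the cross-layer check that a practitioner would want before trusting an assertion's issuer name.

```python
"""Helpers for binding SAML entity IDs to AAA (RADIUS) names under the
proposed "abfab:" convention.  Added example, not part of the original
message or of any abfab draft.  The role set and the hostname validation
rules are assumptions made for illustration.
"""
import re

PREFIX = "abfab:"
# Well-known user-fragment values for locating a functional role in a realm
# (taken from the examples in the message; treating it as a closed set is an
# assumption).
KNOWN_ROLES = frozenset({"aa", "pdp", "idp"})

# RFC 1123-style hostname: letter/digit/hyphen labels, at least two labels.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize_fqdn(name: str) -> str:
    """Lower-case, strip a trailing dot, reject anything that is not an FQDN.

    Normalising before comparison matters: DNS names are case-insensitive,
    so 'RP.Example.COM' and 'rp.example.com' must bind to the same entity.
    """
    n = name.strip().rstrip(".").lower()
    if not _FQDN_RE.match(n):
        raise ValueError(f"not a valid FQDN: {name!r}")
    return n


def entity_id_from_fqdn(fqdn: str) -> str:
    """SAML entityID for the AAA system with this FQDN, e.g. 'abfab:idp.example.com'."""
    return PREFIX + normalize_fqdn(fqdn)


def fqdn_from_entity_id(entity_id: str) -> str:
    """Inverse mapping; rejects entity IDs that do not follow the convention."""
    if not entity_id.startswith(PREFIX):
        raise ValueError(f"entity ID does not use the {PREFIX!r} convention: {entity_id!r}")
    rest = entity_id[len(PREFIX):]
    if "@" in rest:
        raise ValueError(f"role-locator NAI given where an entity ID was expected: {entity_id!r}")
    return normalize_fqdn(rest)


def entity_matches_acceptor(entity_id: str, gss_acceptor_host_name: str) -> bool:
    """Cross-layer check: the message-level name (less the prefix) must equal
    the transport-level GSS-Acceptor-Host-Name attribute.  Any malformed or
    non-conforming input is treated as a mismatch rather than an error."""
    try:
        return fqdn_from_entity_id(entity_id) == normalize_fqdn(gss_acceptor_host_name)
    except ValueError:
        return False


def role_nai(role: str, realm: str) -> str:
    """NAI used to locate a functional role in a realm, e.g. 'abfab:aa@example.com'."""
    if role not in KNOWN_ROLES:
        raise ValueError(f"unknown role {role!r}")
    return f"{PREFIX}{role}@{normalize_fqdn(realm)}"


def parse_role_nai(nai: str) -> tuple:
    """Split 'abfab:<role>@<realm>' into (role, realm); raises on malformed input.

    rpartition is used so a stray '@' inside the user part cannot shift the
    realm boundary; the role itself must be one of the well-known values.
    """
    user, sep, realm = nai.rpartition("@")
    if not sep or not user.startswith(PREFIX):
        raise ValueError(f"not a role-locator NAI: {nai!r}")
    role = user[len(PREFIX):]
    if role not in KNOWN_ROLES:
        raise ValueError(f"unknown role {role!r} in {nai!r}")
    return role, normalize_fqdn(realm)


if __name__ == "__main__":
    # Constructed sample values; nothing here is taken from a live deployment.
    print(entity_id_from_fqdn("RP.Example.COM."))
    print(entity_matches_acceptor("abfab:rp.example.com", "rp.example.com"))
    print(entity_matches_acceptor("abfab:idp.example.com", "rp.example.com"))
    print(parse_role_nai(role_nai("aa", "example.com")))
```

The point of `entity_matches_acceptor` is the binding the message asks for: an RP that receives an assertion over RADIUS can check, without any extra metadata lookup, that the SAML-level name of the peer is the same host the transport layer authenticated as the acceptor. A SAML entity ID in some other form (an `https://` URL, or a role-locator NAI) is simply not accepted as conforming.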
- [abfab] Naming of SAML and AAA systems Josh Howlett
- Re: [abfab] Naming of SAML and AAA systems David Chadwick
- Re: [abfab] Naming of SAML and AAA systems Jim Schaad
- Re: [abfab] Naming of SAML and AAA systems David Chadwick
- Re: [abfab] Naming of SAML and AAA systems Sam Hartman
- Re: [abfab] Naming of SAML and AAA systems Leif Johansson
- Re: [abfab] Naming of SAML and AAA systems Sam Hartman
- Re: [abfab] Naming of SAML and AAA systems Leif Johansson
- Re: [abfab] Naming of SAML and AAA systems Jim Schaad
- Re: [abfab] Naming of SAML and AAA systems Josh Howlett
- Re: [abfab] Naming of SAML and AAA systems Leif Johansson