[abfab] New text for section 4.3.3 and 4.3.4 of draft-ietf-abfab-aaa-saml
Alejandro Pérez Méndez <alex@um.es> Tue, 28 July 2015 09:22 UTC
To: "abfab@ietf.org" <abfab@ietf.org>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <55B749D0.7070501@um.es>
Date: Tue, 28 Jul 2015 11:22:24 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/iGXAGp95gYjJ0_ZqOif2-aDe0LA>
Subject: [abfab] New text for section 4.3.3 and 4.3.4 of draft-ietf-abfab-aaa-saml
Dear all,

at the end of this email you might find an updated text for sections
"4.3.3 Mapping of AAA names in SAML metadata" and "4.3.4 Example of SAML
metadata including AAA names" of our draft-ietf-abfab-aaa-saml, which I
believe contains the decisions we agreed in the last ABFAB session in
Prague, and in the subsequent discussion on the mailing list.

This updated proposal defines new elements of type xs:string within the
RADIUSIDPDescriptor and RADIUSRPDescriptor elements, to describe AAA
naming. This should remove the need for a general RADIUS URI scheme. Note
that the RADIUSIDPService and RADIUSRPService elements, of type
EndpointType, have been preserved in anticipation of a future use.

Comments, suggestions, etc. are welcome.

Regards,
Alejandro


4.3.3. Mapping of AAA names in SAML metadata

This section defines the extensions to the SAML metadata specification
[OASIS.saml-metadata-2.0-os] that are required in order to represent AAA
names associated to a particular <EntityDescriptor> element.

In SAML metadata, each single entity may act in many different roles in
the support of multiple profiles. This document defines two new roles:
RADIUS IDP and RADIUS RP, requiring the declaration of two new subtypes
of RoleDescriptorType: RADIUSIDPDescriptor and RADIUSRPDescriptor. These
subtypes define the additional elements required to represent AAA names
for IDP and RP entities respectively.

4.3.3.1. <RADIUSIDPDescriptor>

The <RADIUSIDPDescriptor> element extends RoleDescriptorType with
elements common to IdPs that support RADIUS. Its RADIUSIDPDescriptorType
complex type contains the following additional elements:

<RADIUSIDPService> [Zero or More]
   Zero or more elements of type EndpointType that describe RADIUS
   endpoints that are associated to this Entity.

<RADIUSRealm> [Zero or More]
   Zero or more elements of type xs:string that represent the acceptable
   values of the RADIUS realm associated to this Entity, obtained from
   the realm part of the RADIUS User-Name attribute.

The following schema fragment defines the <RADIUSIDPDescriptor> element
and its RADIUSIDPDescriptorType complex type:

   <element name="RADIUSIDPDescriptor" type="md:RADIUSIDPDescriptorType"/>
   <complexType name="RADIUSIDPDescriptorType">
     <complexContent>
       <extension base="md:RoleDescriptorType">
         <sequence>
           <element ref="md:RADIUSIDPService" minOccurs="0" maxOccurs="unbounded"/>
           <element ref="md:RADIUSRealm" minOccurs="0" maxOccurs="unbounded"/>
         </sequence>
       </extension>
     </complexContent>
   </complexType>
   <element name="RADIUSIDPService" type="md:EndpointType"/>
   <element name="RADIUSRealm" type="xs:string"/>

                  Figure 3: RADIUSIDPDescriptor schema

4.3.3.2. <RADIUSRPDescriptor>

The <RADIUSRPDescriptor> element extends RoleDescriptorType with elements
common to RPs that support RADIUS. Its RADIUSRPDescriptorType complex
type contains the following additional elements:

<RADIUSRPService> [Zero or More]
   Zero or more elements of type EndpointType that describe RADIUS
   endpoints that are associated to this Entity.

<RADIUSNasIpAddress> [Zero or More]
   Zero or more elements of type xs:string that represent the acceptable
   values of the RADIUS NAS-IP-Address attribute associated to this
   Entity.

<RADIUSNasIdentifier> [Zero or More]
   Zero or more elements of type xs:string that represent the acceptable
   values of the RADIUS NAS-Identifier attribute associated to this
   Entity.

<RADIUSGssEapName> [Zero or More]
   Zero or more elements of type xs:string that represent the acceptable
   values of the GSS-EAP acceptor name associated to this Entity. The
   format for this name is described in section 3.1 of [RFC7055], while
   section 3.4 describes how that name is decomposed and transported
   using RADIUS attributes.

The following schema fragment defines the <RADIUSRPDescriptor> element
and its RADIUSRPDescriptorType complex type:

   <element name="RADIUSRPDescriptor" type="md:RADIUSRPDescriptorType"/>
   <complexType name="RADIUSRPDescriptorType">
     <complexContent>
       <extension base="md:RoleDescriptorType">
         <sequence>
           <element ref="md:RADIUSRPService" minOccurs="0" maxOccurs="unbounded"/>
           <element ref="md:RADIUSNasIpAddress" minOccurs="0" maxOccurs="unbounded"/>
           <element ref="md:RADIUSNasIdentifier" minOccurs="0" maxOccurs="unbounded"/>
           <element ref="md:RADIUSGssEapName" minOccurs="0" maxOccurs="unbounded"/>
         </sequence>
       </extension>
     </complexContent>
   </complexType>
   <element name="RADIUSRPService" type="md:EndpointType"/>
   <element name="RADIUSNasIpAddress" type="xs:string"/>
   <element name="RADIUSNasIdentifier" type="xs:string"/>
   <element name="RADIUSGssEapName" type="xs:string"/>

                  Figure 4: RADIUSRPDescriptor schema

4.3.4. Example of SAML metadata including AAA names

The following figures illustrate an example of metadata including AAA
names for an IDP and an RP respectively. The IDP's SAML name is
"https://IdentityProvider.com/", whereas its RADIUS realm is "idp.com".
The RP's SAML name is "https://RelyingParty.com/SAML", and its GSS-EAP
acceptor name is "nfs/fileserver.rp.com@RP.COM".

   <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://IdentityProvider.com/SAML">
     <RADIUSIDPDescriptor
         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <RADIUSRealm> idp.com </RADIUSRealm>
     </RADIUSIDPDescriptor>
   </EntityDescriptor>

                      Figure 5: Metadata for the IDP

   <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://RelyingParty.com/SAML">
     <RADIUSRPDescriptor
         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <RADIUSGssEapName> nfs/fileserver.rp.com@RP.COM </RADIUSGssEapName>
     </RADIUSRPDescriptor>
   </EntityDescriptor>

                      Figure 6: Metadata for the RP
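The point of the proposed extensions is that a AAA proxy or SAML-aware RADIUS server can take the names it sees in a RADIUS request (the realm part of User-Name, NAS-IP-Address, NAS-Identifier, the GSS-EAP acceptor name) and tie them back to exactly one <EntityDescriptor>. The following Python is an added example, not code from the draft or from this message: it parses metadata shaped like Figures 5 and 6, builds a lookup table over the elements defined in Figures 3 and 4, and resolves request attributes to an entityID. It refuses ambiguous mappings (one AAA name claimed by two entities) and refuses requests whose attributes disagree about which RP they belong to. All function names, the sample metadata and the extra <RADIUSNasIdentifier> value are the example's own constructions; comparison is exact after trimming whitespace, and any case-folding policy for realms is left to the deployer.

```python
"""Resolve RADIUS request attributes to SAML entityIDs via metadata.

Added example; not part of draft-ietf-abfab-aaa-saml. Element names come
from Figures 3 and 4 of the proposed text, everything else is constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Name-carrying elements per role, as defined by the proposed schema.
IDP_NAME_ELEMENTS = ("RADIUSRealm",)
RP_NAME_ELEMENTS = ("RADIUSNasIpAddress", "RADIUSNasIdentifier", "RADIUSGssEapName")

# Constructed sample metadata modelled on Figures 5 and 6 (the
# RADIUSNasIdentifier value is an addition for the example).
SAMPLE_METADATA = [
    f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://IdentityProvider.com/SAML">
  <RADIUSIDPDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <RADIUSRealm> idp.com </RADIUSRealm>
  </RADIUSIDPDescriptor>
</EntityDescriptor>""",
    f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://RelyingParty.com/SAML">
  <RADIUSRPDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <RADIUSGssEapName> nfs/fileserver.rp.com@RP.COM </RADIUSGssEapName>
    <RADIUSNasIdentifier>fileserver.rp.com</RADIUSNasIdentifier>
  </RADIUSRPDescriptor>
</EntityDescriptor>""",
]


def _q(local):
    """Namespace-qualified tag for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{local}"


def aaa_names(entity_xml):
    """Return {(role, element, value): entityID} for one <EntityDescriptor>.

    Values are whitespace-trimmed: the draft's example writes
    "<RADIUSRealm> idp.com </RADIUSRealm>" with surrounding spaces.
    """
    root = ET.fromstring(entity_xml)
    if root.tag != _q("EntityDescriptor"):
        raise ValueError("not an EntityDescriptor")
    entity_id = root.attrib["entityID"]
    names = {}
    for role, elements in (("RADIUSIDPDescriptor", IDP_NAME_ELEMENTS),
                           ("RADIUSRPDescriptor", RP_NAME_ELEMENTS)):
        for desc in root.findall(_q(role)):
            for element in elements:
                for node in desc.findall(_q(element)):
                    value = (node.text or "").strip()
                    if value:
                        names[(role, element, value)] = entity_id
    return names


def build_index(metadata_docs):
    """Merge several EntityDescriptors into one lookup table.

    An AAA name claimed by two different entities is rejected outright:
    a request carrying it could never be tied to a single entity.
    """
    index = {}
    for doc in metadata_docs:
        for key, entity_id in aaa_names(doc).items():
            if key in index and index[key] != entity_id:
                raise ValueError(f"{key[1]}={key[2]!r} claimed by both "
                                 f"{index[key]} and {entity_id}")
            index[key] = entity_id
    return index


def idp_for_user_name(index, user_name):
    """Map the realm part of a RADIUS User-Name to an IDP entityID, or None."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip()
    return index.get(("RADIUSIDPDescriptor", "RADIUSRealm", realm))


def rp_for_request(index, **attrs):
    """Map RADIUS request attributes (keyed by the draft's element names,
    e.g. RADIUSNasIdentifier="fileserver.rp.com") to an RP entityID.

    Every attribute supplied must resolve to the same entity; any
    disagreement or unknown name yields None instead of trusting whichever
    attribute happened to match.
    """
    matches = set()
    for element, value in attrs.items():
        if element not in RP_NAME_ELEMENTS:
            raise ValueError(f"unknown RP name element {element}")
        matches.add(index.get(("RADIUSRPDescriptor", element, value.strip())))
    if len(matches) != 1 or None in matches:
        return None
    return matches.pop()


if __name__ == "__main__":
    idx = build_index(SAMPLE_METADATA)
    print(idp_for_user_name(idx, "alice@idp.com"))
    print(rp_for_request(idx, RADIUSGssEapName="nfs/fileserver.rp.com@RP.COM",
                         RADIUSNasIdentifier="fileserver.rp.com"))
```

Two design choices worth noting: the index is keyed by role as well as element, so a string that appears as a realm in an IDP descriptor never satisfies an RP lookup; and rp_for_request treats partial agreement as failure, because a NAS-Identifier is a free-form attribute and should not be allowed to override a mismatching acceptor name.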