[abfab] New text for section 4.3.3 and 4.3.4 of draft-ietf-abfab-aaa-saml

Alejandro Pérez Méndez <alex@um.es> Tue, 28 July 2015 09:22 UTC

To: "abfab@ietf.org" <abfab@ietf.org>
From: Alejandro Pérez Méndez <alex@um.es>
Message-ID: <55B749D0.7070501@um.es>
Date: Tue, 28 Jul 2015 11:22:24 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/iGXAGp95gYjJ0_ZqOif2-aDe0LA>
Subject: [abfab] New text for section 4.3.3 and 4.3.4 of draft-ietf-abfab-aaa-saml

Dear all,

at the end of this email you might find an updated text for sections 
"4.3.3 Mapping of AAA names in SAML metadata" and "4.3.4 Example of SAML 
metadata including AAA names" of our draft-ietf-abfab-aaa-saml, which I 
believe contains the decisions we agreed in the last ABFAB session in 
Prague, and in the subsequent discussion on the mailing list.

This updated proposal defines new elements of type xs:string within the 
RADIUSIDPDescriptor and RADIUSRPDescriptor elements, to describe AAA 
naming. This should remove the need for a general RADIUS URI scheme. 
Note that the RADIUSIDPService and RADIUSRPService elements, of type 
EndpointType, have been preserved in anticipation of a future use.

Comments, suggestions, etc. are welcome.

Regards,
Alejandro


4.3.3.  Mapping of AAA names in SAML metadata

    This section defines the extensions to the SAML metadata
    specification [OASIS.saml-metadata-2.0-os] that are required in order
    to represent AAA names associated with a particular <EntityDescriptor>
    element.

    In SAML metadata, each single entity may act in many different roles
    in the support of multiple profiles.  This document defines two new
    roles: RADIUS IDP and RADIUS RP, requiring the declaration of two new
    subtypes of RoleDescriptorType: RADIUSIDPDescriptor and
    RADIUSRPDescriptor.  These subtypes define the additional elements
    required to represent AAA names for IDP and RP entities respectively.

4.3.3.1.  <RADIUSIDPDescriptor>

    The <RADIUSIDPDescriptor> element extends RoleDescriptorType with
    elements common to IdPs that support RADIUS.  Its
    RADIUSIDPDescriptorType complex type contains the following
    additional elements:

    <RADIUSIDPService> [Zero or More]  Zero or more elements of type
       EndpointType that describe RADIUS endpoints associated with this
       Entity.

    <RADIUSRealm> [Zero or More]  Zero or more elements of type xs:string
       that represent the acceptable values of the RADIUS realm
       associated with this Entity, obtained from the realm part of the
       RADIUS User-Name attribute.

    The following schema fragment defines the <RADIUSIDPDescriptor>
    element and its RADIUSIDPDescriptorType complex type:

       <element name="RADIUSIDPDescriptor"
                type="md:RADIUSIDPDescriptorType"/>
       <complexType name="RADIUSIDPDescriptorType">
           <complexContent>
               <extension base="md:RoleDescriptorType">
                   <sequence>
                       <element ref="md:RADIUSIDPService"
                                minOccurs="0" maxOccurs="unbounded"/>
                       <element ref="md:RADIUSRealm"
                                minOccurs="0" maxOccurs="unbounded"/>
                   </sequence>
               </extension>
           </complexContent>
       </complexType>
       <element name="RADIUSIDPService" type="md:EndpointType"/>
       <element name="RADIUSRealm" type="xs:string"/>

                    Figure 3: RADIUSIDPDescriptor schema

4.3.3.2.  <RADIUSRPDescriptor>

    The <RADIUSRPDescriptor> element extends RoleDescriptorType with
    elements common to RPs that support RADIUS.  Its
    RADIUSRPDescriptorType complex type contains the following additional
    elements:

    <RADIUSRPService> [Zero or More]  Zero or more elements of type
       EndpointType that describe RADIUS endpoints associated with this
       Entity.

    <RADIUSNasIpAddress> [Zero or More]  Zero or more elements of type
       xs:string that represent the acceptable values of the RADIUS NAS-
       IP-Address attribute associated with this Entity.

    <RADIUSNasIdentifier> [Zero or More]  Zero or more elements of type
       xs:string that represent the acceptable values of the RADIUS NAS-
       Identifier attribute associated with this Entity.

    <RADIUSGssEapName> [Zero or More]  Zero or more elements of type
       xs:string that represent the acceptable values of the GSS-EAP
       acceptor name associated with this Entity.  The format of this name
       is described in section 3.1 of [RFC7055], while section 3.4
       describes how that name is decomposed and transported using RADIUS
       attributes.

    The following schema fragment defines the <RADIUSRPDescriptor>
    element and its RADIUSRPDescriptorType complex type:

       <element name="RADIUSRPDescriptor"
                type="md:RADIUSRPDescriptorType"/>
       <complexType name="RADIUSRPDescriptorType">
           <complexContent>
               <extension base="md:RoleDescriptorType">
                   <sequence>
                       <element ref="md:RADIUSRPService"
                                minOccurs="0" maxOccurs="unbounded"/>
                       <element ref="md:RADIUSNasIpAddress"
                                minOccurs="0" maxOccurs="unbounded"/>
                       <element ref="md:RADIUSNasIdentifier"
                                minOccurs="0" maxOccurs="unbounded"/>
                       <element ref="md:RADIUSGssEapName"
                                minOccurs="0" maxOccurs="unbounded"/>
                   </sequence>
               </extension>
           </complexContent>
       </complexType>
       <element name="RADIUSRPService" type="md:EndpointType"/>
       <element name="RADIUSNasIpAddress" type="xs:string"/>
       <element name="RADIUSNasIdentifier" type="xs:string"/>
       <element name="RADIUSGssEapName" type="xs:string"/>

                     Figure 4: RADIUSRPDescriptor schema

4.3.4.  Example of SAML metadata including AAA names

    The following figures illustrate an example of metadata including AAA
    names for an IDP and an RP respectively.  The IDP's SAML name is
    "https://IdentityProvider.com/", whereas its RADIUS realm is
    "idp.com".  The RP's SAML name is "https://RelyingParty.com/SAML",
    and its GSS-EAP acceptor name is "nfs/fileserver.rp.com@RP.COM".

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                        entityID="https://IdentityProvider.com/SAML">
          <RADIUSIDPDescriptor
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <RADIUSRealm>
                  idp.com
              </RADIUSRealm>
          </RADIUSIDPDescriptor>
      </EntityDescriptor>

                       Figure 5: Metadata for the IDP

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                        entityID="https://RelyingParty.com/SAML">
          <RADIUSRPDescriptor
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <RADIUSGssEapName>
                  nfs/fileserver.rp.com@RP.COM
              </RADIUSGssEapName>
          </RADIUSRPDescriptor>
      </EntityDescriptor>

                        Figure 6: Metadata for the RP
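As an added illustration of how a consumer would use the elements defined in 4.3.3 and the metadata shown in 4.3.4 (example code, not part of the draft or of any ABFAB implementation), the following builds a lookup table from the RADIUS role descriptors and resolves a RADIUS User-Name realm to an IDP entityID and NAS-IP-Address / NAS-Identifier / GSS-EAP acceptor name values to an RP entityID. The sample metadata is constructed here; it adds a RADIUSNasIdentifier to the RP that the figures do not have, and it keeps the whitespace around the realm exactly as Figure 5 prints it, since xs:string preserves it and a consumer must strip it before comparing. A name claimed by two different entities is rejected rather than silently overwritten.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample modelled on Figures 5 and 6 (realm keeps Figure 5's whitespace).
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://IdentityProvider.com/SAML">
    <RADIUSIDPDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <RADIUSRealm>
          idp.com
      </RADIUSRealm>
    </RADIUSIDPDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://RelyingParty.com/SAML">
    <RADIUSRPDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <RADIUSNasIdentifier>fileserver.rp.com</RADIUSNasIdentifier>
      <RADIUSGssEapName>nfs/fileserver.rp.com@RP.COM</RADIUSGssEapName>
    </RADIUSRPDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# role descriptor -> {AAA name element defined in 4.3.3: lookup kind}
NAME_ELEMENTS = {
    "RADIUSIDPDescriptor": {"RADIUSRealm": "realm"},
    "RADIUSRPDescriptor": {"RADIUSNasIpAddress": "nas-ip",
                           "RADIUSNasIdentifier": "nas-id",
                           "RADIUSGssEapName": "gss-eap"}}

def load_aaa_names(xml_text):
    """Return {(kind, value): entityID}; rejects a name claimed by two entities."""
    table = {}
    for entity in ET.fromstring(xml_text).iter(MD + "EntityDescriptor"):
        for role, elements in NAME_ELEMENTS.items():
            for desc in entity.findall(MD + role):
                for tag, kind in elements.items():
                    for el in desc.findall(MD + tag):
                        # xs:string keeps the newlines and indentation, so strip them
                        key = (kind, (el.text or "").strip())
                        if table.setdefault(key, entity.get("entityID")) != entity.get("entityID"):
                            raise ValueError("AAA name %r claimed by two entities" % (key,))
    return table

def idp_for_user_name(table, user_name):
    """Realm part of a RADIUS User-Name (after the last '@') -> IDP entityID."""
    return table.get(("realm", user_name.rsplit("@", 1)[1])) if "@" in user_name else None

def rp_for_request(table, nas_ip=None, nas_id=None, gss_eap_name=None):
    """RADIUS request attributes -> RP entityID; None if unknown or ambiguous."""
    hits = {table[k] for k in (("nas-ip", nas_ip), ("nas-id", nas_id),
                               ("gss-eap", gss_eap_name)) if k in table}
    return hits.pop() if len(hits) == 1 else None
```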