Re: [abfab] Direction Forward for aaa-saml

"Cantor, Scott" <cantor.2@osu.edu> Wed, 22 July 2015 14:25 UTC

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Sam Hartman <hartmans@painless-security.com>, Leif Johansson <leifj@mnt.se>
Date: Wed, 22 Jul 2015 14:25:03 +0000
Message-ID: <0A08B89E-5533-4E34-9014-97C0D7877B6E@osu.edu>
References: <tslwpxsy0ql.fsf@mit.edu> <8E4E5965-0E43-4ABD-8853-8A6C7C6926C5@mnt.se> <tsloaj4xzvr.fsf@mit.edu> <0B96365A-4F6B-427A-9A87-70F069473F84@mnt.se> <tsl7fpsxrve.fsf@mit.edu>
In-Reply-To: <tsl7fpsxrve.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/sjXvTWzyIm0HUezdDVNj0R11f88>
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Direction Forward for aaa-saml

On 7/22/15, 9:07 AM, "abfab on behalf of Sam Hartman" <abfab-bounces@ietf.org on behalf of hartmans@painless-security.com> wrote:


>
>I think you'd need to:
>
>1) Explain how I figure out which entity I'm using for my RADIUS server

If by "entity" you mean a SAML metadata entity, you have to do that regardless of whether you do anything with metadata; that's the basis of the design. You don't necessarily have to be able to map directly from a PDU to an entity via an explicit "issuer" notion in a protocol, but it sure helps.

>Consider this especially in a case where you're retrieving metadata
>dynamically rather than just having all the metadata in the world.

That's orthogonal to any use of SAML metadata. How you get it (and verify it) is architecturally distinct from what it means and how it's used.

-- Scott
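An added illustration of the separation drawn above, not code from this thread or from any ABFAB implementation: the retrieval/verification layer (a constructed digest pin standing in for XML signature checking) is kept apart from entity lookup and use, and the lookup keyed by entityID is the same whether the metadata arrived as one bulk aggregate or was fetched for a single entity. All entity IDs, roles and the `fetch` callable are constructed assumptions.

```python
# Added example (not from the thread): a SAML metadata consumer that keeps
# "how you get and verify metadata" apart from "what it means / how it is used".
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed aggregate, as a deployment holding "all the metadata" would load it.
AGGREGATE = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://radius.example.org/rp">
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed trust anchor: a real consumer verifies the XML signature on the document;
# a digest pin stands in for that step so the example runs offline.
TRUSTED_DIGESTS = {hashlib.sha256(AGGREGATE).hexdigest()}

def is_trusted(doc: bytes) -> bool:
    return hashlib.sha256(doc).hexdigest() in TRUSTED_DIGESTS

def verify(doc: bytes) -> bytes:
    """Retrieval/verification layer: nothing unverified reaches the parser."""
    if not is_trusted(doc):
        raise ValueError("metadata failed verification")
    return doc

def load_all(doc: bytes) -> dict:
    """Bulk loading: index every EntityDescriptor by its entityID."""
    root = ET.fromstring(verify(doc))
    return {e.get("entityID"): e for e in root.iterfind("md:EntityDescriptor", NS)}

def load_one(entity_id: str, fetch) -> dict:
    """Dynamic lookup: fetch metadata for one entity on demand (fetch is a hypothetical
    resolver callable); the result has the same shape as the bulk index."""
    root = ET.fromstring(verify(fetch(entity_id)))
    wanted = [e for e in root.iter(f"{{{MD}}}EntityDescriptor") if e.get("entityID") == entity_id]
    return {entity_id: wanted[0]} if wanted else {}

def roles_for(entity_id: str, index: dict) -> list:
    """Use layer: what the entity means, independent of how its metadata arrived."""
    desc = index.get(entity_id)
    if desc is None:
        return []
    return [c.tag.split("}")[1] for c in desc if c.tag.endswith("Descriptor")]
```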