IETF Logo Mail Archive

Re: [Id-event] SAML subject identifier type

Atul Tulshibagwale <atultulshi@google.com> Tue, 14 July 2020 23:31 UTC

Return-Path: <atultulshi@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D13DF3A0657 for <id-event@ietfa.amsl.com>; Tue, 14 Jul 2020 16:31:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.588
X-Spam-Level:
X-Spam-Status: No, score=-17.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pFOHcBuACXhX for <id-event@ietfa.amsl.com>; Tue, 14 Jul 2020 16:31:07 -0700 (PDT)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 551953A0745 for <id-event@ietf.org>; Tue, 14 Jul 2020 16:31:07 -0700 (PDT)
Received: by mail-yb1-xb34.google.com with SMTP id l19so259842ybl.1 for <id-event@ietf.org>; Tue, 14 Jul 2020 16:31:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=66iF+/hc0Q9qj4JiVgCrbHHqh/Jt1rZh2JRZVKrrxw4=; b=sTDSQJQR8Gd3IF7F2zWojjoqFhfus6eu0kDvsW1PCW7p7VDUEffqgmSFgQqT1uKjTM tsqQTCcLkM2Hv38U9TJtFw9wzyCU05wzoqSHi3M1XP+9w3XdFIZ4xv2zSdvj9KTki0wC 7WfXG78ufIIFryJRced77Mf/W6zthLlM5txBka7G+hcI++jhpiW8n/Ue4sRIkbzSj+kq R1bPO0paNd+2CuateBJx2632ypbzxu09MaOksHocDNIcT4eOinEM5FnOWPnAIw2dSdgC roU8zJokbce8YpWmkVLk1x+ySnga/tP1nyuHbcRV3u4m0oNaU4KKzFPq+LKcWyJyJzM/ E1Rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=66iF+/hc0Q9qj4JiVgCrbHHqh/Jt1rZh2JRZVKrrxw4=; b=ZwPs881hbefiHYwiCYPe1yusIC3++mKZV8zAvPRJLtAoDQYT1vpLG6rMYi/DYAKai4 5C7gzdfJdrR8vM6Tso0f2bjahehH7s6AIvk6lB1KfMwJRPr2KEdti3O0Wv/ajnJTvwb3 AldMx3VR8dIa3k5Z8IIeAjCQYWsdELklfBhlyTxIcXJg+dn7mnqKBoFyMAx0e5o2LRrr eD4Q/7iMmQTpOoxN6VxWOmpbTCiNgmeSdSoFJB9Q7OLrIJP8IvXKLoA50u10nNoYvXEh 6nUh0GtntP3lQnWFX8e9PHu+1EbAC5pKtnf60K4dLVVCAGiBVcr7C7BUD11ER5GHpPdD D/RA==
X-Gm-Message-State: AOAM530m2goGDV8pFkih0RpxNZndcnxA8L2gVI7M8kgpptwRFe6TtORe tWxGiX19JtdlGQAeMB40jrvDOj4LovA034j4fYcHEg==
X-Google-Smtp-Source: ABdhPJyW17I4mXGEG8P2zhAq2f+pP5gdfeEE/YXuLrJ8H0fbYzioITaXE7riW/xE4ktLNXYgdLhiq/4gSE5cIk22heQ=
X-Received: by 2002:a25:b90e:: with SMTP id x14mr12596277ybj.8.1594769466120; Tue, 14 Jul 2020 16:31:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAMCkG5thP1JnyBn5qAK0TLqBoa-y53Qnoq=mf-NPLfzSF2U7VQ@mail.gmail.com> <5B3455F1-9F82-40C5-BE22-2E3B715A0CF1@canarie.ca> <CAMCkG5uSQzTGCmFn6DLeXVbA0B0wrcPou8CEjtCQ5BCp3M+eOw@mail.gmail.com> <CAMCkG5uff+WwMRLDr+Lph-TagtwL5jWORg5ruvWLOxkNBM2s0A@mail.gmail.com> <E7D14134-0210-4515-ACA3-2AB5CDDCBF34@gmail.com> <CAMCkG5t+7z7OOLdsD77zj_eM7eYf2wOTGTV9tg5S01FXgcHC0w@mail.gmail.com> <8B77A27C-D5B3-477A-BD0D-8B3D3B818BB0@gmail.com> <CA+k3eCQ+f78Ct59D45SyQ8MnCLbpf6665h48MKpyvBaAA-ezZg@mail.gmail.com>
In-Reply-To: <CA+k3eCQ+f78Ct59D45SyQ8MnCLbpf6665h48MKpyvBaAA-ezZg@mail.gmail.com>
From: Atul Tulshibagwale <atultulshi@google.com>
Date: Tue, 14 Jul 2020 16:30:54 -0700
Message-ID: <CAMCkG5ssFt2Dy-pbuuEch7KkBu+goNhSbfepx6dVxrUKChBRBw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, Chris Phillips <Chris.Phillips@canarie.ca>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000087442c05aa6f335a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/8v9NfmU_m1LeqdFGAe6UF4Iqw3I>
Subject: Re: [Id-event] SAML subject identifier type
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 23:31:10 -0000

IMO if we have a common enough use-case that requires a specific type to be
defined, then we should define that type in the spec rather than rely on an
interpretation of the "iss-sub" type, since that interpretation can cause
incompatibilities.

In this specific case however I feel that the use cases outlined in my
previous email can be achieved (with limitations) using the durable subject
types such as email. I'd like the members of the SSE working group to chime
in (since that is where this got added), or we can drop the SAML subject
identifier type.

On Tue, Jul 14, 2020 at 4:09 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> + 1 to what Yaron is saying here. I'd include also the "iss-sub" subject
> identifier type
> https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-05#section-3.4
> as already having semantics covering what's described in the ID Token
> Claims Subject Identifier Type in the RISC document referenced. And all
> those things represent a durable subject rather than a session, which
> strikes me as appropriate for a document that describes identifying
> subjects. A SAML assertion ID, however, which is an identifier of an XML
> document that is only indirectly related to a session by an association
> that likely isn't maintained, does not seem appropriate as a "subject
> identifier".
>
> On Tue, Jul 14, 2020 at 4:01 PM Yaron Sheffer <yaronf.ietf@gmail.com>
> wrote:
>
>> Hi Atul,
>>
>>
>>
>> The ID Token subject type, as described in the document you are
>> referencing, does not add any semantics, compared to a “phone number” or
>> “email” subject type. So I don’t see the value in adding it.
>>
>>
>>
>> In addition, it does not, actually, describe an ID Token. In fact the
>> text is very clear that it describes a “subject” (a durable entity) rather
>> than a session, and does it by citing various claims included in the ID
>> token. So as a subject identifier type, it is not at all equivalent to a
>> SAML assertion.
>>
>>
>>
>> As to the SAML Assertion subject type, I think these use cases could be
>> addressed by adding information to the event.
>>
>>
>>
>> Thanks,
>>
>>                 Yaron
>>
>>
>>
>> *From: *Atul Tulshibagwale <atultulshi@google.com>
>> *Date: *Tuesday, July 14, 2020 at 23:26
>> *To: *Yaron Sheffer <yaronf.ietf@gmail.com>
>> *Cc: *Chris Phillips <Chris.Phillips@canarie.ca>, "id-event@ietf.org" <
>> id-event@ietf.org>
>> *Subject: *Re: [Id-event] SAML subject identifier type
>>
>>
>>
>> Hi Yaron,
>>
>> There are a few SSE use cases where the events are about a specific
>> single sign-on session. You're right that this should not be limited to
>> SAML. The RISC profile of SETs (based on which we are doing the SSE work)
>> had the ID Token subject identifier type, which for some reason is missing
>> in this spec (I did not realize until now). The specific events that need
>> to refer to sessions are:
>>
>>    - Identity provider context change: The conditions under which a SAML
>>    assertion or OIDC token was generated are no longer valid. This can be due
>>    to various things, including a password change.
>>    - Session property change: A session has been determined to have been
>>    compromised
>>    - Revocation: The issuer of the single sign-on SAML assertion or ID
>>    Token needs to be revoke
>>
>> I can also add the ID Token claim from the RISC profile
>> <https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt#lines-250>
>> to my pull request.
>>
>>
>>
>> Thanks,
>>
>> Atul
>>
>>
>>
>>
>>
>> On Tue, Jul 14, 2020 at 12:32 PM Yaron Sheffer <yaronf.ietf@gmail.com>
>> wrote:
>>
>> I need a lot more context here. So far, subject IDs have denoted durable
>> entities, such as email addresses, phone numbers, account. This is adding a
>> subject ID that denotes an ephemeral entity, basically similar to a session
>> ID. This looks weird from an architectural point of view, and also begs the
>> question, why specifically SAML and not other session types.
>>
>>
>>
>> Thanks,
>>
>>                 Yaron
>>
>>
>>
>> *From: *Id-event <id-event-bounces@ietf.org> on behalf of Atul
>> Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
>> *Date: *Tuesday, July 14, 2020 at 00:14
>> *To: *Chris Phillips <Chris.Phillips@canarie.ca>
>> *Cc: *"id-event@ietf.org" <id-event@ietf.org>
>> *Subject: *Re: [Id-event] SAML subject identifier type
>>
>>
>>
>> Just clarifying the proposal as it stands today (before incorporating
>> Chris's input):
>>
>> The following section should be added in the "Subject Identifier Types"
>> section:
>>
>> 4.9.  SAML Subject Identifier Type
>>
>>    The SAML [SAML.REF] Subject Identifier Type describes a subject by
>>    the assertion identifier in the SAML assertion that was used to
>>    convey the subject's information to the Receiver.  Subject
>>    Identifiers of this type MUST contain an ` assertion_id"claim.  The
>>    value of this claim is a string that is equal to the Assertion
>>    Identifier in the SAML assertion.  The SAML Subject Identifier Type
>>    is identified by the name "saml`.
>>
>>    Below is a non-normative example Subject Identifier for the SAML
>>    Subject Identifier Type:
>>
>>    {
>>      "subject_type": "saml",
>>      "assertion_id": "_f551d88963ab4e3decb7cfe8f4dcc3f5",
>>    }
>>
>>      Figure 8: Example: Subject Identifier for SAML Subject Identifier
>>                                    Type.
>>
>>
>>
>>
>>
>> On Mon, Jul 13, 2020 at 1:22 PM Atul Tulshibagwale <atultulshi@google.com>
>> wrote:
>>
>> Hi Chris,
>>
>> I was proposing using the "assertion id" (SAML Core
>> <http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf>
>> spec, line 553) in the proposal, not the "subject-id" as defined in SAML
>> (spec section 3.3). The main reason was to be able to refer to a session
>> that was established using a specific assertion. If it's useful, we could
>> perhaps extend the SAML subject identifier type in this spec to include
>> either the assertion_id or the subject_id claim.
>>
>>
>>
>> Thanks,
>>
>> Atul
>>
>>
>>
>>
>>
>> On Mon, Jul 13, 2020 at 10:30 AM Chris Phillips <
>> Chris.Phillips@canarie.ca> wrote:
>>
>> Hi.
>>
>> Quiet lurker observing..
>>
>> Thanks for consider the SAML elements..
>>
>>
>>
>> Atul, are you referring to the actual session identifier that someone may
>> have where the Subject-Id was exchanged OR the actual Subject-id itself in
>> your reference in the proposal with the github link?
>>
>>
>>
>> I’m trying to square what I see on the git delta on line 294-296 in
>> https://github..com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994
>> <https://github.com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994>
>>
>>
>>
>>
>>
>> And a Subject-id as shown in the example in 3.3.3 here:
>> https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097229
>> <https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1..0-cs01..html#_Toc536097229>
>>
>>
>>
>> What you offered in the example is not a Subject-id  per the OASIS SAML
>> spec as written in section 3.3.1
>>
>>
>>
>> Am I mis-interpreting something?
>>
>>
>>
>> C
>>
>>
>>
>>
>>
>> *From: *Id-event <id-event-bounces@ietf.org> on behalf of Atul
>> Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
>> *Date: *Monday, July 13, 2020 at 12:17 PM
>> *To: *"id-event@ietf.org" <id-event@ietf.org>
>> *Subject: *[Id-event] SAML subject identifier type
>>
>>
>>
>> Hi all,
>>
>> Based on the discussions in the SSE working group within the OpenID
>> Foundation, we would like to propose that the subject identifier
>> specification include a SAML subject identifier type. This is so that
>> sessions established across peers using SAML may be identified in events
>> that include the subject identifier.
>>
>>
>>
>>  A SAML subject identifier has only one claim within it, the assertion id
>> of the SAML assertion used to establish the single sign-on session.
>>
>>
>>
>> This change is also included in my proposal here
>> <https://github.com/richanna/secevent/pull/1>.
>>
>>
>>
>> Thanks,
>>
>> Atul
>>
>>
>>
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
>>
>> _______________________________________________ Id-event mailing list
>> Id-event@ietf.org https://www.ietf.org/mailman/listinfo/id-event
>>
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*

v2.23.0 | Report a Bug | By Email