Re: [Id-event] SAML subject identifier type

Chris Phillips <Chris.Phillips@canarie.ca> Mon, 13 July 2020 17:30 UTC

From: Chris Phillips <Chris.Phillips@canarie.ca>
To: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Thread-Topic: [Id-event] SAML subject identifier type
Date: Mon, 13 Jul 2020 17:29:51 +0000
Message-ID: <5B3455F1-9F82-40C5-BE22-2E3B715A0CF1@canarie.ca>
References: <CAMCkG5thP1JnyBn5qAK0TLqBoa-y53Qnoq=mf-NPLfzSF2U7VQ@mail.gmail.com>
In-Reply-To: <CAMCkG5thP1JnyBn5qAK0TLqBoa-y53Qnoq=mf-NPLfzSF2U7VQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/CqeOPZlSyqAnJjK4IDvxdBMK38I>
Subject: Re: [Id-event] SAML subject identifier type
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>

Hi.

Quiet lurker observing...

Thanks for considering the SAML elements...

Atul, are you referring to the actual session identifier that someone may have where the Subject-Id was exchanged, OR the actual Subject-id itself, in your reference in the proposal with the GitHub link?

I’m trying to square what I see on the git delta on lines 294-296 in https://github.com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994

And a Subject-id as shown in the example in 3.3.3 here: https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097229

What you offered in the example is not a Subject-id per the OASIS SAML spec as written in section 3.3.1.

Am I mis-interpreting something?

C


From: Id-event <id-event-bounces@ietf.org> on behalf of Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
Date: Monday, July 13, 2020 at 12:17 PM
To: "id-event@ietf.org" <id-event@ietf.org>
Subject: [Id-event] SAML subject identifier type

Hi all,

Based on the discussions in the SSE working group within the OpenID Foundation, we would like to propose that the subject identifier specification include a SAML subject identifier type. This is so that sessions established across peers using SAML may be identified in events that include the subject identifier.

A SAML subject identifier has only one claim within it, the assertion id of the SAML assertion used to establish the single sign-on session.

This change is also included in my proposal here.

Thanks,

Atul