Re: [Id-event] SAML subject identifier type

Atul Tulshibagwale <atultulshi@google.com> Tue, 14 July 2020 20:26 UTC


Hi Yaron,
There are a few SSE use cases where the events are about a specific single
sign-on session. You're right that this should not be limited to SAML. The
RISC profile of SETs (based on which we are doing the SSE work) had the ID
Token subject identifier type, which for some reason is missing in this
spec (I did not realize until now). The specific events that need to refer
to sessions are:

   - Identity provider context change: The conditions under which a SAML
   assertion or OIDC token was generated are no longer valid. This can be due
   to various things, including a password change.
   - Session property change: A session has been determined to have been
   compromised.
   - Revocation: The issuer of the single sign-on SAML assertion or ID
   Token needs to be revoked.

I can also add the ID Token claim from the RISC profile
<https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt#lines-250>
to my pull request.

Thanks,
Atul


On Tue, Jul 14, 2020 at 12:32 PM Yaron Sheffer <yaronf.ietf@gmail.com>
wrote:

> I need a lot more context here. So far, subject IDs have denoted durable
> entities, such as email addresses, phone numbers, accounts. This is adding a
> subject ID that denotes an ephemeral entity, basically similar to a session
> ID. This looks weird from an architectural point of view, and also begs the
> question, why specifically SAML and not other session types.
>
> Thanks,
>
>                 Yaron
>
> *From: *Id-event <id-event-bounces@ietf.org> on behalf of Atul
> Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
> *Date: *Tuesday, July 14, 2020 at 00:14
> *To: *Chris Phillips <Chris.Phillips@canarie.ca>
> *Cc: *"id-event@ietf.org" <id-event@ietf.org>
> *Subject: *Re: [Id-event] SAML subject identifier type
>
> Just clarifying the proposal as it stands today (before incorporating
> Chris's input):
>
> The following section should be added in the "Subject Identifier Types"
> section:
>
> 4.9.  SAML Subject Identifier Type
>
>    The SAML [SAML.REF] Subject Identifier Type describes a subject by
>    the assertion identifier in the SAML assertion that was used to
>    convey the subject's information to the Receiver.  Subject
>    Identifiers of this type MUST contain an "assertion_id" claim.  The
>    value of this claim is a string that is equal to the Assertion
>    Identifier in the SAML assertion.  The SAML Subject Identifier Type
>    is identified by the name "saml".
>
>    Below is a non-normative example Subject Identifier for the SAML
>    Subject Identifier Type:
>
>    {
>      "subject_type": "saml",
>      "assertion_id": "_f551d88963ab4e3decb7cfe8f4dcc3f5"
>    }
>
>      Figure 8: Example: Subject Identifier for SAML Subject Identifier Type.
>
> On Mon, Jul 13, 2020 at 1:22 PM Atul Tulshibagwale <atultulshi@google.com>
> wrote:
>
> Hi Chris,
>
> I was proposing using the "assertion id" (SAML Core
> <http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf>
> spec, line 553) in the proposal, not the "subject-id" as defined in SAML
> (spec section 3.3). The main reason was to be able to refer to a session
> that was established using a specific assertion. If it's useful, we could
> perhaps extend the SAML subject identifier type in this spec to include
> either the assertion_id or the subject_id claim.
>
> Thanks,
>
> Atul
>
> On Mon, Jul 13, 2020 at 10:30 AM Chris Phillips <Chris.Phillips@canarie.ca>
> wrote:
>
> Hi.
>
> Quiet lurker observing..
>
> Thanks for considering the SAML elements.
>
> Atul, are you referring to the actual session identifier that someone may
> have where the Subject-Id was exchanged OR the actual Subject-id itself in
> your reference in the proposal with the github link?
>
> I’m trying to square what I see on the git delta on line 294-296 in
> https://github.com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994
>
> And a Subject-id as shown in the example in 3.3.3 here:
> https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097229
>
> What you offered in the example is not a Subject-id per the OASIS SAML
> spec as written in section 3.3.1
>
> Am I misinterpreting something?
>
> C
>
> *From: *Id-event <id-event-bounces@ietf.org> on behalf of Atul
> Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
> *Date: *Monday, July 13, 2020 at 12:17 PM
> *To: *"id-event@ietf.org" <id-event@ietf.org>
> *Subject: *[Id-event] SAML subject identifier type
>
> Hi all,
>
> Based on the discussions in the SSE working group within the OpenID
> Foundation, we would like to propose that the subject identifier
> specification include a SAML subject identifier type. This is so that
> sessions established across peers using SAML may be identified in events
> that include the subject identifier.
>
> A SAML subject identifier has only one claim within it, the assertion id
> of the SAML assertion used to establish the single sign-on session.
>
> This change is also included in my proposal here
> <https://github.com/richanna/secevent/pull/1>.
>
> Thanks,
>
> Atul
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
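Added example, not code from the thread, the subject identifiers draft or the RISC profile: a Python sketch of how a SAML service provider acting as an SSE receiver could consume a revocation SET that names the affected session by the proposed "saml"/assertion_id identifier, which is what ties Atul's "Revocation" event to Chris's question about the assertion ID versus a SAML Subject-Id. The event type URI, the session store layout and the sample SET payload are constructed here, and the ASCII NCName check on the assertion ID is an assumption about xs:ID, not something the proposal states.

```python
import re

# xs:ID is an NCName; this ASCII-only pattern is a deliberately strict
# approximation and an assumption of this example, not of the proposal.
NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")
# Placeholder event type URI (constructed here, not a registered identifier).
REVOCATION_EVENT = "https://example.invalid/events/sso-revocation"


def validate_saml_sub_id(sub_id):
    """Return the assertion id if sub_id is a well-formed "saml" subject identifier.
    The proposal gives this type exactly one claim, assertion_id; anything else is
    rejected so the receiver never acts on an ambiguous subject."""
    if sub_id.get("subject_type") != "saml":
        raise ValueError("unsupported subject_type: %r" % sub_id.get("subject_type"))
    extra = set(sub_id) - {"subject_type", "assertion_id"}
    if extra:
        raise ValueError("unexpected claims in subject identifier: %s" % sorted(extra))
    aid = sub_id.get("assertion_id")
    if not isinstance(aid, str) or not NCNAME_ASCII.match(aid):
        raise ValueError("assertion_id must be a non-empty xs:ID string")
    return aid


def handle_revocation(payload, expected_issuer, sessions):
    """Apply a decoded, signature-verified SET payload to the SP's session store.
    `sessions` maps the SAML assertion ID consumed at login to the local session
    record (an assumed store layout). Returns the revoked local session id, or
    None when the SET is not a revocation or names an unknown assertion."""
    if payload.get("iss") != expected_issuer:
        raise ValueError("SET issuer does not match the configured IdP")
    if REVOCATION_EVENT not in payload.get("events", {}):
        return None
    assertion_id = validate_saml_sub_id(payload.get("sub_id", {}))
    session = sessions.get(assertion_id)
    if session is None:
        return None  # unknown or already expired assertion: nothing to revoke
    session["revoked"] = True
    return session["session_id"]


# Constructed sample: the SP's store after one SAML login, and a revocation SET.
SESSIONS = {"_f551d88963ab4e3decb7cfe8f4dcc3f5": {"session_id": "sess-42", "revoked": False}}
SAMPLE_SET = {
    "iss": "https://idp.example.invalid", "jti": "set-0001", "iat": 1594758395,
    "sub_id": {"subject_type": "saml", "assertion_id": "_f551d88963ab4e3decb7cfe8f4dcc3f5"},
    "events": {REVOCATION_EVENT: {}},
}
```

Signature verification of the SET and the lookup of the IdP's keys happen before this code runs; here the payload is assumed already verified.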