IETF Logo Mail Archive

Re: [Id-event] SAML subject identifier type

Mike Jones <Michael.Jones@microsoft.com> Wed, 15 July 2020 22:20 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDD903A0F4D for <id-event@ietfa.amsl.com>; Wed, 15 Jul 2020 15:20:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.09
X-Spam-Level:
X-Spam-Status: No, score=-2.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6YudDOt4d69L for <id-event@ietfa.amsl.com>; Wed, 15 Jul 2020 15:20:48 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640110.outbound.protection.outlook.com [40.107.64.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66E043A0EF4 for <id-event@ietf.org>; Wed, 15 Jul 2020 15:20:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LXDdzo1gbtL0QMP5wAkxz75489IGLx5vEfq/MXa/cgwQIE3ZNURMd6OfWHrjLUEtwnF2deJkUrRmgQ5Jb6x1lTn3gkZ9lCZowFqEBMiJ1HU2QJ1aKGglA5luIujuK09b+nYj1LicZWKqvIMaTiuY7C5FM/aL4lCaR6qpSJY+E+FBjMBgB6vAR4ZVzUdTE87KTlMeih4qgCZBo2NmQ78yObyiCy0449Aa4CAs1wRLLRkH87Z5xdMDgAIKcd3+KbBihJyvfZfX71N5GXtaY1MuDtNZjeGHTiNsq9FEAjN21jk6ffF4PrOn799rGSLAdEaBv3/N0haxGiKOJLv6shrbyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pUKkkLU3pA8YtElyhu6wIZ3ucrLFrVSzimOyZ8bO4vU=; b=doJiSZuuZPVwaAMp96k8ASj5F2KvvyYMdwbF/vlS3SSfWImS9ppyt5W5iYytXjBmsc7t9QLFVHQplZRn53JsRZmON8PRO/EVygI96Gb103Jqy19ZdphjMJI9IOMbBAfkNapiOYFX5uhUY5JGW30xrdxzotmBRrBnP5EzHGkj/NVHhxrcKtO0DazOfIaIPYgH62GlNLiD5KaWwveKwO0Ds+P64YS7knL5BcArmUYpGbaQZdlY842zfrxRXePFYtQ5lLjXr+75PwnPiIlotSbdo44wQTgJ56DuhHzSEQPWuGrLHMatNTigk123aNpatt5Xi28OEzSC35QQbO+wdnPC0w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pUKkkLU3pA8YtElyhu6wIZ3ucrLFrVSzimOyZ8bO4vU=; b=VI29meihVsf16xEm1VT/Y1RvaZ/BxTgL/f0mwD/ahpjLRDKAtYVSyOVn5slrhwx84w0rwuxRWJSmOKHcE/dXBTiPwTNbQqfFB/OtD6oUT9UbZHQvLxhh5TBhdMsmyRoOGM8HXD6jwvA73IZ7Fb1SxFZ8HGpqS+LVD1UalLq3Iy4=
Received: from MN2PR00MB0686.namprd00.prod.outlook.com (2603:10b6:208:15f::13) by MN2PR00MB0640.namprd00.prod.outlook.com (2603:10b6:208:3a::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3235.0; Wed, 15 Jul 2020 22:20:45 +0000
Received: from MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::2886:ee14:6806:ec4]) by MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::2886:ee14:6806:ec4%4]) with mapi id 15.20.3237.000; Wed, 15 Jul 2020 22:20:45 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
CC: Yaron Sheffer <yaronf.ietf@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>, Chris Phillips <Chris.Phillips@canarie.ca>, "id-event@ietf.org" <id-event@ietf.org>
Thread-Topic: [Id-event] SAML subject identifier type
Thread-Index: AQHWWu5wSHawNgbSLEecHYRPRNig8qkJNefw
Date: Wed, 15 Jul 2020 22:20:45 +0000
Message-ID: <MN2PR00MB068653B00930B9E02E2286E5F57E0@MN2PR00MB0686.namprd00.prod.outlook.com>
References: <CAMCkG5thP1JnyBn5qAK0TLqBoa-y53Qnoq=mf-NPLfzSF2U7VQ@mail.gmail.com> <5B3455F1-9F82-40C5-BE22-2E3B715A0CF1@canarie.ca> <CAMCkG5uSQzTGCmFn6DLeXVbA0B0wrcPou8CEjtCQ5BCp3M+eOw@mail.gmail.com> <CAMCkG5uff+WwMRLDr+Lph-TagtwL5jWORg5ruvWLOxkNBM2s0A@mail.gmail.com> <E7D14134-0210-4515-ACA3-2AB5CDDCBF34@gmail.com> <CAMCkG5t+7z7OOLdsD77zj_eM7eYf2wOTGTV9tg5S01FXgcHC0w@mail.gmail.com> <8B77A27C-D5B3-477A-BD0D-8B3D3B818BB0@gmail.com> <CA+k3eCQ+f78Ct59D45SyQ8MnCLbpf6665h48MKpyvBaAA-ezZg@mail.gmail.com> <CAMCkG5ssFt2Dy-pbuuEch7KkBu+goNhSbfepx6dVxrUKChBRBw@mail.gmail.com> <C62035F9-E7D8-4CA4-89A3-2BE6DE941CE3@amazon.com> <CAMCkG5snqNuDAYMXZiri=ZJ7=y9d=-1jCnwV0FcGXVzZnX6+gA@mail.gmail.com> <9CC41112-7947-41E1-9584-6DEB625BBEEA@amazon.com>
In-Reply-To: <9CC41112-7947-41E1-9584-6DEB625BBEEA@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-07-15T22:18:37Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=d6fca6b8-cf80-4bed-a00c-899d1c544eff; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: c1226772-3ad5-4ced-10e8-08d8290d518d
x-ms-traffictypediagnostic: MN2PR00MB0640:
x-microsoft-antispam-prvs: <MN2PR00MB0640C712899172DBD7049E35F57E0@MN2PR00MB0640.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0+A5g14E/oyQXJVidTLBLhbbtr4SlKWqzI/wvWFUkkGxtEVDsoVyUfT/l5gr8hBdgFVofrDIsSfG0gMrD75yi4lUKCmj8Uqf6u4TTjkhWHWTm1tZTLNSEJOjk1LyFt5w/kGNxdd4ge2Uq6OjWAeRi0Ou99EzHvUJIn3ZosZZd7090F+ugVuv56CKTyBS3RSTPLXYI5Dll6MI5cDAGF1i5G9/1AmxNEO/gimn9w24MfhbXi5S1FzLDe2Hy1PxNHut02bK1x7eZatJn6NW2RP1j6cr9p/Wd2UwR1Dkkze08UjxVnLUhXaIHrTTa8XLCp1up8OXudVnZq2NkyI/1Ys5uN4+UX/ildJVQOonvwQTK3ZWfUFLPHiUvRlaC1kwLOIjKojBQpdSdub5DB+IsmQmHQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR00MB0686.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(346002)(366004)(376002)(136003)(39860400002)(66446008)(966005)(82950400001)(316002)(86362001)(10290500003)(26005)(8676002)(82960400001)(53546011)(8936002)(9686003)(186003)(6506007)(110136005)(7696005)(4326008)(2906002)(66946007)(54906003)(83380400001)(5660300002)(66476007)(8990500004)(55016002)(76116006)(21615005)(33656002)(7066003)(166002)(64756008)(71200400001)(52536014)(66556008)(478600001)(30864003)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: wR6l/z8jAETijJ4egthvLsKh5UQDHRbG7zNTefbb9i8z0fep/Ib3BJfcA+9kd12VXiOIYKDvX3/5M3pawBhosRcXQ8ZOMknAHHoOMgl1oaB4/Jnd0MadgEiCI2djKITX16H6SnDCwoZSIQle88QdXDT5CrYroSREIulOZ0UUzGVGG2HahlXLiLB0nzH5xdrawDfN7kNpkCH3k3+oDu2Gr1boemGmapBHKdIh9daug2vLS9X0ojvaWEaVH+xtqUXeT1cu8m9QnTApViNz+Q8oX91P3uQB1yBrpwTSfLYDTz1H0NfFLFMt6agq312B9ZtT9aNvcUx5U6+NfgPvyIgx35xpnCsGWBL2r8HHb24ift/MkQGBuJ8oqd3OdDLay/iG9N4cos72f1deoIuZU9WwwPtv0SqyLPHTtqebFRthzMYcVlUsbDxNviZSVPHRZ7V5b3aYPmPNsh/Pd5r0Oo5g3B++xdiSwagyNQvi5es/Tj4jFvLmfs9Qbq+oUw9TSu8xGmv4ra3mTtqI+rQxDsAxsLy+CWihN5JJtLgrITHjgHZPLQALXRSXK3h3tUu1eDh9Zag1vAkxYtWigjo+8El9WaKZHB9xT5rioehrB2C5mPd2VJUnPtP/P+YHOZmGoaN+eW3bMn7rNkTRFGp86nS+KQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB068653B00930B9E02E2286E5F57E0MN2PR00MB0686namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR00MB0686.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c1226772-3ad5-4ced-10e8-08d8290d518d
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jul 2020 22:20:45.1651 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: S9lepuRA9t+2b7/0fwdxvgLUyGVRIjAEI8uSxLeYzLF5wjpF1bZV8Z2BHjoC2S4+Xjb6qzLQoeFbRTDiqu/Dig==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR00MB0640
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/9tKXq6rpVzrT16ipan-9tgWY4jA>
Subject: Re: [Id-event] SAML subject identifier type
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 22:20:59 -0000

I’d suggest not defining any subject types that we don’t have immediate use cases for, as we might get the details wrong.  We’re creating a registry to add new ones, so they can always be added later when they’re actually needed.

Let’s keep this simple, while meeting the immediately known needs.

                                                       -- Mike

From: Id-event <id-event-bounces@ietf.org> On Behalf Of Richard Backman, Annabelle
Sent: Wednesday, July 15, 2020 2:25 PM
To: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>; Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>; Brian Campbell <bcampbell@pingidentity.com>; Chris Phillips <Chris.Phillips@canarie.ca>; id-event@ietf.org
Subject: Re: [Id-event] SAML subject identifier type

I think the two subject types – the “oauth_token” type described in my prior email, and a “oauth_client” type that identifies a subject by its OAuth 2.0 client ID – are reasonable types to define. I don’t see a particular need to move them into the base spec – we define an IANA registry precisely so we don’t have to try to define everything up front – but I’m not opposed to the idea.

I’m not sure where this notion of a “durable subject” came from. Right in the introduction, RFC 8417<https://www.rfc-editor.org/rfc/rfc8417.html#section-1> says the subject of a security event “may be permanent (e.g., a user account) or temporary (e.g., an HTTP session) in nature.” There are plenty of use cases for events where the subjects are temporary/ephemeral:

  1.  Session termination
  2.  Changes in the security posture for a session
  3.  Token revocation
  4.  Asynchronous approval of a request
  5.  Changes in the state of a transaction
…etc.

Whether or not it makes sense to identify a session subject using a SAML assertion ID (or an ID Token “jti” claim, in the OIDC world) is a separate question. Adding semantics to existing identifiers tends to lead to lots of unforeseen complications, and depend on assumptions that don’t always hold true. In this case, there seems to be an assumption that there is a 1:1 relationship between a SAML assertion and a session. This is not always the case.

Regardless, a SAML assertion ID is clearly an appropriate identifier when the subject is a SAML assertion. I don’t know offhand if there are any use cases for events relating to a SAML assertion itself. I can certainly see use cases for events related to JWTs (e.g., revocation of a JWT access token), where a “jti” subject identifier type would be appropriate. I’m inclined to add it to the draft, if for no other reason than to provide a normative demonstration of a subject identifier that would be used to identify a more ephemeral subject.

–
Annabelle Backman (she/her)
AWS Identity
https://aws.amazon.com/identity/


From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> on behalf of Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org<mailto:atultulshi=40google.com@dmarc.ietf.org>>
Date: Wednesday, July 15, 2020 at 12:47 PM
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org<mailto:richanna=40amazon.com@dmarc.ietf.org>>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>, Chris Phillips <Chris.Phillips@canarie.ca<mailto:Chris.Phillips@canarie.ca>>, "id-event@ietf.org<mailto:id-event@ietf.org>" <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: RE: [EXTERNAL] [Id-event] SAML subject identifier type


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

How do we propose to support the two subject types defined in the OAuth Event Types<https://openid.net/specs/oauth-event-types-1_0-ID1.html> spec here?

On Tue, Jul 14, 2020 at 4:54 PM Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote:
The RISC Profile’s “ID Token Claims” type does not identify a subject that is an ID Token, it identifies a subject that was the subject of an ID Token. It was intended for cases where the OP sent multiple identifiers of different types in the ID Token (e.g., iss+sub and email), and does not know which of them the client will recognize (yes, the should use iss+sub; no, they doesn’t always do so). This type was replaced in draft-ietf-secevent-subject-identifiers-03 with the “aliases” type, which is a general solution to this problem that is not defined in terms of one particular use case (i.e., ID Tokens).

The OIDF SSE working group’s OAuth Event Types draft<https://openid.net/specs/oauth-event-types-1_0-ID1.html#rfc.section.2.1> defines a “oauth_token” type that identifies a subject that is an OAuth 2.0 token, and does so using either the full or partial plain text value of the token, or a hash of the token..

It is perfectly fine for a token to be the subject of a security event. 8417<https://www.rfc-editor.org/rfc/rfc8417.html#section-2.2> actually includes the following as an example of a possible value for the “sub” claim:
*  a token identifier (e.g. "jti") for a revoked token.

–
Annabelle Backman (she/her)
AWS Identity
https://aws.amazon.com/identity/


From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> on behalf of Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf.org>>
Date: Tuesday, July 14, 2020 at 4:32 PM
To: Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, Chris Phillips <Chris.Phillips@canarie.ca<mailto:Chris.Phillips@canarie.ca>>, "id-event@ietf.org<mailto:id-event@ietf.org>" <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: RE: [EXTERNAL] [Id-event] SAML subject identifier type


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

IMO if we have a common enough use-case that requires a specific type to be defined, then we should define that type in the spec rather than rely on an interpretation of the "iss-sub" type, since that interpretation can cause incompatibilities.

In this specific case however I feel that the use cases outlined in my previous email can be achieved (with limitations) using the durable subject types such as email. I'd like the members of the SSE working group to chime in (since that is where this got added), or we can drop the SAML subject identifier type.

On Tue, Jul 14, 2020 at 4:09 PM Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:
+ 1 to what Yaron is saying here. I'd include also the "iss-sub" subject identifier type https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-05#section-3.4 as already having semantics covering what's described in the ID Token Claims Subject Identifier Type in the RISC document referenced. And all those things represent a durable subject rather than a session, which strikes me as appropriate for a document that describes identifying subjects. A SAML assertion ID, however, which is an identifier of an XML document that is only indirectly related to a session by an association that likely isn't maintained, does not seem appropriate as a "subject identifier".

On Tue, Jul 14, 2020 at 4:01 PM Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> wrote:
Hi Atul,

The ID Token subject type, as described in the document you are referencing, does not add any semantics, compared to a “phone number” or “email” subject type. So I don’t see the value in adding it.

In addition, it does not, actually, describe an ID Token. In fact the text is very clear that it describes a “subject” (a durable entity) rather than a session, and does it by citing various claims included in the ID token. So as a subject identifier type, it is not at all equivalent to a SAML assertion.

As to the SAML Assertion subject type, I think these use cases could be addressed by adding information to the event.

Thanks,
                Yaron

From: Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>>
Date: Tuesday, July 14, 2020 at 23:26
To: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>
Cc: Chris Phillips <Chris.Phillips@canarie.ca<mailto:Chris.Phillips@canarie.ca>>, "id-event@ietf.org<mailto:id-event@ietf.org>" <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: Re: [Id-event] SAML subject identifier type

Hi Yaron,
There are a few SSE use cases where the events are about a specific single sign-on session. You're right that this should not be limited to SAML. The RISC profile of SETs (based on which we are doing the SSE work) had the ID Token subject identifier type, which for some reason is missing in this spec (I did not realize until now). The specific events that need to refer to sessions are:
•         Identity provider context change: The conditions under which a SAML assertion or OIDC token was generated are no longer valid. This can be due to various things, including a password change.
•         Session property change: A session has been determined to have been compromised
•         Revocation: The issuer of the single sign-on SAML assertion or ID Token needs to be revoke
I can also add the ID Token claim from the RISC profile<https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt#lines-250> to my pull request.

Thanks,
Atul


On Tue, Jul 14, 2020 at 12:32 PM Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf..ietf@gmail.com>> wrote:
I need a lot more context here. So far, subject IDs have denoted durable entities, such as email addresses, phone numbers, account. This is adding a subject ID that denotes an ephemeral entity, basically similar to a session ID. This looks weird from an architectural point of view, and also begs the question, why specifically SAML and not other session types.

Thanks,
                Yaron

From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> on behalf of Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf..org>>
Date: Tuesday, July 14, 2020 at 00:14
To: Chris Phillips <Chris.Phillips@canarie.ca<mailto:Chris.Phillips@canarie.ca>>
Cc: "id-event@ietf.org<mailto:id-event@ietf.org>" <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: Re: [Id-event] SAML subject identifier type

Just clarifying the proposal as it stands today (before incorporating Chris's input):
The following section should be added in the "Subject Identifier Types" section:
4.9.  SAML Subject Identifier Type

   The SAML [SAML.REF] Subject Identifier Type describes a subject by
   the assertion identifier in the SAML assertion that was used to
   convey the subject's information to the Receiver.  Subject
   Identifiers of this type MUST contain an ` assertion_id"claim.  The
   value of this claim is a string that is equal to the Assertion
   Identifier in the SAML assertion.  The SAML Subject Identifier Type
   is identified by the name "saml`.

   Below is a non-normative example Subject Identifier for the SAML
   Subject Identifier Type:

   {
     "subject_type": "saml",
     "assertion_id": "_f551d88963ab4e3decb7cfe8f4dcc3f5",
   }

     Figure 8: Example: Subject Identifier for SAML Subject Identifier
                                   Type.


On Mon, Jul 13, 2020 at 1:22 PM Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>> wrote:
Hi Chris,
I was proposing using the "assertion id" (SAML Core<http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf> spec, line 553) in the proposal, not the "subject-id" as defined in SAML (spec section 3.3). The main reason was to be able to refer to a session that was established using a specific assertion. If it's useful, we could perhaps extend the SAML subject identifier type in this spec to include either the assertion_id or the subject_id claim.

Thanks,
Atul


On Mon, Jul 13, 2020 at 10:30 AM Chris Phillips <Chris.Phillips@canarie.ca<mailto:Chris..Phillips@canarie.ca>> wrote:
Hi.
Quiet lurker observing..
Thanks for consider the SAML elements..

Atul, are you referring to the actual session identifier that someone may have where the Subject-Id was exchanged OR the actual Subject-id itself in your reference in the proposal with the github link?

I’m trying to square what I see on the git delta on line 294-296 in https://github...com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994<https://github.com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994>


And a Subject-id as shown in the example in 3.3.3 here: https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097229<https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1..0-cs01..html#_Toc536097229>

What you offered in the example is not a Subject-id  per the OASIS SAML spec as written in section 3.3.1

Am I mis-interpreting something?

C


From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> on behalf of Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf.org>>
Date: Monday, July 13, 2020 at 12:17 PM
To: "id-event@ietf.org<mailto:id-event@ietf.org>" <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: [Id-event] SAML subject identifier type

Hi all,
Based on the discussions in the SSE working group within the OpenID Foundation, we would like to propose that the subject identifier specification include a SAML subject identifier type. This is so that sessions established across peers using SAML may be identified in events that include the subject identifier.

 A SAML subject identifier has only one claim within it, the assertion id of the SAML assertion used to establish the single sign-on session.

This change is also included in my proposal here<https://github.com/richanna/secevent/pull/1>.

Thanks,
Atul

_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event
_______________________________________________ Id-event mailing list Id-event@ietf.org<mailto:Id-event@ietf.org> https://www.ietf.org/mailman/listinfo/id-event
_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email