Re: [Id-event] SAML subject identifier type
Atul Tulshibagwale <atultulshi@google.com> Wed, 15 July 2020 19:46 UTC
Return-Path: <atultulshi@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7E4B3A0F60 for <id-event@ietfa.amsl.com>; Wed, 15 Jul 2020 12:46:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.589
X-Spam-Level:
X-Spam-Status: No, score=-17.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mnUCx-4ivscO for <id-event@ietfa.amsl.com>; Wed, 15 Jul 2020 12:46:16 -0700 (PDT)
Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69F63A0F5D for <id-event@ietf.org>; Wed, 15 Jul 2020 12:46:15 -0700 (PDT)
Received: by mail-yb1-xb2d.google.com with SMTP id c14so1721277ybj.0 for <id-event@ietf.org>; Wed, 15 Jul 2020 12:46:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z5V1qSIZ6vGudnk84jA5rJ+rQdbmmVc8uMVfHp08iWA=; b=R5HDJCh1Sj3vDO5CBKHB5KE3BAQZvaz9gD8827Wp+Zu41nnXnYA7NCE0YRBISeu/Ox AufL8Vu7ctkZObPz641CY3n+cpjaX037zmvZDqxxH0lRpaqqN2F7MDGx+hXGdPDWoopw V7CY2WnXNGeCNcyoesYg8FtLpB/2sT9I6LMqiVkZkuDIH9stdy0sGS3iR3BEw/kKFwuX r/glLcQ0LeiBqJD7a83m1ZR+LwmalwI1nPEsVF6GNVK7ty6SCtn8X+SN/PBOJs3MqCP+ QE99DHIR+Ca/gpRvwok6QCos9KSAl3KOcwpzjCYrdDl6Ub7knn4YIhKSBZlYiqdOKySK g5zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z5V1qSIZ6vGudnk84jA5rJ+rQdbmmVc8uMVfHp08iWA=; b=AmxTGQs+QwbrVoNkzNdph8ph+Wn5Wb3ypOUfxvXHtOlvLCygWfN+f+21VK+ZiHy0mt 4C0wDooTZ6lPf0jnoiLvplzizN54bnfX/JbOqUj3c8Xdnm1WAU8MkmF9dk+ODhq1NMrv gGsQTFCwq4beXTYqe2iIcRY5CjUng6gP+92kb8mpEXeJblCBjKUS9upEWI/qWIBKWxrG JQy4NHIj5lhbbLIP/KyoZa20ehx44QTq1ldE592LmutdJZt5RQj8AEarCPIP5QrbQ6PU 7f7jSMgtqHN2R7rhZVpjODl3VhKjNQu7MvrA0E2bIp3YcyHICAUGOWCzdn8lKnCXzTok J33Q==
X-Gm-Message-State: AOAM530sipX7c2xspLv13gvxmTuctyYbJdMz9ON96h/eO4RLUnT2MFro vwWjZUMYmFj5uTBjUZRkoEAAiux4y0hUytk8Y20jcQ==
X-Google-Smtp-Source: ABdhPJyqm3njJhySOgFeV6FRa0VmOtfrQnSLXBOovmeH144kt/KQEI+Bpyp9LPq4Q3MA3lkYiFqk8VvB9pEsAQ9iQLU=
X-Received: by 2002:a25:d807:: with SMTP id p7mr957802ybg.229.1594842374690; Wed, 15 Jul 2020 12:46:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAMCkG5thP1JnyBn5qAK0TLqBoa-y53Qnoq=mf-NPLfzSF2U7VQ@mail.gmail.com> <5B3455F1-9F82-40C5-BE22-2E3B715A0CF1@canarie.ca> <CAMCkG5uSQzTGCmFn6DLeXVbA0B0wrcPou8CEjtCQ5BCp3M+eOw@mail.gmail.com> <CAMCkG5uff+WwMRLDr+Lph-TagtwL5jWORg5ruvWLOxkNBM2s0A@mail.gmail.com> <E7D14134-0210-4515-ACA3-2AB5CDDCBF34@gmail.com> <CAMCkG5t+7z7OOLdsD77zj_eM7eYf2wOTGTV9tg5S01FXgcHC0w@mail.gmail.com> <8B77A27C-D5B3-477A-BD0D-8B3D3B818BB0@gmail.com> <CA+k3eCQ+f78Ct59D45SyQ8MnCLbpf6665h48MKpyvBaAA-ezZg@mail.gmail.com> <CAMCkG5ssFt2Dy-pbuuEch7KkBu+goNhSbfepx6dVxrUKChBRBw@mail.gmail.com> <C62035F9-E7D8-4CA4-89A3-2BE6DE941CE3@amazon.com>
In-Reply-To: <C62035F9-E7D8-4CA4-89A3-2BE6DE941CE3@amazon.com>
From: Atul Tulshibagwale <atultulshi@google.com>
Date: Wed, 15 Jul 2020 12:46:03 -0700
Message-ID: <CAMCkG5snqNuDAYMXZiri=ZJ7=y9d=-1jCnwV0FcGXVzZnX6+gA@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Cc: Brian Campbell <bcampbell@pingidentity.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, Chris Phillips <Chris.Phillips@canarie.ca>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000037c91805aa802d4d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/az_TpUht1HAk9Fr8usYvZqcX2sE>
Subject: Re: [Id-event] SAML subject identifier type
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 19:46:19 -0000
How do we propose to support the two subject types defined in the OAuth Event Types <https://openid.net/specs/oauth-event-types-1_0-ID1.html> spec here? On Tue, Jul 14, 2020 at 4:54 PM Richard Backman, Annabelle <richanna= 40amazon.com@dmarc.ietf.org> wrote: > The RISC Profile’s “ID Token Claims” type does not identify a subject that > is an ID Token, it identifies a subject that was the subject of an ID > Token. It was intended for cases where the OP sent multiple identifiers of > different types in the ID Token (e.g., iss+sub and email), and does not > know which of them the client will recognize (yes, the *should* use > iss+sub; no, they doesn’t always do so). This type was replaced in > draft-ietf-secevent-subject-identifiers-03 with the “aliases” type, which > is a general solution to this problem that is not defined in terms of one > particular use case (i.e., ID Tokens). > > > > The OIDF SSE working group’s OAuth Event Types draft > <https://openid.net/specs/oauth-event-types-1_0-ID1.html#rfc.section.2.1> > defines a “oauth_token” type that identifies a subject that is an OAuth 2.0 > token, and does so using either the full or partial plain text value of the > token, or a hash of the token. > > > > It is perfectly fine for a token to be the subject of a security event. > 8417 <https://www.rfc-editor.org/rfc/rfc8417.html#section-2.2> actually > includes the following as an example of a possible value for the “sub” > claim: > > * a token identifier (e.g. "jti") for a revoked token. > > > > – > > Annabelle Backman (she/her) > > AWS Identity > > https://aws.amazon.com/identity/ > > > > > > *From: *Id-event <id-event-bounces@ietf.org> on behalf of Atul > Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org> > *Date: *Tuesday, July 14, 2020 at 4:32 PM > *To: *Brian Campbell <bcampbell@pingidentity.com> > *Cc: *Yaron Sheffer <yaronf.ietf@gmail.com>, Chris Phillips < > Chris.Phillips@canarie.ca>, "id-event@ietf.org" <id-event@ietf.org> > *Subject: *RE: [EXTERNAL] [Id-event] SAML subject identifier type > > > > *CAUTION*: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > IMO if we have a common enough use-case that requires a specific type to > be defined, then we should define that type in the spec rather than rely on > an interpretation of the "iss-sub" type, since that interpretation can > cause incompatibilities. > > > > In this specific case however I feel that the use cases outlined in my > previous email can be achieved (with limitations) using the durable subject > types such as email. I'd like the members of the SSE working group to chime > in (since that is where this got added), or we can drop the SAML subject > identifier type. > > > > On Tue, Jul 14, 2020 at 4:09 PM Brian Campbell <bcampbell@pingidentity.com> > wrote: > > + 1 to what Yaron is saying here. I'd include also the "iss-sub" subject > identifier type > https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-05#section-3.4 > as already having semantics covering what's described in the ID Token > Claims Subject Identifier Type in the RISC document referenced. And all > those things represent a durable subject rather than a session, which > strikes me as appropriate for a document that describes identifying > subjects. A SAML assertion ID, however, which is an identifier of an XML > document that is only indirectly related to a session by an association > that likely isn't maintained, does not seem appropriate as a "subject > identifier". > > > > On Tue, Jul 14, 2020 at 4:01 PM Yaron Sheffer <yaronf.ietf@gmail.com> > wrote: > > Hi Atul, > > > > The ID Token subject type, as described in the document you are > referencing, does not add any semantics, compared to a “phone number” or > “email” subject type. So I don’t see the value in adding it. > > > > In addition, it does not, actually, describe an ID Token. In fact the text > is very clear that it describes a “subject” (a durable entity) rather than > a session, and does it by citing various claims included in the ID token. > So as a subject identifier type, it is not at all equivalent to a SAML > assertion. > > > > As to the SAML Assertion subject type, I think these use cases could be > addressed by adding information to the event. > > > > Thanks, > > Yaron > > > > *From: *Atul Tulshibagwale <atultulshi@google.com> > *Date: *Tuesday, July 14, 2020 at 23:26 > *To: *Yaron Sheffer <yaronf.ietf@gmail.com> > *Cc: *Chris Phillips <Chris.Phillips@canarie.ca>, "id-event@ietf.org" < > id-event@ietf.org> > *Subject: *Re: [Id-event] SAML subject identifier type > > > > Hi Yaron, > > There are a few SSE use cases where the events are about a specific single > sign-on session. You're right that this should not be limited to SAML. The > RISC profile of SETs (based on which we are doing the SSE work) had the ID > Token subject identifier type, which for some reason is missing in this > spec (I did not realize until now). The specific events that need to refer > to sessions are: > > · Identity provider context change: The conditions under which a > SAML assertion or OIDC token was generated are no longer valid. This can be > due to various things, including a password change. > > · Session property change: A session has been determined to have > been compromised > > · Revocation: The issuer of the single sign-on SAML assertion or > ID Token needs to be revoke > > I can also add the ID Token claim from the RISC profile > <https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt#lines-250> > to my pull request. > > > > Thanks, > > Atul > > > > > > On Tue, Jul 14, 2020 at 12:32 PM Yaron Sheffer <yaronf.ietf@gmail.com> > wrote: > > I need a lot more context here. So far, subject IDs have denoted durable > entities, such as email addresses, phone numbers, account. This is adding a > subject ID that denotes an ephemeral entity, basically similar to a session > ID. This looks weird from an architectural point of view, and also begs the > question, why specifically SAML and not other session types. > > > > Thanks, > > Yaron > > > > *From: *Id-event <id-event-bounces@ietf.org> on behalf of Atul > Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org > <40google.com@dmarc.ietf..org>> > *Date: *Tuesday, July 14, 2020 at 00:14 > *To: *Chris Phillips <Chris.Phillips@canarie.ca> > *Cc: *"id-event@ietf.org" <id-event@ietf.org> > *Subject: *Re: [Id-event] SAML subject identifier type > > > > Just clarifying the proposal as it stands today (before incorporating > Chris's input): > > The following section should be added in the "Subject Identifier Types" > section: > > 4.9. SAML Subject Identifier Type > > The SAML [SAML.REF] Subject Identifier Type describes a subject by > the assertion identifier in the SAML assertion that was used to > convey the subject's information to the Receiver. Subject > Identifiers of this type MUST contain an ` assertion_id"claim. The > value of this claim is a string that is equal to the Assertion > Identifier in the SAML assertion. The SAML Subject Identifier Type > is identified by the name "saml`. > > Below is a non-normative example Subject Identifier for the SAML > Subject Identifier Type: > > { > "subject_type": "saml", > "assertion_id": "_f551d88963ab4e3decb7cfe8f4dcc3f5", > } > > Figure 8: Example: Subject Identifier for SAML Subject Identifier > Type. > > > > > > On Mon, Jul 13, 2020 at 1:22 PM Atul Tulshibagwale <atultulshi@google.com> > wrote: > > Hi Chris, > > I was proposing using the "assertion id" (SAML Core > <http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf> > spec, line 553) in the proposal, not the "subject-id" as defined in SAML > (spec section 3.3). The main reason was to be able to refer to a session > that was established using a specific assertion. If it's useful, we could > perhaps extend the SAML subject identifier type in this spec to include > either the assertion_id or the subject_id claim. > > > > Thanks, > > Atul > > > > > > On Mon, Jul 13, 2020 at 10:30 AM Chris Phillips <Chris.Phillips@canarie.ca> > wrote: > > Hi. > > Quiet lurker observing.. > > Thanks for consider the SAML elements.. > > > > Atul, are you referring to the actual session identifier that someone may > have where the Subject-Id was exchanged OR the actual Subject-id itself in > your reference in the proposal with the github link? > > > > I’m trying to square what I see on the git delta on line 294-296 in > https://github...com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994 > <https://github.com/richanna/secevent/pull/1/commits/b20b6692eb50628927476ca78f9be077ace88994> > > > > > > And a Subject-id as shown in the example in 3.3.3 here: > https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097229 > <https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1..0-cs01..html#_Toc536097229> > > > > What you offered in the example is not a Subject-id per the OASIS SAML > spec as written in section 3.3.1 > > > > Am I mis-interpreting something? > > > > C > > > > > > *From: *Id-event <id-event-bounces@ietf.org> on behalf of Atul > Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org> > *Date: *Monday, July 13, 2020 at 12:17 PM > *To: *"id-event@ietf.org" <id-event@ietf.org> > *Subject: *[Id-event] SAML subject identifier type > > > > Hi all, > > Based on the discussions in the SSE working group within the OpenID > Foundation, we would like to propose that the subject identifier > specification include a SAML subject identifier type. This is so that > sessions established across peers using SAML may be identified in events > that include the subject identifier. > > > > A SAML subject identifier has only one claim within it, the assertion id > of the SAML assertion used to establish the single sign-on session. > > > > This change is also included in my proposal here > <https://github.com/richanna/secevent/pull/1>. > > > > Thanks, > > Atul > > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > > _______________________________________________ Id-event mailing list > Id-event@ietf.org https://www.ietf.org/mailman/listinfo/id-event > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > >
- [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Chris Phillips
- Re: [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Yaron Sheffer
- Re: [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Yaron Sheffer
- Re: [Id-event] SAML subject identifier type Brian Campbell
- Re: [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Richard Backman, Annabelle
- Re: [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Richard Backman, Annabelle
- Re: [Id-event] SAML subject identifier type Mike Jones
- Re: [Id-event] SAML subject identifier type Dick Hardt
- Re: [Id-event] SAML subject identifier type Atul Tulshibagwale
- Re: [Id-event] SAML subject identifier type Brian Campbell
- Re: [Id-event] SAML subject identifier type Mike Jones