Re: [kitten] GSS-API / SAML as authentication mechanism

Srinivas Cheruku <srinivas.cheruku@gmail.com> Wed, 12 April 2023 16:01 UTC

Return-Path: <srinivas.cheruku@gmail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35A50C17B343 for <kitten@ietfa.amsl.com>; Wed, 12 Apr 2023 09:01:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHTjdozWB47M for <kitten@ietfa.amsl.com>; Wed, 12 Apr 2023 09:01:45 -0700 (PDT)
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAB80C152564 for <kitten@ietf.org>; Wed, 12 Apr 2023 09:01:45 -0700 (PDT)
Received: by mail-pl1-x633.google.com with SMTP id la3so11707386plb.11 for <kitten@ietf.org>; Wed, 12 Apr 2023 09:01:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681315304; x=1683907304; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=VH+np0W6w0X0o+VsxR5D09PKocmbLK0LIhs8piNZkKY=; b=f+l1wjVT15f70wrJ+drXyx3CnjuAX1k+AcbzOQddNA9+sGu/ObOlIxSPanRssm12YM ndzwyVwKAcEVLDa9PPqQu/JyoQqZp72I94e7JQH2il+aGxz9V1zAR3RXuOyY8TxGDet1 1aBF5peaQ6xTI4CCFHtqb+LL2AHdr/u3jptwgbiLinBRWfxsz+JkexKCVxsVYB8F2bJX IqHDBIj5OL4Z838S8F3VKEnNzihCmm2A7Ma0qfqAnqF8Jim9iIl3yTLSyBflidPZSZ9I 7v1j1U/70KCJLyRqDSmtD0JM/g/LIAydTjMWEYQR+JlXK/6c5iy/x3c9M9rEK2zpiKfr OuZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681315304; x=1683907304; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VH+np0W6w0X0o+VsxR5D09PKocmbLK0LIhs8piNZkKY=; b=V48qD49KoOTKCPTc9siJQve8Y7uv7/laz/0TbIm3W2cPyE9u8sKZ9F5TlwERJX7tzs ApFRhW1gakIlgLPdahijp2QSxcD0Vp1iElXfMV+rfedQBCP0PfFlJOvbtR8CEITiEBG6 HaC1rM86ZR71Of1ehut4vsq9UhfEXKnHqFQ8Uw7nuUj8bXtS10Ky3IktRSl35Z8NHky+ cfcPbP6kwBr+moeMnHjsdxgJ4fXiUAIRozeMdoODYGGUux7AAJ3KWu9pOUYqNAena4hN qklocNf3HPQAWFrUYW5oWJwz8y+x6h7xIcMJ9mYnNqaH8rGBONJtC/l+Rp0CrT1i045i f8fw==
X-Gm-Message-State: AAQBX9f45M4mEpCOhbzxKGMp/DZhaKRJzLABCLXq5nwC0BTfiy1n79Iz PpkxoKzYKo3idrLwPwhvTyiGy++002s=
X-Google-Smtp-Source: AKy350YaWetPLSwv9jFYLbSQgMJdJVQYrPkf6ZaNwsmJPtBF6hhplROteMx0T1IkvOpRL9uLnHy/sg==
X-Received: by 2002:a17:903:2888:b0:1a6:3ffb:8997 with SMTP id ku8-20020a170903288800b001a63ffb8997mr8668914plb.42.1681315298017; Wed, 12 Apr 2023 09:01:38 -0700 (PDT)
Received: from PN2P287MB0381.INDP287.PROD.OUTLOOK.COM ([2603:1046:c04:835::5]) by smtp.gmail.com with ESMTPSA id q14-20020a170902788e00b0019462aa090bsm11698998pll.284.2023.04.12.09.01.36 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Apr 2023 09:01:37 -0700 (PDT)
From: Srinivas Cheruku <srinivas.cheruku@gmail.com>
To: Simon Josefsson <simon@josefsson.org>
CC: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: GSS-API / SAML as authentication mechanism
Thread-Index: AQHZbQzPmEPWDNuNwkGlV9EagAqxHDlEODMwZmZrOGSqKoBz3Q==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Wed, 12 Apr 2023 16:01:34 +0000
Message-ID: <PN2P287MB0381A72190868E5AD8F60035F69B9@PN2P287MB0381.INDP287.PROD.OUTLOOK.COM>
References: <PN2P287MB0381F58334C75A8ABED02D65F69B9@PN2P287MB0381.INDP287.PROD.OUTLOOK.COM> <87a5zdw8lk.fsf@kaka.sjd.se>
In-Reply-To: <87a5zdw8lk.fsf@kaka.sjd.se>
Accept-Language: en-GB, en-US
Content-Language: en-IN
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_PN2P287MB0381A72190868E5AD8F60035F69B9PN2P287MB0381INDP_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/KZHCAi3Ya9nYMbYoN5mn1QITxVU>
Subject: Re: [kitten] GSS-API / SAML as authentication mechanism
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Apr 2023 16:01:50 -0000

Simon,

Thank you very much for your inputs.

Does this mean it should be ok to use SAML20EC where application design assumes per-connection SASL authentication?

Thanks,
Srini


On 12/04/23, 18:39, "Simon Josefsson" <simon@josefsson.org> wrote:
Srinivas Cheruku <srinivas.cheruku@gmail.com> writes:

> Hello All,
>
> As you know, companies are slowly starting to think about moving away
> from Kerberos infrastructure (e.g. MS AD) and relying on MS Azure AD or
> any other IdP for their authentication needs. We came across some new
> companies where they do not have any Kerberos infrastructure like MS
> AD at all. And there are still thick client applications using
> GSS-API/Kerberos for authentication, so I was thinking about support
> for GSS-API/SAML for these client applications.
>
> I found two references as below:
>
>   1.  SAML Enhanced Client SASL and GSS-API Mechanisms -
> https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml-ec/
>   2.  RFC 6595 – A Simple Authentication and Security Layer (SASL) and
> GSS-API Mechanism for the Security Assertion Markup Language (SAML) -
> https://www.rfc-editor.org/rfc/rfc6595
>
> Are there any known implementations of these?

Yes, GNU SASL supports RFC6595 SAML20:

https://www.gnu.org/software/gsasl/manual/html_node/SAML20.html

However the deployment experience with IMAP/SMTP/XMPP and some other
SASL-using protocols has not worked out well for SAML20: the practice of
opening multiple connections and performing SASL authentication on each
of them pretty much destroyed the functionality here, where most
application design assumes per-connection SASL authentication is
non-interactive after an initial user prompt for passwords etc.

We never brought it up to the GSS-API layer to test with SSH etc, since
it is lacking some security features that make it a bit too fragile.
SAML20EC improved on those, but the application design issue is still a
concern.

/Simon