Re: [OAUTH-WG] draft-ietf-oauth-saml2-bearer-10 question

Brian Campbell <bcampbell@pingidentity.com> Fri, 06 April 2012 11:55 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 06 Apr 2012 05:55:12 -0600
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-saml2-bearer-10 question

It really depends on the situation - what other systems are available to
the client and the nature of the trust relationship between the client and
the AS.

As John said, a client could generate and self sign an assertion. This
likely works well for client authentication via asymmetric keys.

WS-Trust/STS is the most typical (in my view anyway) way a client might get
an assertion to use for authorization. We've got a few customers doing it
that way.  I did a little demo a while back using WS-Trust but where the
assertion issuer acts as a broker of sorts in the transaction rather than
returning the assertion to the client:
https://www.pingidentity.com/blogs/pingtalk/index.cfm/2010/11/5/Securing-Mobile-for-Enterprise--SAML-OAuth-WSTrust-in-Action

ECP is possible but you are right that lack of support for it makes it
unlikely.

Various permutations of Web SSO are possible too.  The client might be a
SAML SP, for example, and get an assertion from an IDP that's suitable for
both SSO and use as a grant type. Although, in current practice, I don't
think IDP support for issuing such assertions is very good.

And there's nothing ruling out some kind of simple proprietary exchange
between the client and the assertion issuer.


On Thu, Apr 5, 2012 at 7:46 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Adam,
>
> It may be a self signed SAML assertion.
>
> That is likely the case where someone wanted to use asymmetric keys to
> authenticate to the Token Endpoint.
>
> I could see an STS used in some cases.
>
> ECP is a touch unlikely unless someone was super keen.
>
> The client could use a Web SSO profile to get an assertion for the user if
> you are using the Assertion profile for the Authorization endpoint.
>
> There is also a JWT token profile for assertions, you knew I couldn't
> resist a plug:)
>
> John B.
> On 2012-04-05, at 10:35 PM, Lewis Adam-CAL022 wrote:
>
> Hi,
>
> Reading draft-ietf-oauth-saml2-bearer-10, it states:
>
>    The process by which the client obtains the SAML Assertion, prior to
>    exchanging it with the authorization server or using it for client
>    authentication, is out of scope.
>
> Accepting that it's out of scope from the draft, what are the realistic
> alternatives to obtaining the SAML assertion out of band?  WS-Trust
> provides a direct method to request a SAML assertion from a STS, and the
> SAML ECP profile seems to allow this behavior, but it doesn't seem like
> ECP is very well supported.  What other viable means are there for a
> client to directly request a SAML assertion from an assertion issuer?
>
> Tx!
> adam
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
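Whichever of the channels discussed in this thread the client uses to obtain its assertion (STS, Web SSO, self-signed, or a proprietary exchange), the authorization server's token endpoint still has to apply the processing rules of draft-ietf-oauth-saml2-bearer before it accepts the assertion as a grant. The following Python sketch is an added example, not code from the thread, the draft, or any of the participants' products: it builds the token request (grant_type urn:ietf:params:oauth:grant-type:saml2-bearer with a base64url-encoded assertion), decodes it on the server side, and checks issuer, audience, validity window, bearer subject confirmation, recipient, and assertion ID replay. The endpoint URLs, issuer names, and the assertion itself are constructed for the demo, and XML signature verification is assumed to be performed by the caller before these checks.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml in production
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML dateTime values, UTC


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def _parse_ts(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def sample_assertion(issuer, audience, recipient, now, lifetime_s=300, assertion_id="_demo-1"):
    """Constructed, UNSIGNED sample assertion; every value here is hypothetical."""
    expiry = _ts(now + timedelta(seconds=lifetime_s))
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}" Version="2.0" IssueInstant="{_ts(now)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER_METHOD}">
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{expiry}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{expiry}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".encode()


def build_token_request(assertion_xml):
    """Client side: form-encoded body of the token request (assertion is base64url, no padding)."""
    encoded = base64.urlsafe_b64encode(assertion_xml).rstrip(b"=").decode()
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": encoded})


def decode_assertion_param(value):
    """Server side: restore padding and decode the assertion parameter back to XML bytes."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def validate_bearer_assertion(xml_bytes, trusted_issuers, token_endpoint, now, seen_ids, extra_audiences=()):
    """Apply the draft's processing rules; signature verification is assumed done by the caller.
    Returns a list of rejection reasons; an empty list means the assertion is acceptable."""
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "{%s}Assertion" % SAML:
        return ["root element is not saml:Assertion"]

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if not any(a == token_endpoint or a in extra_audiences for a in audiences):
            problems.append("audience does not include this token endpoint")
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_after is None or now >= _parse_ts(not_after):
            problems.append("Conditions expired or missing NotOnOrAfter")
        if not_before is not None and now < _parse_ts(not_before):
            problems.append("Conditions not yet valid")

    subject = root.find("saml:Subject", NS)
    if subject is None:
        problems.append("missing Subject")
    else:
        confirmed = False
        for conf in subject.findall("saml:SubjectConfirmation", NS):
            data = conf.find("saml:SubjectConfirmationData", NS)
            if conf.get("Method") != BEARER_METHOD or data is None:
                continue
            expiry = data.get("NotOnOrAfter")
            if data.get("Recipient") == token_endpoint and expiry and now < _parse_ts(expiry):
                confirmed = True
        if not confirmed:
            problems.append("no bearer SubjectConfirmation valid for this token endpoint")

    assertion_id = root.get("ID")
    if assertion_id is None:
        problems.append("missing ID")
    elif assertion_id in seen_ids:
        problems.append("assertion ID already used (replay)")
    elif not problems:
        seen_ids.add(assertion_id)  # remember accepted IDs for at least their lifetime
    return problems


def demo():
    """Run the client/server round trip plus the main rejection cases on constructed data."""
    now = datetime(2012, 4, 6, 12, 0, tzinfo=timezone.utc)
    te = "https://as.example.com/token"        # hypothetical token endpoint
    issuers = {"https://idp.example.com"}      # hypothetical trusted issuer
    good = sample_assertion("https://idp.example.com", te, te, now)
    bad_aud = sample_assertion("https://idp.example.com", "https://other.example.com", te, now)
    received = decode_assertion_param(urllib.parse.parse_qs(build_token_request(good))["assertion"][0])
    seen = set()
    return {
        "roundtrip_ok": received == good,
        "good": validate_bearer_assertion(good, issuers, te, now, seen),
        "replay": validate_bearer_assertion(good, issuers, te, now, seen),
        "expired": validate_bearer_assertion(good, issuers, te, now + timedelta(seconds=600), set()),
        "bad_audience": validate_bearer_assertion(bad_aud, issuers, te, now, set()),
        "untrusted": validate_bearer_assertion(good, {"https://rogue.example.net"}, te, now, set()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay set is the piece most often forgotten: because a bearer assertion is usable by anyone who holds it, the draft lets the AS reject an ID it has already accepted, and the set only needs to retain IDs until their NotOnOrAfter has passed.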