RE: [Sip]: SIP and SAML

["Hannes Tschofenig" <Hannes.Tschofenig@siemens.com>]

hi stefan, 

thanks for pointing to this important issue. we are currently working on a
draft update. we try to incorporate the issues presented in san diego (see
http://www.softarmor.com/sipwg/meets/ietf60/slides/pres-ietf60-sip-saml-tsch
ofenig.ppt). one of the open issues is related to reference integrity. we
also had a discussion on this issue. since you raised this issue i will give
some more insights in our off-line discussions. 

it is true that we mentioned in
http://www.ietf.org/internet-drafts/draft-tschofenig-sip-saml-00.txt that we
do not aim to create a solution for single sign-on (sso). 

unfortunately, the term 'single sign-on' is somewhat loosely defined. there
i have two answers for you:

first answer: 

in section 4.5 of draft-ietf-sipping-trait-authz-00.txt (trait-based authz
requirements draft) we describe a scenario where different protocols are
linked together using saml assertions. we use an example where we associate
a sip signaling protocol run and a qos signaling protocol. however, the
scenario is more generic in the sense that an arbitrary protocol can be
linked together with sip. if you call this "single sign-on" then this is
certainly in scope of our work. the current sip-saml draft supports such a
scenario. there are, however, some issues with reference integrity. this
issue will be treated in more detail in second answer.  

second answer: 

there is a difference between the usage of saml in http and sip. section 5
talks about a problem where a sip proxy can reuse an obtained saml assertion
to impersonate a user in future protocol runs. this problem has a direct
relationship to your question. 

a few solutions exist to address this problem:

1) you can delete this problem by assuming that all sip proxies are
trustworthy and do not act maliciously. 

2) the current draft talks about binding the saml assertion to a particular
sip session (see paragraphs mentioning the concept of reference integrity).
binding a saml assertion to a sip session means that 
  a) you compute a hash over a number of sip fields (see also
draft-ietf-sip-identity and draft-ietf-sip-authid-body)  
  b) include this hash into the saml assertion
  c) compute a digital signature 
this procedure has to be done by the authentication service. 

now, the main question is which fields to include in the hash. if you
include information such as the call-id then the assertion is only valid for
a particular sip session. if you only include the from,to field then the
assertion is valid for sip sessions between the two indicated entities
(typically for given timeframe - as specified in the validity of the saml
assertion). 

depending what you call single sign-on there might indeed be a problem. 

there is no reason to be disappointed. during a discussion with bob morgan
(one of the saml authors) at the last ietf he pointed me to the
holder-of-the-key assertion to deal with reference integrity in a better
way. the idea is the following: instead of using reference integrity with an
enhancement to the conditions extension point the holder-of-the-key
assertion allows to bind a key to the assertion. as a result, the end host
which was quite passive with the previous approach can be turned into an
active participant. obviously this considerably improves security (with the
drawback of adding some complexity to it).  

although we discussed this issue among the authors we haven't reached a
conclusion on it. 

the usage of saml in sip might heavily be scenario dependend. this means
that one solution might not fit in all cases. hence, i personally see only
the following options: 
- we do not strictly mandate which fields the authentication service has to
include into the hash function in order to gurantee reference integrity.  
- we additionally allow the usage of the holder-of-the-key assertion

ciao
hannes


> -----Original Message-----
> From: Goeman Stefan [mailto:Stefan.Goeman@siemens.com] 
> Sent: Mittwoch, 22. September 2004 10:31
> To: 'sip@ietf.org'
> Subject: [Sip]: SIP and SAML 
> 
> Hello, 
> 
> I was wondering if somebody already reviewed the ID 
> draft-tschofenig-sip-saml-00.txt. 
> 
> This draft explicitly mentions that its main goal is not to 
> realize single sign-on (SSO) functionality as in HTTP. 
> However, I wonder if it would not be a good idea to realize 
> SSO functionality with SAML in SIP. Right now, 3GPP has 
> defined IMS-AKA.
> This procedure authenticates the end-user when sending an 
> initial SIP Register request to the P-CSCF. It must be noted 
> that this is an MNO-centric approach; the MNO owning both a 
> wireless access network and an IMS domain. 
> 
> However, it is not unthinkable that in the future there will 
> exist entities that will only operate an IMS domain. In this 
> case, end-users will be authenticated by the (wireless) 
> access network provider. Then, I believe it makes sense that 
> the access network provider would provide SAML assertions to 
> the IMS operator providing information on the authentication 
> status of the end-user. 
> 
> How this should be done is unclear to me; I do have some 
> initial ideas though. 
> 
> Anybody willing to comment? 
> 
> Thanks in advance! 
> 
> Greetings,
> Stefan. 
> 
> 
> Stefan Goeman
> SIEMENS ICM/ICN
>  <mailto:Stefan.Goeman@siemens.atea.be> Stefan.Goeman@siemens.com 
>         
> 
> 


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip