A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML
draft-ietf-abfab-aaa-saml-09

Document type: Active Internet-Draft (abfab WG)
Document stream: IETF
Last updated: 2014-02-14
Intended RFC status: Unknown

IETF State: WG Document Oct 2010
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: I-D Exists
Responsible AD: (None)
Send notices to: No addresses provided

ABFAB                                                         J. Howlett
Internet-Draft                                                     Janet
Intended status: Informational                                S. Hartman
Expires: August 18, 2014                               Painless Security
                                                       February 14, 2014

   A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and
                     Confirmation Methods for SAML
                      draft-ietf-abfab-aaa-saml-09

Abstract

   This document describes the use of the Security Assertion Mark-up
   Language (SAML) with RADIUS in the context of the ABFAB architecture.
   It defines two RADIUS attributes, a SAML binding, a SAML name
   identifier format, two SAML profiles, and two SAML confirmation
   methods.  The RADIUS attributes permit encapsulation of SAML
   assertions and protocol messages within RADIUS, allowing SAML
   entities to communicate using the binding.  The two profiles describe
   the application of this binding for ABFAB authentication and
   assertion query/request, enabling a Relying Party to request
   authentication of, or assertions for, user or machine principals.
   These principals may be named using an NAI name identifier format.
   Finally, the subject confirmation methods allow requests and queries
   to be issued for a previously authenticated user or machine without
   needing to explicitly identify them as the subject.  These artifacts
   have been defined to permit application in AAA scenarios other than
   ABFAB, such as network access.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 18, 2014.

Copyright Notice

Howlett & Hartman        Expires August 18, 2014                [Page 1]
Internet-Draft                 SAML RADIUS                 February 2014

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  TODO . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  5
   4.  RADIUS SAML Attributes . . . . . . . . . . . . . . . . . . . .  5
   5.  SAML RADIUS Binding  . . . . . . . . . . . . . . . . . . . . .  6
     5.1.  Required Information . . . . . . . . . . . . . . . . . . .  6
     5.2.  Operation  . . . . . . . . . . . . . . . . . . . . . . . .  6
     5.3.  Processing of names  . . . . . . . . . . . . . . . . . . .  7
       5.3.1.  AAA names  . . . . . . . . . . . . . . . . . . . . . .  8
       5.3.2.  SAML names . . . . . . . . . . . . . . . . . . . . . .  8
       5.3.3.  Use of XML Signatures  . . . . . . . . . . . . . . . .  8
       5.3.4.  Metadata Considerations  . . . . . . . . . . . . . . .  9
   6.  Network Access Identifier Name Identifier Format . . . . . . .  9
   7.  ABFAB Authentication Profile . . . . . . . . . . . . . . . . .  9
     7.1.  Required Information . . . . . . . . . . . . . . . . . . .  9
     7.2.  Profile Overview . . . . . . . . . . . . . . . . . . . . . 10
     7.3.  Profile Description  . . . . . . . . . . . . . . . . . . . 12
       7.3.1.  User Agent Request to Relying Party  . . . . . . . . . 12
       7.3.2.  Relying Party Issues <samlp:AuthnRequest> to
               Identity Provider  . . . . . . . . . . . . . . . . . . 12
       7.3.3.  Identity Provider Identifies Principal . . . . . . . . 12
       7.3.4.  Identity Provider Issues <samlp:Response> to
               Relying Party  . . . . . . . . . . . . . . . . . . . . 13
