A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML
draft-ietf-abfab-aaa-saml-14

Document Type: Active Internet-Draft (abfab WG)
Last updated: 2016-01-15 (latest revision 2016-01-11)
Stream: IETF
Intended RFC status: Proposed Standard
Stream WG state: Submitted to IESG for Publication Oct 2010
Document shepherd: Klaas Wierenga
Shepherd write-up: last changed 2015-11-04
IESG state: RFC Ed Queue
Consensus: Yes
Responsible AD: Stephen Farrell
Send notices to: "Klaas Wierenga" <klaas@cisco.com>
IANA review state: Version Changed - Review Needed
IANA action state: RFC-Ed-Ack
RFC Editor state: AUTH48-DONE
ABFAB                                                         J. Howlett
Internet-Draft                                                     Janet
Intended status: Standards Track                              S. Hartman
Expires: July 14, 2016                                 Painless Security
                                                    A. Perez-Mendez, Ed.
                                                    University of Murcia
                                                        January 11, 2016

   A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and
                     Confirmation Methods for SAML
                      draft-ietf-abfab-aaa-saml-14

Abstract

   This document describes the use of the Security Assertion Mark-up
   Language (SAML) with RADIUS in the context of the ABFAB architecture.
   It defines two RADIUS attributes, a SAML binding, a SAML name
   identifier format, two SAML profiles, and two SAML confirmation
   methods.  The RADIUS attributes permit encapsulation of SAML
   assertions and protocol messages within RADIUS, allowing SAML
   entities to communicate using the binding.  The two profiles describe
   the application of this binding for ABFAB authentication and
   assertion query/request, enabling a Relying Party to request
   authentication of, or assertions for, users or machines (Clients).
   These Clients may be named using a NAI name identifier format.
   Finally, the subject confirmation methods allow requests and queries
   to be issued for a previously authenticated user or machine without
   needing to explicitly identify them as the subject.  The use of the
   artifacts defined in this document is not exclusive to ABFAB.  They
   can be applied in any AAA scenario, such as network access control.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Howlett, et al.           Expires July 14, 2016                 [Page 1]
Internet-Draft                 SAML RADIUS                  January 2016

   This Internet-Draft will expire on July 14, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  RADIUS SAML Attributes  . . . . . . . . . . . . . . . . . . .   5
     3.1.  SAML-Assertion attribute  . . . . . . . . . . . . . . . .   5
     3.2.  SAML-Protocol attribute . . . . . . . . . . . . . . . . .   6
   4.  SAML RADIUS Binding . . . . . . . . . . . . . . . . . . . . .   7
     4.1.  Required Information  . . . . . . . . . . . . . . . . . .   7
     4.2.  Operation . . . . . . . . . . . . . . . . . . . . . . . .   7
     4.3.  Processing of names . . . . . . . . . . . . . . . . . . .   9
       4.3.1.  AAA names . . . . . . . . . . . . . . . . . . . . . .   9
       4.3.2.  SAML names  . . . . . . . . . . . . . . . . . . . . .   9
       4.3.3.  Mapping of AAA names in SAML metadata . . . . . . . .  10
       4.3.4.  Example of SAML metadata including AAA names  . . . .  12
     4.4.  Use of XML Signatures . . . . . . . . . . . . . . . . . .  13
     4.5.  Metadata Considerations . . . . . . . . . . . . . . . . .  13
   5.  Network Access Identifier Name Identifier Format  . . . . . .  13
   6.  RADIUS State Confirmation Method Identifiers  . . . . . . . .  13
   7.  ABFAB Authentication Profile  . . . . . . . . . . . . . . . .  14
     7.1.  Required Information  . . . . . . . . . . . . . . . . . .  14