
A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML
draft-ietf-abfab-aaa-saml-10

Document type: Active Internet-Draft (abfab WG)
Document stream: IETF
Last updated: 2015-02-06
Intended RFC status: Unknown

IETF State: WG Document Oct 2010
Document shepherd: No shepherd assigned

IESG State: I-D Exists
Responsible AD: (None)
Send notices to: No addresses provided

ABFAB                                                         J. Howlett
Internet-Draft                                                     Janet
Intended status: Informational                                S. Hartman
Expires: August 9, 2015                                Painless Security
                                                    A. Perez-Mendez, Ed.
                                                    University of Murcia
                                                        February 5, 2015

   A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and
                     Confirmation Methods for SAML
                      draft-ietf-abfab-aaa-saml-10

Abstract

   This document describes the use of the Security Assertion Markup
   Language (SAML) with RADIUS in the context of the ABFAB architecture.
   It defines two RADIUS attributes, a SAML binding, a SAML name
   identifier format, two SAML profiles, and two SAML confirmation
   methods.  The RADIUS attributes permit encapsulation of SAML
   assertions and protocol messages within RADIUS, allowing SAML
   entities to communicate using the binding.  The two profiles describe
   the application of this binding for ABFAB authentication and
   assertion query/request, enabling a Relying Party to request
   authentication of, or assertions for, users or machines (Clients).
   These Clients may be named using a NAI name identifier format.
   Finally, the subject confirmation methods allow requests and queries
   to be issued for a previously authenticated user or machine without
   needing to explicitly identify them as the subject.  These artifacts
   have been defined to permit application in AAA scenarios other than
   ABFAB, such as network access.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 9, 2015.

Howlett, et al.          Expires August 9, 2015                 [Page 1]
Internet-Draft                 SAML RADIUS                 February 2015

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  RADIUS SAML Attributes  . . . . . . . . . . . . . . . . . . .   4
     3.1.  SAML-Assertion attribute  . . . . . . . . . . . . . . . .   5
     3.2.  SAML-Message attribute  . . . . . . . . . . . . . . . . .   5
   4.  SAML RADIUS Binding . . . . . . . . . . . . . . . . . . . . .   6
     4.1.  Required Information  . . . . . . . . . . . . . . . . . .   6
     4.2.  Operation . . . . . . . . . . . . . . . . . . . . . . . .   7
     4.3.  Processing of names . . . . . . . . . . . . . . . . . . .   8
       4.3.1.  AAA names . . . . . . . . . . . . . . . . . . . . . .   8
       4.3.2.  SAML names  . . . . . . . . . . . . . . . . . . . . .   8
       4.3.3.  Use of XML Signatures . . . . . . . . . . . . . . . .   9
       4.3.4.  Metadata Considerations . . . . . . . . . . . . . . .   9
   5.  Network Access Identifier Name Identifier Format  . . . . . .  10
   6.  ABFAB Authentication Profile  . . . . . . . . . . . . . . . .  10
     6.1.  Required Information  . . . . . . . . . . . . . . . . . .  10
     6.2.  Profile Overview  . . . . . . . . . . . . . . . . . . . .  10
     6.3.  Profile Description . . . . . . . . . . . . . . . . . . .  12
       6.3.1.  Client Request to Relying Party . . . . . . . . . . .  12
       6.3.2.  Relying Party Issues <samlp:AuthnRequest> to Identity
               Provider  . . . . . . . . . . . . . . . . . . . . . .  13
