Name Attributes for the GSS-API Extensible Authentication Protocol (EAP) Mechanism
RFC 7056
Internet Engineering Task Force (IETF) S. Hartman
Request for Comments: 7056 Painless Security
Category: Standards Track J. Howlett
ISSN: 2070-1721 JANET(UK)
December 2013
Name Attributes for the GSS-API
Extensible Authentication Protocol (EAP) Mechanism
Abstract
The naming extensions to the Generic Security Service Application
Programming Interface (GSS-API) provide a mechanism for applications
to discover authorization and personalization information associated
with GSS-API names. The Extensible Authentication Protocol GSS-API
mechanism allows an Authentication, Authorization, and Accounting
(AAA) peer to provide authorization attributes alongside an
authentication response. It also supplies mechanisms to process
Security Assertion Markup Language (SAML) messages provided in the
AAA response. This document describes how to use the Naming
Extensions API to access that information.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7056.
Hartman & Howlett Standards Track [Page 1]
RFC 7056 GSS EAP Name Attributes December 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
2. Requirements Notation ...........................................3
3. Naming Extensions and SAML ......................................3
4. Federated Context ...............................................4
5. Name Attributes for GSS-EAP .....................................5
6. Names of SAML Attributes in the Federated Context ...............6
6.1. Assertions .................................................6
6.2. SAML Attributes ............................................6
6.3. SAML Name Identifiers ......................................7
7. Security Considerations .........................................8
8. IANA Considerations .............................................8
8.1. Registration of the GSS URN Namespace ......................9
9. Acknowledgements ................................................9
10. References ....................................................10
10.1. Normative References .....................................10
10.2. Informative References ...................................11
1. Introduction
The naming extensions [RFC6680] to the Generic Security Service
Application Programming Interface (GSS-API) [RFC2743] provide a
mechanism for applications to discover authorization and
personalization information associated with GSS-API names. The
Extensible Authentication Protocol GSS-API mechanism [RFC7055] allows
an Authentication, Authorization, and Accounting (AAA) peer to
provide authorization attributes alongside an authentication
response. It also supplies mechanisms to process Security Assertion
Markup Language (SAML) messages provided in the AAA response. Other
mechanisms such as SAML Enhanced Client (EC) [SASL-SAML] also support
SAML assertions and attributes carried in the GSS-API. This document
describes how to use the Naming Extensions API to access that
information.
The semantics of setting attributes defined in this specification are
undefined and left to future work.
2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",