A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for the Security Assertion Markup Language (SAML)
RFC 7833
Document Type RFC - Proposed Standard (May 2016; No errata)
Last updated 2016-05-11
Stream IETF
Formats plain text pdf html bibtex
Reviews
GENART Last Call Review (of -13): Ready
SECDIR Last Call Review (of -12): Has Issues
GENART Last Call Review (of -12): Almost Ready
Stream WG state Submitted to IESG for Publication (wg milestone: Oct 2010 - Submit Internet draf... )
Document shepherd Klaas Wierenga
Shepherd write-up Show (last changed 2015-11-04)
IESG IESG state RFC 7833 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Stephen Farrell
Send notices to "Klaas Wierenga" <klaas@cisco.com>
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Email authors Email WG IPR References Referenced by Nits 
Internet Engineering Task Force (IETF)                        J. Howlett
Request for Comments: 7833                                          Jisc
Category: Standards Track                                     S. Hartman
ISSN: 2070-1721                                        Painless Security
                                                    A. Perez-Mendez, Ed.
                                                    University of Murcia
                                                                May 2016

   A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and
 Confirmation Methods for the Security Assertion Markup Language (SAML)

Abstract

   This document describes the use of the Security Assertion Markup
   Language (SAML) with RADIUS in the context of the Application
   Bridging for Federated Access Beyond web (ABFAB) architecture.  It
   defines two RADIUS attributes, a SAML binding, a SAML name identifier
   format, two SAML profiles, and two SAML confirmation methods.  The
   RADIUS attributes permit encapsulation of SAML Assertions and
   protocol messages within RADIUS, allowing SAML entities to
   communicate using the binding.  The two profiles describe the
   application of this binding for ABFAB authentication and assertion
   Query/Request, enabling a Relying Party to request authentication of,
   or assertions for, users or machines (clients).  These clients may be
   named using a Network Access Identifier (NAI) name identifier format.
   Finally, the subject confirmation methods allow requests and queries
   to be issued for a previously authenticated user or machine without
   needing to explicitly identify them as the subject.  The use of the
   artifacts defined in this document is not exclusive to ABFAB.  They
   can be applied in any Authentication, Authorization, and Accounting
   (AAA) scenario, such as network access control.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7833.

Howlett, et al.              Standards Track                    [Page 1]
RFC 7833                       SAML RADIUS                      May 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
      1.1. Terminology ................................................5
   2. Conventions .....................................................5
   3. RADIUS SAML Attributes ..........................................5
      3.1. SAML-Assertion Attribute ...................................6
      3.2. SAML-Protocol Attribute ....................................7
   4. SAML RADIUS Binding .............................................8
      4.1. Required Information .......................................8
      4.2. Operation ..................................................8
      4.3. Processing of Names ........................................9
           4.3.1. AAA Names ..........................................10
           4.3.2. SAML Names .........................................10
           4.3.3. Mapping of AAA Names in SAML Metadata ..............11
           4.3.4. Example of SAML Metadata That Includes AAA Names ...13
      4.4. Use of XML Signatures .....................................14
      4.5. Metadata Considerations ...................................14
   5. Network Access Identifier Name Identifier Format ...............14
   6. RADIUS State Confirmation Method Identifiers ...................15
   7. ABFAB Authentication Profile ...................................15
      7.1. Required Information ......................................15
      7.2. Profile Overview ..........................................16
      7.3. Profile Description .......................................18
           7.3.1. Client Request to Relying Party ....................18
Show full document text
ISOC IETF Trust RFC Editor IRTF IESG IETF IAB IASA & IAOC IETF Tools IANA