A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for the Security Assertion Markup Language (SAML)
draft-ietf-abfab-aaa-saml-14

[Ballot comment]
Because abfab-arch defines the terms "Client", "Relying Party", and
"Identity Provider", I think abfab-arch should be a normative reference.

-- Section 3 --

  The RADIUS SAML binding defined in Section 4 of this document uses
  two attributes to convey SAML assertions and protocol messages
  respectively [OASIS.saml-core-2.0-os]

Nit: "respectively" is out of place here, and should be removed.  You
would only use "respectively" if you named the two attributes ("...uses
two attributes, SAML-Assertion and SAML-Protocol, to convey SAML
assertions and protocol messages, respectively.").

-- Section 7.3.5 --

  If issued by the Identity Provider, the Relying Party MUST process
  the  message and any enclosed assertion elements as
  described in [OASIS.saml-core-2.0-os]

"If issued" is dangling, and  makes it look like the Relying Party is
issued by the Identity Provider.

NEW
  If a  message is issued by the Identity Provider,
  the Relying Party MUST process that message and any enclosed
  assertion elements as described in [OASIS.saml-core-2.0-os]
END

-- Section 11.2 --
Thank you; this section is well done.

[Ballot discuss]
Regarding Section 4.3.3, do we typically use IETF documents to normatively extend OASIS specs? Wanted to check since we try to keep an eye on this kind of thing when other SDOs extend/alter IETF specs.

And relatedly, the document's intended status is listed in the header as Standards Track but the shepherd write-up says:

"Informational. It could be experimental as well, but since the specification of various SAML constructs lies outside the realm of the IETF and the definition of the 2 RADIUS attributes is not really experimental, informational seems the right classification."

So I'm wondering what is going on with that.

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-abfab-aaa-saml-13.txt. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are three actions which IANA must complete.

First, Radius Attribute Types subregistry of the Radius Types registry located at:

http://www.iana.org/assignments/radius-types/

two new RADIUS attribute types are to be registered from the extended space for value 245 as follows:

Value: 245.[ TBD-at-registration ]
Description: SAML-Assertion
Reference: [ RFC-to-be ]

Value: 245.[ TBD-at-registration ]
Description: SAMLProtocol
Reference: [ RFC-to-be ]

Second, a new registry is to be created called the ABFAB Parameters registry at the top level of the IANA Matrix at:

http://www.iana.org/protocols

Registration in the new registry is through IETF Review or Expert Review as defined in RFC 5226. The new registry has initial registrations as follows:

+-------------------------+-------------------------+
| Parameter | Reference |
+-------------------------+-------------------------+
| bindings:radius | [ RFC-to-be ] Section 4 |
| nameid-format:nai | [ RFC-to-be ] Section 5 |
| profiles:authentication | [ RFC-to-be ] Section 7 |
| profiles:query | [ RFC-to-be ] Section 8 |
| cm:user | [ RFC-to-be ] Section 6 |
| cm:machine | [ RFC-to-be ] Section 6 |
+-------------------------+-------------------------+

Third, in the IETF URN Sub-namespace for Registered Protocol Parameter Identifiers subregistry of the Uniform Resource Name (URN) Namespace for IETF Use registry located at:

http://www.iana.org/assignments/params/

a new URN will be registered as follows:

Registered Parameter Identifier: abfab
Reference: [ RFC-to-be ]
IANA Registry Reference: [ TBD-at-Registration ]

IANA understands that the three actions above are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. 


Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: abfab@ietf.org, abfab-chairs@ietf.org, draft-ietf-abfab-aaa-saml@ietf.org, "Klaas Wierenga" , klaas@cisco.com, stephen.farrell@cs.tcd.ie
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML) to Proposed Standard


The IESG has received a request from the Application Bridging for
Federated Access Beyond web WG (abfab) to consider the following
document:
- 'A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and
  Confirmation Methods for SAML'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-12-28. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes the use of the Security Assertion Mark-up
  Language (SAML) with RADIUS in the context of the ABFAB architecture.
  It defines two RADIUS attributes, a SAML binding, a SAML name
  identifier format, two SAML profiles, and two SAML confirmation
  methods.  The RADIUS attributes permit encapsulation of SAML
  assertions and protocol messages within RADIUS, allowing SAML
  entities to communicate using the binding.  The two profiles describe
  the application of this binding for ABFAB authentication and
  assertion query/request, enabling a Relying Party to request
  authentication of, or assertions for, users or machines (Clients).
  These Clients may be named using a NAI name identifier format.
  Finally, the subject confirmation methods allow requests and queries
  to be issued for a previously authenticated user or machine without
  needing to explicitly identify them as the subject.  The use of the
  artifacts defined in this document is not exclusive to ABFAB.  They
  can be applied in any AAA scenario, such as the network access
  control.

This is a second last call. The previous one was for this as an
informational RFC, but turns out that was an error so this repeats
the last call but for proposed standard.

There is also a normative downref  to RFC6614 which is experimental.

The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-abfab-aaa-saml/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-abfab-aaa-saml/ballot/


No IPR declarations have been submitted directly on this I-D.

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-abfab-aaa-saml-12.txt. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are three actions which IANA must complete.

First, in the Radius Attribute Types subregistry of the Radius Types registry located at:

http://www.iana.org/assignments/radius-types/

two new types are to be registered as follows:

Type Ext. Type Name Length Meaning Reference
----- ----------------------- -------------- ------ ------------------------------- ---------------
245 [ TBD-at-Registration ] SAML-Assertion >=5 Encodes a SAML assertion [ RFC-to-be ]
245 [ TBD-at-Registration ] SAML-Protocol >=5 Encodes a SAML protocol message [ RFC-to-be ]

Second, a new top-level registry is to be created in the IANA Matrix called the ABFAB Parameters registry.

In this new top-level registry a new subregistry is to be created called the ABFAB URN Parameters registry. This new subregistry is managed by IETF Review of Expert Review as defined by RFC 5226.

There are initial registrations in theis new registry as follows:

+-------------------------+--------------------------+
| Parameter | Reference |
+-------------------------+--------------------------+
| bindings:radius | Section 4, [ RFC-to-be ] |
| nameid-format:nai | Section 5, [ RFC-to-be ] |
| profiles:authentication | Section 7, [ RFC-to-be ] |
| profiles:query | Section 8, [ RFC-to-be ] |
| cm:user | Section 6, [ RFC-to-be ] |
| cm:machine | Section 6, [ RFC-to-be ] |
+-------------------------+--------------------------+

Third, in the IETF URN Sub-namespace for Registered Protocol Parameter Identifiers subregistry of the Uniform Resource Name (URN) Namespace for IETF Use registry, a single new identifier is to be registered as follows:

Registered Parameter Identifier: abfab
Reference: [ RFC-to-be ]
IANA Registry Reference: [ TBD-at-Registration ]

IANA understands that these three actions are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. 

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: abfab@ietf.org, abfab-chairs@ietf.org, draft-ietf-abfab-aaa-saml@ietf.org, "Klaas Wierenga" , klaas@cisco.com, stephen.farrell@cs.tcd.ie
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML) to Informational RFC


The IESG has received a request from the Application Bridging for
Federated Access Beyond web WG (abfab) to consider the following
document:
- 'A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and
  Confirmation Methods for SAML'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-12-04. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes the use of the Security Assertion Mark-up
  Language (SAML) with RADIUS in the context of the ABFAB architecture.
  It defines two RADIUS attributes, a SAML binding, a SAML name
  identifier format, two SAML profiles, and two SAML confirmation
  methods.  The RADIUS attributes permit encapsulation of SAML
  assertions and protocol messages within RADIUS, allowing SAML
  entities to communicate using the binding.  The two profiles describe
  the application of this binding for ABFAB authentication and
  assertion query/request, enabling a Relying Party to request
  authentication of, or assertions for, users or machines (Clients).
  These Clients may be named using a NAI name identifier format.
  Finally, the subject confirmation methods allow requests and queries
  to be issued for a previously authenticated user or machine without
  needing to explicitly identify them as the subject.  These artifacts
  have been defined to permit application in AAA scenarios other than
  ABFAB, such as network access.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-abfab-aaa-saml/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-abfab-aaa-saml/ballot/


No IPR declarations have been submitted directly on this I-D.

The reference to RFC3588 should be to 6733. That'll be fixed
later.

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

Informational. It could be experimental as well, but since the specification of various SAML constructs lies outside the realm of the IETF and the definition of the 2 RADIUS attributes is not really experimental, informational seems the right classification. Yes

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

The document describes the use of the Security Assertion Mark-up
  Language (SAML) with RADIUS in the context of the ABFAB architecture.
  It defines two RADIUS attributes, a SAML binding, a SAML name
  identifier format, two SAML profiles, and two SAML confirmation
  methods.  The RADIUS attributes permit encapsulation of SAML
  assertions and protocol messages within RADIUS, allowing SAML
  entities to communicate using the binding.  The two profiles describe
  the application of this binding for ABFAB authentication and
  assertion query/request, enabling a Relying Party to request
  authentication of, or assertions for, users or machines (Clients).
  These Clients may be named using a NAI name identifier format.
  Finally, the subject confirmation methods allow requests and queries
  to be issued for a previously authenticated user or machine without
  needing to explicitly identify them as the subject.  These artifacts
  have been defined to permit application in AAA scenarios other than
  ABFAB, such as network access.

Working Group Summary:

This document had a few false starts before it really got traction. That has resulted in a rather lengthy process to get going. The challenge was getting the right set of experts on RADIUS and SAML together, now consensus is strong that this is the right approach.

Document Quality:

There is as far as I know 1 implementation of the protocol. At this stage there are no indications for wide industry take-up.
Special mention deserves Scott Cantor (editor of the SAML2.0 spec and member of OASIS SSTC) for doing a thorough review and guide the authors on the SAML side.

Personnel:

Document Shepherd: Klaas Wierenga
Responsible Area Director: Stephen Farrell

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

I have reread the latest version of the document, verified that all comments on the list were satisfactory addressed and that the document as a whole was consisten and methodical.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

The depth of the reviews are satisfactory, with Scott Cantor on the SAML aspects, Sam Hartman on GSS and Alan deKok for RADIUS I believe we have excellent reviewers. I would have like a bit more breadth, but have confidence that with the reviews we got the document is sufficiently mature and vetted.

(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

No additional specific review in addition to the ones done is needed.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

None

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

Yes

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

No

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

As usual, there are a few individuals that drive the discussions, but I believe that there is strong consensus that this is the right approach.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

No

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

there are a few too long line warnings and mention that the informational reference for the DIAMETER base protocol points to RFC 3588 that is obsoleted by RFC 6733. Those need to be fixed.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

I am not aware of any formal review criteria that need to be met apart from the IANA registration.

(13) Have all references within this document been identified as either normative or informative?

yes

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

no


(15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

No

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

No

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

I have verified that all IANA registry required elements are being called out and sufficiently described in the IANA section.

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

I don't expect future allocations

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

I have not reviewed in detail the XML code snippets that describe the SAML interactions, but this was performed by Scott Cantor.