A Simple Authentication and Security Layer (SASL) and GSS-API Mechanism for the Security Assertion Markup Language (SAML)
RFC 6595
Document type: RFC - Proposed Standard (April 2012; no errata)
Last updated: 2015-10-14
Stream: IETF
WG state: WG Document
IESG state: RFC 6595 (Proposed Standard)
Responsible AD: Stephen Farrell
IESG note: The document shepherd for this document is Shawn Emery (shawn.emery@oracle.com).
Internet Engineering Task Force (IETF)                       K. Wierenga
Request for Comments: 6595                           Cisco Systems, Inc.
Category: Standards Track                                        E. Lear
ISSN: 2070-1721                                       Cisco Systems GmbH
                                                            S. Josefsson
                                                                  SJD AB
                                                              April 2012
A Simple Authentication and Security Layer (SASL) and GSS-API Mechanism
for the Security Assertion Markup Language (SAML)
Abstract
The Security Assertion Markup Language (SAML) is widely used on
the Internet for Web Single Sign-On. The Simple Authentication and
Security Layer (SASL) and the Generic Security Service Application
Program Interface (GSS-API) are application frameworks to generalize
authentication. This memo specifies a SASL mechanism and a GSS-API
mechanism for SAML 2.0 that allows the integration of existing SAML
Identity Providers with applications using SASL and GSS-API.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6595.
Wierenga, et al. Standards Track [Page 1]
RFC 6595 A SASL and GSS-API Mechanism for SAML April 2012
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Terminology ................................................4
1.2. Applicability ..............................................4
2. Authentication Flow .............................................5
3. SAML SASL Mechanism Specification ...............................7
3.1. Initial Response ...........................................8
3.2. Authentication Request .....................................8
3.3. Outcome and Parameters .....................................9
4. SAML GSS-API Mechanism Specification ...........................10
4.1. GSS-API Principal Name Types for SAML .....................11
5. Examples .......................................................11
5.1. XMPP ......................................................11
5.2. IMAP ......................................................15
6. Security Considerations ........................................17
6.1. Man-in-the-Middle and Tunneling Attacks ...................17
6.2. Binding SAML Subject Identifiers to Authorization
Identities ................................................17
6.3. User Privacy ..............................................18
6.4. Collusion between RPs .....................................18
6.5. Security Considerations Specific to GSS-API ...............18
7. IANA Considerations ............................................18
7.1. IANA Mech-Profile .........................................18
7.2. IANA OID ..................................................19
8. References .....................................................19
8.1. Normative References ......................................19
8.2. Informative References ....................................21
Appendix A. Acknowledgments .......................................22
1. Introduction
Security Assertion Markup Language (SAML) 2.0 [OASIS-SAMLv2-CORE] is
a set of specifications that provide various means for a user to be
identified to a Relying Party (RP) through the exchange of (typically
signed) assertions issued by an Identity Provider (IdP). It includes
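The mechanism the abstract announces is defined later in the RFC (Section 3, not shown above): the client's initial response is an RFC 5801 GS2 header followed by the domain of the user's IdP, the server's challenge is the URL that sends the user's browser to that IdP with a SAML AuthnRequest, the client answers the challenge with an empty response, and the exchange succeeds only when the assertion reaches the RP out of band, at which point the server must bind the SAML subject to the requested authorization identity (Section 6.2). The Python below is an added example written for this page, not code from the RFC or its authors. It models the server (RP) side of that exchange; the hostnames saml.example.org and rp.example.com, the '/idp/SSO' endpoint path, and the rule that only the subject itself may act as the authzid are assumptions of the example, and assertion signature validation is left out.

```python
import base64
import secrets
import zlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


class SaslError(Exception):
    """The exchange fails (the 'failure' outcome of Section 3.3)."""


def parse_initial_response(raw: str) -> Tuple[str, Optional[str], str]:
    """Split the initial response (Section 3.1), a GS2 header 'cb-flag,[a=authzid],'
    (RFC 5801) followed by the IdP domain, into (cb-flag, authzid or None, domain)."""
    parts = raw.split(",", 2)
    if len(parts) != 3:
        raise SaslError("malformed initial response: need gs2-header and IdP domain")
    cb_flag, authz_field, idp_domain = parts
    if cb_flag not in ("n", "y"):
        # 'p=<name>' requests channel binding; this example implements none.
        raise SaslError(f"unsupported gs2-cb-flag {cb_flag!r}")
    authzid = None
    if authz_field:
        if not authz_field.startswith("a="):
            raise SaslError("malformed gs2-authzid")
        # RFC 5801 escapes ',' as '=2C' and '=' as '=3D' inside the authzid.
        authzid = authz_field[2:].replace("=2C", ",").replace("=3D", "=")
    if not idp_domain or any(c in idp_domain for c in "/?# "):
        raise SaslError("IdP identifier must be a bare domain name")
    return cb_flag, authzid, idp_domain


def build_redirect_url(idp_domain: str, request_id: str,
                       sp_entity_id: str, acs_url: str) -> str:
    """Server challenge (Section 3.2): an HTTP-Redirect-binding URL carrying a
    minimal AuthnRequest. The '/idp/SSO' path is an assumption of this example;
    a real RP takes the IdP's endpoint from its metadata."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>'
    )
    # Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"https://{idp_domain}/idp/SSO?{query}"


def decode_saml_request(url: str) -> str:
    """Inverse of the Redirect-binding encoding, as the IdP applies it."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


@dataclass
class Saml20Session:
    idp_domain: str
    authzid: Optional[str]
    request_id: str
    completed: bool = False
    subject: Optional[str] = None


class Saml20Server:
    """Server (RP) side of one SASL 'SAML20' exchange."""

    def __init__(self, sp_entity_id: str, acs_url: str) -> None:
        self.sp_entity_id = sp_entity_id
        self.acs_url = acs_url
        self.pending: Dict[str, Saml20Session] = {}

    def start(self, initial_response: str) -> Tuple[Saml20Session, str]:
        """Consume the initial response; return the session and the challenge."""
        _, authzid, idp_domain = parse_initial_response(initial_response)
        request_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
        session = Saml20Session(idp_domain, authzid, request_id)
        self.pending[request_id] = session
        return session, build_redirect_url(idp_domain, request_id,
                                           self.sp_entity_id, self.acs_url)

    def deliver_assertion(self, in_response_to: str, subject: str,
                          issuer_domain: str) -> Saml20Session:
        """Complete the exchange once the assertion consumer service holds a
        signature-validated assertion (validation is out of scope here) and
        the Section 6.2 subject-to-authzid binding holds."""
        session = self.pending.pop(in_response_to, None)
        if session is None:
            raise SaslError("assertion does not answer an outstanding request")
        if issuer_domain != session.idp_domain:
            raise SaslError("assertion comes from an IdP other than the one named")
        if session.authzid is not None and session.authzid != subject:
            raise SaslError("SAML subject may not act as the requested authzid")
        session.subject = subject
        session.completed = True
        return session
```

The client's reply to the challenge carries no data, so the model has no method for it; everything between `start()` and `deliver_assertion()` happens in the user's browser. The assertion checks a real RP performs before calling `deliver_assertion()` (XML signature over the assertion, Issuer against trusted metadata, InResponseTo, Audience, NotBefore/NotOnOrAfter) are where deployments of this mechanism are attacked, and the mismatch between the IdP the client named and the IdP that issued the assertion is kept as an explicit failure rather than silently accepted.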