
draft-ietf-abfab-aaa-saml

draft-ietf-abfab-aaa-saml. Josh Howlett, JANET, IETF 82. Abfab Authentication Profile and Abfab Assertion Request Profile; SAML RADIUS binding and SAML RADIUS attribute. In SAML, bindings typically use HTTP or SOAP transport; ABFAB is defining a RADIUS binding.



Presentation Transcript


  1. draft-ietf-abfab-aaa-saml
     Josh Howlett, JANET
     IETF 82

  2. Abfab Authentication Profile & Abfab Assertion Request Profile
     SAML RADIUS binding & SAML RADIUS attribute
     • In SAML, bindings typically use HTTP or SOAP transport.
     • ABFAB is defining a RADIUS binding.

  3. SAML RADIUS Attribute

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |  SAML Message...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  4. SAML RADIUS Binding
     • SAML requester is RADIUS client / RP
     • SAML responder is RADIUS server / IdP
     • SAML protocol message is encapsulated within (and fragmented across multiple instances of) the SAML RADIUS attribute
     • NAI is used to route RADIUS messages from the SAML requester towards the SAML responder
     • Attribute is currently defined independently of the Binding, to facilitate use in other contexts. Is that actually useful, or a complication?

  5. Abfab Authentication Profile
     • A profile of the SAML Authentication Request Protocol that uses the SAML RADIUS binding

  6. Abfab Assertion Request Profile
     • TODO
     • Intend to specify a profile of the SAML "Assertion Query and Request Protocol" using the SAML RADIUS binding
     • Requirements
       • Request assertion from authentication IdP, after authentication
       • Request assertions from other attribute sources

  7. Issue: document name
     • Name includes "aaa", but only discusses RADIUS
     • Currently named "A RADIUS Attribute, Binding and Profiles for SAML"
     • Sufficient?

  8. Issue: signatures
     • Use of SAML signatures
     • Profile (but not binding) currently prohibits use of SAML signatures
       • Encourage use of transport integrity protection, reducing deployment complexity
       • Reduce size of SAML messages
       • Limited support
     • Proposal: require NASes to default NOT to check signatures, and indicate that signatures are not required

  9. Issue: SAML payload size
     • RADIUS message MTU of 4kb, but SAML messages can be arbitrarily large
     • Option 1: Do nothing
     • Option 2: If >4kb, advise deployments to use Diameter
     • Option 3: Use a SAML SOAP-based transaction to request attributes or resolve an artifact
     • Option 4: Develop a RADIUS-based mechanism to fragment large payloads over multiple RADIUS messages
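The encapsulation on slide 4 (a SAML message fragmented across several instances of the SAML RADIUS attribute) and the size limit on slide 9 can be made concrete with a small encoder, reassembler and packet-size check. This is an added example, not code from the draft or the slides; the attribute Type value and the sample SAML message are constructed placeholders, and the 253-octet per-attribute limit and 4096-octet packet limit come from RFC 2865.

```python
import struct
from typing import List

# Placeholder: the draft assigns a RADIUS attribute type for the SAML attribute,
# but the deck does not give the number, so this value is constructed.
SAML_ATTR_TYPE = 250

# RFC 2865: an attribute is Type(1) + Length(1) + Value, with Length <= 255,
# so one attribute instance carries at most 253 octets of SAML message.
MAX_ATTR_VALUE = 253
# RFC 2865 maximum RADIUS packet length, the "4kb MTU" on slide 9.
MAX_RADIUS_PACKET = 4096
RADIUS_HEADER_LEN = 20  # Code, Identifier, Length, Authenticator

# Constructed sample: a minimal SAML AuthnRequest, not taken from the draft.
SAMPLE_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0" IssueInstant="2011-11-14T00:00:00Z"/>'
)


def encapsulate(saml_message: bytes, attr_type: int = SAML_ATTR_TYPE) -> List[bytes]:
    """Split a SAML protocol message across consecutive SAML RADIUS attributes."""
    attrs = []
    for off in range(0, len(saml_message), MAX_ATTR_VALUE):
        chunk = saml_message[off:off + MAX_ATTR_VALUE]
        attrs.append(struct.pack("!BB", attr_type, 2 + len(chunk)) + chunk)
    return attrs


def reassemble(attrs: List[bytes], attr_type: int = SAML_ATTR_TYPE) -> bytes:
    """Concatenate the values of the SAML RADIUS attributes, in packet order."""
    out = bytearray()
    for a in attrs:
        if len(a) < 2:
            raise ValueError("truncated RADIUS attribute")
        t, length = struct.unpack("!BB", a[:2])
        # Reject attributes of the wrong type or whose Length disagrees with the data.
        if t != attr_type or length != len(a):
            raise ValueError("malformed SAML RADIUS attribute")
        out += a[2:length]
    return bytes(out)


def fits_in_radius_packet(attrs: List[bytes], other_attrs_len: int = 0) -> bool:
    """True if header + other attributes + SAML attributes fit one RADIUS packet."""
    total = RADIUS_HEADER_LEN + other_attrs_len + sum(len(a) for a in attrs)
    return total <= MAX_RADIUS_PACKET
```

A message that does not pass `fits_in_radius_packet` is exactly the case slide 9's options 2 to 4 are about: the attribute-level fragmentation alone cannot rescue it.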

  10. Todo
     • Fix various nits
     • Define attribute request profile
