| draft-ietf-oauth-saml2-bearer-05.txt | draft-ietf-oauth-saml2-bearer-06.txt | |||
|---|---|---|---|---|
| B. Campbell, Ed. | B. Campbell, Ed. | |||
| Internet-Draft Ping Identity Corp. | Internet-Draft Ping Identity Corp. | |||
| Intended status: Standards Track C. Mortimore | Intended status: Standards Track C. Mortimore | |||
| Expires: February 2, 2012 Salesforce.com | Expires: February 2, 2012 Salesforce.com | |||
| Aug 2011 | Aug 2011 | |||
| SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 | SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 | |||
| draft-ietf-oauth-saml2-bearer-05 | draft-ietf-oauth-saml2-bearer-06 | |||
| Abstract | Abstract | |||
| This specification defines the use of a SAML 2.0 Bearer Assertion as | This specification defines the use of a SAML 2.0 Bearer Assertion as | |||
| means for requesting an OAuth 2.0 access token as well as for use as | means for requesting an OAuth 2.0 access token as well as for use as | |||
| a means of client authentication. | a means of client authentication. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 2, line 18 | skipping to change at page 2, line 18 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 | |||
| 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | |||
| 2.1. Using SAML Assertions as Authorization Grants . . . . . . 4 | 2.1. Using SAML Assertions as Authorization Grants . . . . . . 4 | |||
| 2.2. Using SAML Assertions for Client Authentication . . . . . 4 | 2.2. Using SAML Assertions for Client Authentication . . . . . 4 | |||
| 3. Assertion Format and Processing Requirements . . . . . . . . . 5 | 3. Assertion Format and Processing Requirements . . . . . . . . . 5 | |||
| 3.1. Authorization Grant Processing . . . . . . . . . . . . . . 7 | 3.1. Authorization Grant Processing . . . . . . . . . . . . . . 7 | |||
| 3.2. Client Authentication Processing . . . . . . . . . . . . . 8 | 3.2. Client Authentication Processing . . . . . . . . . . . . . 8 | |||
| 4. Authorization Grant Example (non-normative) . . . . . . . . . 8 | 4. Authorization Grant Example (non-normative) . . . . . . . . . 8 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6.1. Sub-Namspace Registration of | 6.1. Sub-Namespace Registration of | |||
| urn:ietf:params:oauth:grant-type:saml2-bearer . . . . . . 10 | urn:ietf:params:oauth:grant-type:saml2-bearer . . . . . . 10 | |||
| 6.2. Sub-Namspace Registration of | 6.2. Sub-Namespace Registration of | |||
| urn:ietf:params:oauth:client-assertion-type:saml2-bearer . 10 | urn:ietf:params:oauth:client-assertion-type:saml2-bearer . 10 | |||
| Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 11 | Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 11 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 11 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 15 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| skipping to change at page 7, line 8 | skipping to change at page 7, line 8 | |||
| Assertion can be delivered. Verification of the Address is at | Assertion can be delivered. Verification of the Address is at | |||
| the discretion of the authorization server. | the discretion of the authorization server. | |||
| o If the Assertion issuer authenticated the subject, the Assertion | o If the Assertion issuer authenticated the subject, the Assertion | |||
| SHOULD contain a single <AuthnStatement> representing that | SHOULD contain a single <AuthnStatement> representing that | |||
| authentication event. | authentication event. | |||
| o If the Assertion was issued with the intention that the presenter | o If the Assertion was issued with the intention that the presenter | |||
| act autonomously on behalf of the subject, an <AuthnStatement> | act autonomously on behalf of the subject, an <AuthnStatement> | |||
| SHOULD NOT be included. The presenter SHOULD be identified in the | SHOULD NOT be included. The presenter SHOULD be identified in the | |||
| <NamseID> or similar element, the <SubjectConfirmation> element, | <NameID> or similar element, the <SubjectConfirmation> element, or | |||
| or by other available means like [OASIS.saml-deleg-cs]. | by other available means like [OASIS.saml-deleg-cs]. | |||
| o Other statements, in particular <AttributeStatement> elements, MAY | o Other statements, in particular <AttributeStatement> elements, MAY | |||
| be included in the Assertion. | be included in the Assertion. | |||
| o The Assertion MUST be digitally signed by the issuer and the | o The Assertion MUST be digitally signed by the issuer and the | |||
| authorization server MUST verify the signature. | authorization server MUST verify the signature. | |||
| o Encrypted elements MAY appear in place of their plain text | o Encrypted elements MAY appear in place of their plain text | |||
| counterparts as defined in [OASIS.saml-core-2.0-os]. | counterparts as defined in [OASIS.saml-core-2.0-os]. | |||
| skipping to change at page 10, line 28 | skipping to change at page 10, line 28 | |||
| 5. Security Considerations | 5. Security Considerations | |||
| No additional considerations beyond those described within the OAuth | No additional considerations beyond those described within the OAuth | |||
| 2.0 Protocol Framework [I-D.ietf.oauth-v2] and in the Security and | 2.0 Protocol Framework [I-D.ietf.oauth-v2] and in the Security and | |||
| Privacy Considerations for the OASIS Security Assertion Markup | Privacy Considerations for the OASIS Security Assertion Markup | |||
| Language (SAML) V2.0 [OASIS.saml-sec-consider-2.0-os]. | Language (SAML) V2.0 [OASIS.saml-sec-consider-2.0-os]. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| 6.1. Sub-Namspace Registration of | 6.1. Sub-Namespace Registration of | |||
| urn:ietf:params:oauth:grant-type:saml2-bearer | urn:ietf:params:oauth:grant-type:saml2-bearer | |||
| This is a request to IANA to please register the value grant- | This is a request to IANA to please register the value grant- | |||
| type:saml2-bearer in the registry urn:ietf:params:oauth established | type:saml2-bearer in the registry urn:ietf:params:oauth established | |||
| in [I-D.ietf.oauth-urn-sub-ns] | in [I-D.ietf.oauth-urn-sub-ns] | |||
| o URN: urn:ietf:params:oauth:grant-type:saml2-bearer | o URN: urn:ietf:params:oauth:grant-type:saml2-bearer | |||
| o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for | o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for | |||
| OAuth 2.0 | OAuth 2.0 | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Description: [[this document]] | o Description: [[this document]] | |||
| 6.2. Sub-Namspace Registration of | 6.2. Sub-Namespace Registration of | |||
| urn:ietf:params:oauth:client-assertion-type:saml2-bearer | urn:ietf:params:oauth:client-assertion-type:saml2-bearer | |||
| This is a request to IANA to please register the value client- | This is a request to IANA to please register the value client- | |||
| assertion-type:saml2-bearer in the registry urn:ietf:params:oauth | assertion-type:saml2-bearer in the registry urn:ietf:params:oauth | |||
| established in [I-D.ietf.oauth-urn-sub-ns] | established in [I-D.ietf.oauth-urn-sub-ns] | |||
| o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer | o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer | |||
| o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0 | o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0 | |||
| Client Authentication | Client Authentication | |||
| skipping to change at page 11, line 25 | skipping to change at page 11, line 25 | |||
| The following people contributed wording and concepts to this | The following people contributed wording and concepts to this | |||
| document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | |||
| Hammer-Lahav, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | Hammer-Lahav, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | |||
| Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael | Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael | |||
| Jones, Hannes Tschofenig and David Waite. | Jones, Hannes Tschofenig and David Waite. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| draft-ietf-oauth-saml2-bearer-06 | ||||
| o Fix three typos NamseID->NameID and (2x) Namspace->Namespace | ||||
| draft-ietf-oauth-saml2-bearer-05 | draft-ietf-oauth-saml2-bearer-05 | |||
| o Allow for subject confirmation data to be optional when Conditions | o Allow for subject confirmation data to be optional when Conditions | |||
| contain audience and NotOnOrAfter | contain audience and NotOnOrAfter | |||
| o Rework most of the spec to profile draft-ietf-oauth-assertions for | o Rework most of the spec to profile draft-ietf-oauth-assertions for | |||
| both authn and authz including (but not limited to): | both authn and authz including (but not limited to): | |||
| * remove requirement for issuer to be | * remove requirement for issuer to be | |||
| urn:oasis:names:tc:SAML:2.0:nameid-format:entity | urn:oasis:names:tc:SAML:2.0:nameid-format:entity | |||
| skipping to change at page 15, line 24 | skipping to change at page 15, line 28 | |||
| Security Assertion Markup Language (SAML) V2.0", OASIS | Security Assertion Markup Language (SAML) V2.0", OASIS | |||
| Standard OASIS.saml-profiles-2.0-os, March 2005. | Standard OASIS.saml-profiles-2.0-os, March 2005. | |||
| [OASIS.saml-sec-consider-2.0-os] | [OASIS.saml-sec-consider-2.0-os] | |||
| Hirsch, F., Philpott, R., and E. Maler, "Security and | Hirsch, F., Philpott, R., and E. Maler, "Security and | |||
| Privacy Considerations for the OASIS Security Markup | Privacy Considerations for the OASIS Security Markup | |||
| Language (SAML) V2.0", OASIS Standard saml-sec-consider- | Language (SAML) V2.0", OASIS Standard saml-sec-consider- | |||
| 2.0-os, March 2005. | 2.0-os, March 2005. | |||
| [W3C.REC-html401-19991224] | [W3C.REC-html401-19991224] | |||
| Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01 | Hors, A., Jacobs, I., and D. Raggett, "HTML 4.01 | |||
| Specification", World Wide Web Consortium | Specification", World Wide Web Consortium | |||
| Recommendation REC-html401-19991224, December 1999, | Recommendation REC-html401-19991224, December 1999, | |||
| <http://www.w3.org/TR/1999/REC-html401-19991224>. | <http://www.w3.org/TR/1999/REC-html401-19991224>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Brian Campbell (editor) | Brian Campbell (editor) | |||
| Ping Identity Corp. | Ping Identity Corp. | |||
| Email: brian.d.campbell@gmail.com | Email: brian.d.campbell@gmail.com | |||
| End of changes. 8 change blocks. | ||||
| 8 lines changed or deleted | 12 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||