| draft-ietf-oauth-saml2-bearer-23.txt | rfc7522.txt | |||
|---|---|---|---|---|
| OAuth Working Group B. Campbell | Internet Engineering Task Force (IETF) B. Campbell | |||
| Internet-Draft Ping Identity | Request for Comments: 7522 Ping Identity | |||
| Intended status: Standards Track C. Mortimore | Category: Standards Track C. Mortimore | |||
| Expires: May 16, 2015 Salesforce | ISSN: 2070-1721 Salesforce | |||
| M. Jones | M. Jones | |||
| Microsoft | Microsoft | |||
| November 12, 2014 | May 2015 | |||
| SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization | Security Assertion Markup Language (SAML) 2.0 Profile | |||
| Grants | for OAuth 2.0 Client Authentication and Authorization Grants | |||
| draft-ietf-oauth-saml2-bearer-23 | ||||
| Abstract | Abstract | |||
| This specification defines the use of a Security Assertion Markup | This specification defines the use of a Security Assertion Markup | |||
| Language (SAML) 2.0 Bearer Assertion as a means for requesting an | Language (SAML) 2.0 Bearer Assertion as a means for requesting an | |||
| OAuth 2.0 access token as well as for use as a means of client | OAuth 2.0 access token as well as for client authentication. | |||
| authentication. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 5741. | ||||
| This Internet-Draft will expire on May 16, 2015. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| http://www.rfc-editor.org/info/rfc7522. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 24 | skipping to change at page 2, line 21 | |||
| 2.1. Using SAML Assertions as Authorization Grants . . . . . . 4 | 2.1. Using SAML Assertions as Authorization Grants . . . . . . 4 | |||
| 2.2. Using SAML Assertions for Client Authentication . . . . . 5 | 2.2. Using SAML Assertions for Client Authentication . . . . . 5 | |||
| 3. Assertion Format and Processing Requirements . . . . . . . . 6 | 3. Assertion Format and Processing Requirements . . . . . . . . 6 | |||
| 3.1. Authorization Grant Processing . . . . . . . . . . . . . 8 | 3.1. Authorization Grant Processing . . . . . . . . . . . . . 8 | |||
| 3.2. Client Authentication Processing . . . . . . . . . . . . 9 | 3.2. Client Authentication Processing . . . . . . . . . . . . 9 | |||
| 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 9 | 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 9 | |||
| 5. Interoperability Considerations . . . . . . . . . . . . . . . 11 | 5. Interoperability Considerations . . . . . . . . . . . . . . . 11 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8.1. Sub-Namespace Registration of urn:ietf:params:oauth | 8.1. Sub-Namespace Registration of | |||
| :grant-type:saml2-bearer . . . . . . . . . . . . . . . . 12 | urn:ietf:params:oauth:grant-type:saml2-bearer . . . . . . 12 | |||
| 8.2. Sub-Namespace Registration of urn:ietf:params:oauth | 8.2. Sub-Namespace Registration of | |||
| :client-assertion-type:saml2-bearer . . . . . . . . . . . 12 | urn:ietf:params:oauth:client-assertion-type:saml2-bearer 13 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 14 | 9.2. Informative References . . . . . . . . . . . . . . . . . 14 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 14 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 | ||||
| 1. Introduction | 1. Introduction | |||
| The Security Assertion Markup Language (SAML) 2.0 | The Security Assertion Markup Language (SAML) 2.0 | |||
| [OASIS.saml-core-2.0-os] is an XML-based framework that allows | [OASIS.saml-core-2.0-os] is an XML-based framework that allows | |||
| identity and security information to be shared across security | identity and security information to be shared across security | |||
| domains. The SAML specification, while primarily targeted at | domains. The SAML specification, while primarily targeted at | |||
| providing cross domain Web browser single sign-on, was also designed | providing cross domain Web browser single sign-on (SSO), was also | |||
| to be modular and extensible to facilitate use in other contexts. | designed to be modular and extensible to facilitate use in other | |||
| contexts. | ||||
| The Assertion, an XML security token, is a fundamental construct of | The Assertion, an XML security token, is a fundamental construct of | |||
| SAML that is often adopted for use in other protocols and | SAML that is often adopted for use in other protocols and | |||
| specifications. (Some examples include [OASIS.WSS-SAMLTokenProfile] | specifications. (Some examples include [OASIS.WSS-SAMLTokenProfile] | |||
| and [OASIS.WS-Fed].) An Assertion is generally issued by an identity | and [OASIS.WS-Fed].) An Assertion is generally issued by an Identity | |||
| provider and consumed by a service provider who relies on its content | Provider and consumed by a Service Provider that relies on its | |||
| to identify the Assertion's subject for security related purposes. | content to identify the Assertion's subject for security-related | |||
| purposes. | ||||
| The OAuth 2.0 Authorization Framework [RFC6749] provides a method for | The OAuth 2.0 Authorization Framework [RFC6749] provides a method for | |||
| making authenticated HTTP requests to a resource using an access | making authenticated HTTP requests to a resource using an access | |||
| token. Access tokens are issued to third-party clients by an | token. Access tokens are issued to third-party clients by an | |||
| authorization server (AS) with the (sometimes implicit) approval of | authorization server (AS) with the (sometimes implicit) approval of | |||
| the resource owner. In OAuth, an authorization grant is an abstract | the resource owner. In OAuth, an authorization grant is an abstract | |||
| term used to describe intermediate credentials that represent the | term used to describe intermediate credentials that represent the | |||
| resource owner authorization. An authorization grant is used by the | resource owner authorization. An authorization grant is used by the | |||
| client to obtain an access token. Several authorization grant types | client to obtain an access token. Several authorization grant types | |||
| are defined to support a wide range of client types and user | are defined to support a wide range of client types and user | |||
| experiences. OAuth also allows for the definition of new extension | experiences. OAuth also allows for the definition of new extension | |||
| grant types to support additional clients or to provide a bridge | grant types to support additional clients or to provide a bridge | |||
| between OAuth and other trust frameworks. Finally, OAuth allows the | between OAuth and other trust frameworks. Finally, OAuth allows the | |||
| definition of additional authentication mechanisms to be used by | definition of additional authentication mechanisms to be used by | |||
| clients when interacting with the authorization server. | clients when interacting with the authorization server. | |||
| The Assertion Framework for OAuth 2.0 Client Authentication and | "Assertion Framework for OAuth 2.0 Client Authentication and | |||
| Authorization Grants [I-D.ietf-oauth-assertions] specification is an | Authorization Grants" [RFC7521] is an abstract extension to OAuth 2.0 | |||
| abstract extension to OAuth 2.0 that provides a general framework for | that provides a general framework for the use of assertions as client | |||
| the use of Assertions as client credentials and/or authorization | credentials and/or authorization grants with OAuth 2.0. This | |||
| grants with OAuth 2.0. This specification profiles the Assertion | specification profiles the OAuth Assertion Framework [RFC7521] to | |||
| Framework for OAuth 2.0 Client Authentication and Authorization | define an extension grant type that uses a SAML 2.0 Bearer Assertion | |||
| Grants [I-D.ietf-oauth-assertions] specification to define an | to request an OAuth 2.0 access token as well as for use as client | |||
| extension grant type that uses a SAML 2.0 Bearer Assertion to request | credentials. The format and processing rules for the SAML Assertion | |||
| an OAuth 2.0 access token as well as for use as client credentials. | defined in this specification are intentionally similar, though not | |||
| The format and processing rules for the SAML Assertion defined in | identical, to those in the Web Browser SSO profile defined in the | |||
| this specification are intentionally similar, though not identical, | SAML Profiles [OASIS.saml-profiles-2.0-os] specification. This | |||
| to those in the Web Browser SSO Profile defined in the SAML Profiles | specification is reusing, to the extent reasonable, concepts and | |||
| [OASIS.saml-profiles-2.0-os] specification. This specification is | patterns from that well-established profile. | |||
| reusing, to the extent reasonable, concepts and patterns from that | ||||
| well-established Profile. | ||||
| This document defines how a SAML Assertion can be used to request an | This document defines how a SAML Assertion can be used to request an | |||
| access token when a client wishes to utilize an existing trust | access token when a client wishes to utilize an existing trust | |||
| relationship, expressed through the semantics of (and digital | relationship, expressed through the semantics of the SAML Assertion, | |||
| signature or keyed message digest calculated over) the SAML | without a direct user approval step at the authorization server. It | |||
| Assertion, without a direct user approval step at the authorization | also defines how a SAML Assertion can be used as a client | |||
| server. It also defines how a SAML Assertion can be used as a client | ||||
| authentication mechanism. The use of an Assertion for client | authentication mechanism. The use of an Assertion for client | |||
| authentication is orthogonal to and separable from using an Assertion | authentication is orthogonal to and separable from using an Assertion | |||
| as an authorization grant. They can be used either in combination or | as an authorization grant. They can be used either in combination or | |||
| separately. Client assertion authentication is nothing more than an | separately. Client assertion authentication is nothing more than an | |||
| alternative way for a client to authenticate to the token endpoint | alternative way for a client to authenticate to the token endpoint, | |||
| and must be used in conjunction with some grant type to form a | and it must be used in conjunction with some grant type to form a | |||
| complete and meaningful protocol request. Assertion authorization | complete and meaningful protocol request. Assertion authorization | |||
| grants may be used with or without client authentication or | grants may be used with or without client authentication or | |||
| identification. Whether or not client authentication is needed in | identification. Whether or not client authentication is needed in | |||
| conjunction with an assertion authorization grant, as well as the | conjunction with an assertion authorization grant, as well as the | |||
| supported types of client authentication, are policy decisions at the | supported types of client authentication, are policy decisions at the | |||
| discretion of the authorization server. | discretion of the authorization server. | |||
| The process by which the client obtains the SAML Assertion, prior to | The process by which the client obtains the SAML Assertion, prior to | |||
| exchanging it with the authorization server or using it for client | exchanging it with the authorization server or using it for client | |||
| authentication, is out of scope. | authentication, is out of scope. | |||
| skipping to change at page 4, line 22 | skipping to change at page 4, line 16 | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| Unless otherwise noted, all the protocol parameter names and values | Unless otherwise noted, all the protocol parameter names and values | |||
| are case sensitive. | are case sensitive. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| All terms are as defined in The OAuth 2.0 Authorization Framework | All terms are as defined in the following specifications: "The OAuth | |||
| [RFC6749], the Assertion Framework for OAuth 2.0 Client | 2.0 Authorization Framework" [RFC6749], the OAuth Assertion Framework | |||
| Authentication and Authorization Grants [I-D.ietf-oauth-assertions], | [RFC7521], and "Assertions and Protocols for the OASIS Security | |||
| and the Security Assertion Markup Language (SAML) 2.0 | Assertion Markup Language (SAML) V2.0" [OASIS.saml-core-2.0-os]. | |||
| [OASIS.saml-core-2.0-os] specifications. | ||||
| 2. HTTP Parameter Bindings for Transporting Assertions | 2. HTTP Parameter Bindings for Transporting Assertions | |||
| The Assertion Framework for OAuth 2.0 Client Authentication and | The OAuth Assertion Framework [RFC7521] defines generic HTTP | |||
| Authorization Grants [I-D.ietf-oauth-assertions] specification | parameters for transporting assertions during interactions with a | |||
| defines generic HTTP parameters for transporting Assertions during | token endpoint. This section defines specific parameters and | |||
| interactions with a token endpoint. This section defines specific | treatments of those parameters for use with SAML 2.0 Bearer | |||
| parameters and treatments of those parameters for use with SAML 2.0 | Assertions. | |||
| Bearer Assertions. | ||||
| 2.1. Using SAML Assertions as Authorization Grants | 2.1. Using SAML Assertions as Authorization Grants | |||
| To use a SAML Bearer Assertion as an authorization grant, the client | To use a SAML Bearer Assertion as an authorization grant, the client | |||
| uses an access token request as defined in Section 4 of the Assertion | uses an access token request as defined in Section 4 of the OAuth | |||
| Framework for OAuth 2.0 Client Authentication and Authorization | Assertion Framework [RFC7521] with the following specific parameter | |||
| Grants [I-D.ietf-oauth-assertions] specification with the following | values and encodings. | |||
| specific parameter values and encodings. | ||||
| The value of the "grant_type" parameter is | The value of the "grant_type" parameter is | |||
| "urn:ietf:params:oauth:grant-type:saml2-bearer". | "urn:ietf:params:oauth:grant-type:saml2-bearer". | |||
| The value of the "assertion" parameter contains a single SAML 2.0 | The value of the "assertion" parameter contains a single SAML 2.0 | |||
| Assertion. It MUST NOT contain more than one SAML 2.0 assertion. | Assertion. It MUST NOT contain more than one SAML 2.0 Assertion. | |||
| The SAML Assertion XML data MUST be encoded using base64url, where | The SAML Assertion XML data MUST be encoded using base64url, where | |||
| the encoding adheres to the definition in Section 5 of RFC 4648 | the encoding adheres to the definition in Section 5 of RFC 4648 | |||
| [RFC4648] and where the padding bits are set to zero. To avoid the | [RFC4648] and where the padding bits are set to zero. To avoid the | |||
| need for subsequent encoding steps (by "application/x-www-form- | need for subsequent encoding steps (by "application/x-www-form- | |||
| urlencoded" [W3C.REC-html401-19991224], for example), the base64url | urlencoded" [W3C.REC-html401-19991224], for example), the base64url- | |||
| encoded data MUST NOT be line wrapped and pad characters ("=") MUST | encoded data MUST NOT be line wrapped and pad characters ("=") MUST | |||
| NOT be included. | NOT be included. | |||
| The "scope" parameter may be used, as defined in the Assertion | The "scope" parameter may be used, as defined in the OAuth Assertion | |||
| Framework for OAuth 2.0 Client Authentication and Authorization | Framework [RFC7521], to indicate the requested scope. | |||
| Grants [I-D.ietf-oauth-assertions] specification, to indicate the | ||||
| requested scope. | ||||
| Authentication of the client is optional, as described in | Authentication of the client is optional, as described in | |||
| Section 3.2.1 of OAuth 2.0 [RFC6749] and consequently, the | Section 3.2.1 of OAuth 2.0 [RFC6749] and consequently, the | |||
| "client_id" is only needed when a form of client authentication that | "client_id" is only needed when a form of client authentication that | |||
| relies on the parameter is used. | relies on the parameter is used. | |||
| The following example demonstrates an Access Token Request with an | The following example demonstrates an access token request with an | |||
| assertion as an authorization grant (with extra line breaks for | Assertion as an authorization grant (with extra line breaks for | |||
| display purposes only): | display purposes only): | |||
| POST /token.oauth2 HTTP/1.1 | POST /token.oauth2 HTTP/1.1 | |||
| Host: as.example.com | Host: as.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer& | grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer& | |||
| assertion=PHNhbWxwOl...[omitted for brevity]...ZT4 | assertion=PHNhbWxwOl...[omitted for brevity]...ZT4 | |||
| 2.2. Using SAML Assertions for Client Authentication | 2.2. Using SAML Assertions for Client Authentication | |||
| skipping to change at page 5, line 46 | skipping to change at page 5, line 35 | |||
| The value of the "client_assertion_type" parameter is | The value of the "client_assertion_type" parameter is | |||
| "urn:ietf:params:oauth:client-assertion-type:saml2-bearer". | "urn:ietf:params:oauth:client-assertion-type:saml2-bearer". | |||
| The value of the "client_assertion" parameter MUST contain a single | The value of the "client_assertion" parameter MUST contain a single | |||
| SAML 2.0 Assertion. The SAML Assertion XML data MUST be encoded | SAML 2.0 Assertion. The SAML Assertion XML data MUST be encoded | |||
| using base64url, where the encoding adheres to the definition in | using base64url, where the encoding adheres to the definition in | |||
| Section 5 of RFC 4648 [RFC4648] and where the padding bits are set to | Section 5 of RFC 4648 [RFC4648] and where the padding bits are set to | |||
| zero. To avoid the need for subsequent encoding steps (by | zero. To avoid the need for subsequent encoding steps (by | |||
| "application/x-www-form-urlencoded" [W3C.REC-html401-19991224], for | "application/x-www-form-urlencoded" [W3C.REC-html401-19991224], for | |||
| example), the base64url encoded data SHOULD NOT be line wrapped and | example), the base64url-encoded data SHOULD NOT be line wrapped and | |||
| pad characters ("=") SHOULD NOT be included. | pad characters ("=") SHOULD NOT be included. | |||
| The following example demonstrates a client authenticating using an | The following example demonstrates a client authenticating using an | |||
| assertion during the presentation of an authorization code grant in | Assertion during the presentation of an authorization code grant in | |||
| an Access Token Request (with extra line breaks for display purposes | an access token request (with extra line breaks for display purposes | |||
| only): | only): | |||
| POST /token.oauth2 HTTP/1.1 | POST /token.oauth2 HTTP/1.1 | |||
| Host: as.example.com | Host: as.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| grant_type=authorization_code& | grant_type=authorization_code& | |||
| code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo& | code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4& | |||
| client_assertion_type=urn%3Aietf%3Aparams%3Aoauth | client_assertion_type=urn%3Aietf%3Aparams%3Aoauth | |||
| %3Aclient-assertion-type%3Asaml2-bearer& | %3Aclient-assertion-type%3Asaml2-bearer& | |||
| client_assertion=PHNhbW...[omitted for brevity]...ZT | client_assertion=PHNhbW...[omitted for brevity]...ZT | |||
| 3. Assertion Format and Processing Requirements | 3. Assertion Format and Processing Requirements | |||
| In order to issue an access token response as described in OAuth 2.0 | In order to issue an access token response as described in OAuth 2.0 | |||
| [RFC6749] or to rely on an Assertion for client authentication, the | [RFC6749] or to rely on an Assertion for client authentication, the | |||
| authorization server MUST validate the Assertion according to the | authorization server MUST validate the Assertion according to the | |||
| criteria below. Application of additional restrictions and policy | criteria below. Application of additional restrictions and policy | |||
| skipping to change at page 6, line 33 | skipping to change at page 6, line 23 | |||
| 1. The Assertion's <Issuer> element MUST contain a unique | 1. The Assertion's <Issuer> element MUST contain a unique | |||
| identifier for the entity that issued the Assertion. In the | identifier for the entity that issued the Assertion. In the | |||
| absence of an application profile specifying otherwise, | absence of an application profile specifying otherwise, | |||
| compliant applications MUST compare Issuer values using the | compliant applications MUST compare Issuer values using the | |||
| Simple String Comparison method defined in Section 6.2.1 of RFC | Simple String Comparison method defined in Section 6.2.1 of RFC | |||
| 3986 [RFC3986]. | 3986 [RFC3986]. | |||
| 2. The Assertion MUST contain a <Conditions> element with an | 2. The Assertion MUST contain a <Conditions> element with an | |||
| <AudienceRestriction> element with an <Audience> element that | <AudienceRestriction> element with an <Audience> element that | |||
| identifies the authorization server as an intended audience. | identifies the authorization server as an intended audience. | |||
| Section 2.5.1.4 of Assertions and Protocols for the OASIS | Section 2.5.1.4 of "Assertions and Protocols for the OASIS | |||
| Security Assertion Markup Language [OASIS.saml-core-2.0-os] | Security Assertion Markup Language (SAML) V2.0" | |||
| defines the <AudienceRestriction> and <Audience> elements and, | [OASIS.saml-core-2.0-os] defines the <AudienceRestriction> and | |||
| in addition to the URI references discussed there, the token | <Audience> elements and, in addition to the URI references | |||
| endpoint URL of the authorization server MAY be used as a URI | discussed there, the token endpoint URL of the authorization | |||
| that identifies the authorization server as an intended | server MAY be used as a URI that identifies the authorization | |||
| audience. The Authorization Server MUST reject any assertion | server as an intended audience. The authorization server MUST | |||
| that does not contain its own identity as the intended audience. | reject any Assertion that does not contain its own identity as | |||
| In the absence of an application profile specifying otherwise, | the intended audience. In the absence of an application profile | |||
| compliant applications MUST compare the audience values using | specifying otherwise, compliant applications MUST compare the | |||
| the Simple String Comparison method defined in Section 6.2.1 of | Audience values using the Simple String Comparison method | |||
| RFC 3986 [RFC3986]. As noted in Section 5, the precise strings | defined in Section 6.2.1 of RFC 3986 [RFC3986]. As noted in | |||
| to be used as the audience for a given Authorization Server must | Section 5, the precise strings to be used as the Audience for a | |||
| be configured out-of-band by the Authorization Server and the | given authorization server must be configured out of band by the | |||
| Issuer of the assertion. | authorization server and the issuer of the Assertion. | |||
| 3. The Assertion MUST contain a <Subject> element identifying the | 3. The Assertion MUST contain a <Subject> element identifying the | |||
| principal that is the subject of the Assertion. Additional | principal that is the subject of the Assertion. Additional | |||
| information identifying the subject/principal MAY be included in | information identifying the subject/principal MAY be included in | |||
| an <AttributeStatement>. | an <AttributeStatement>. | |||
| A. For the authorization grant, the Subject typically | A. For the authorization grant, the Subject typically | |||
| identifies an authorized accessor for which the access token | identifies an authorized accessor for which the access token | |||
| is being requested (i.e., the resource owner or an | is being requested (i.e., the resource owner or an | |||
| authorized delegate), but in some cases, may be a | authorized delegate), but in some cases, it may be a | |||
| pseudonymous identifier or other value denoting an anonymous | pseudonymous identifier or other value denoting an anonymous | |||
| user. | user. | |||
| B. For client authentication, the Subject MUST be the | B. For client authentication, the Subject MUST be the | |||
| "client_id" of the OAuth client. | "client_id" of the OAuth client. | |||
| 4. The Assertion MUST have an expiry that limits the time window | 4. The Assertion MUST have an expiry that limits the time window | |||
| during which it can be used. The expiry can be expressed either | during which it can be used. The expiry can be expressed either | |||
| as the NotOnOrAfter attribute of the <Conditions> element or as | as the NotOnOrAfter attribute of the <Conditions> element or as | |||
| the NotOnOrAfter attribute of a suitable | the NotOnOrAfter attribute of a suitable | |||
| <SubjectConfirmationData> element. | <SubjectConfirmationData> element. | |||
| 5. The <Subject> element MUST contain at least one | 5. The <Subject> element MUST contain at least one | |||
| <SubjectConfirmation> element that has a Method attribute with a | <SubjectConfirmation> element that has a Method attribute with a | |||
| value of "urn:oasis:names:tc:SAML:2.0:cm:bearer". If the | value of "urn:oasis:names:tc:SAML:2.0:cm:bearer". If the | |||
| Assertion does not have a suitable NonOnOrAfter attribute on the | Assertion does not have a suitable NotOnOrAfter attribute on the | |||
| <Conditions> element, the <SubjectConfirmation> element MUST | <Conditions> element, the <SubjectConfirmation> element MUST | |||
| contain a <SubjectConfirmationData> element. When present, the | contain a <SubjectConfirmationData> element. When present, the | |||
| <SubjectConfirmationData> element MUST have a Recipient | <SubjectConfirmationData> element MUST have a Recipient | |||
| attribute with a value indicating the token endpoint URL of the | attribute with a value indicating the token endpoint URL of the | |||
| authorization server (or an acceptable alias). The | authorization server (or an acceptable alias). The | |||
| authorization server MUST verify that the value of the Recipient | authorization server MUST verify that the value of the Recipient | |||
| attribute matches the token endpoint URL (or an acceptable | attribute matches the token endpoint URL (or an acceptable | |||
| alias) to which the Assertion was delivered. The | alias) to which the Assertion was delivered. The | |||
| <SubjectConfirmationData> element MUST have a NotOnOrAfter | <SubjectConfirmationData> element MUST have a NotOnOrAfter | |||
| attribute that limits the window during which the Assertion can | attribute that limits the window during which the Assertion can | |||
| skipping to change at page 8, line 10 | skipping to change at page 7, line 49 | |||
| ensure that Bearer Assertions are not replayed, by maintaining | ensure that Bearer Assertions are not replayed, by maintaining | |||
| the set of used ID values for the length of time for which the | the set of used ID values for the length of time for which the | |||
| Assertion would be considered valid based on the applicable | Assertion would be considered valid based on the applicable | |||
| NotOnOrAfter instant. | NotOnOrAfter instant. | |||
| 7. If the Assertion issuer directly authenticated the subject, the | 7. If the Assertion issuer directly authenticated the subject, the | |||
| Assertion SHOULD contain a single <AuthnStatement> representing | Assertion SHOULD contain a single <AuthnStatement> representing | |||
| that authentication event. If the Assertion was issued with the | that authentication event. If the Assertion was issued with the | |||
| intention that the client act autonomously on behalf of the | intention that the client act autonomously on behalf of the | |||
| subject, an <AuthnStatement> SHOULD NOT be included and the | subject, an <AuthnStatement> SHOULD NOT be included and the | |||
| client presenting the assertion SHOULD be identified in the | client presenting the Assertion SHOULD be identified in the | |||
| <NameID> or similar element in the <SubjectConfirmation> | <NameID> or similar element in the <SubjectConfirmation> | |||
| element, or by other available means like SAML V2.0 Condition | element, or by other available means like "SAML V2.0 Condition | |||
| for Delegation Restriction [OASIS.saml-deleg-cs]. | for Delegation Restriction" [OASIS.saml-deleg-cs]. | |||
| 8. Other statements, in particular <AttributeStatement> elements, | 8. Other statements, in particular <AttributeStatement> elements, | |||
| MAY be included in the Assertion. | MAY be included in the Assertion. | |||
| 9. The Assertion MUST be digitally signed or have a Message | 9. The Assertion MUST be digitally signed or have a Message | |||
| Authentication Code applied by the issuer. The authorization | Authentication Code (MAC) applied by the issuer. The | |||
| server MUST reject assertions with an invalid signature or | authorization server MUST reject Assertions with an invalid | |||
| Message Authentication Code. | signature or MAC. | |||
| 10. Encrypted elements MAY appear in place of their plain text | 10. Encrypted elements MAY appear in place of their plaintext | |||
| counterparts as defined in [OASIS.saml-core-2.0-os]. | counterparts as defined in [OASIS.saml-core-2.0-os]. | |||
| 11. The authorization server MUST reject an Assertion that is not | 11. The authorization server MUST reject an Assertion that is not | |||
| valid in all other respects per [OASIS.saml-core-2.0-os], such | valid in all other respects per [OASIS.saml-core-2.0-os], such | |||
| as (but not limited to) all content within the Conditions | as (but not limited to) all content within the Conditions | |||
| element including the NotOnOrAfter and NotBefore attributes, | element including the NotOnOrAfter and NotBefore attributes, | |||
| unknown condition types, etc. | unknown condition types, etc. | |||
| 3.1. Authorization Grant Processing | 3.1. Authorization Grant Processing | |||
| Assertion authorization grants may be used with or without client | Assertion authorization grants may be used with or without client | |||
| authentication or identification. Whether or not client | authentication or identification. Whether or not client | |||
| authentication is needed in conjunction with an assertion | authentication is needed in conjunction with an Assertion | |||
| authorization grant, as well as the supported types of client | authorization grant, as well as the supported types of client | |||
| authentication, are policy decisions at the discretion of the | authentication, are policy decisions at the discretion of the | |||
| authorization server. However, if client credentials are present in | authorization server. However, if client credentials are present in | |||
| the request, the authorization server MUST validate them. | the request, the authorization server MUST validate them. | |||
| If the Assertion is not valid (including if its subject confirmation | If the Assertion is not valid (including if its subject confirmation | |||
| requirements cannot be met), the authorization server constructs an | requirements cannot be met), the authorization server constructs an | |||
| error response as defined in OAuth 2.0 [RFC6749]. The value of the | error response as defined in OAuth 2.0 [RFC6749]. The value of the | |||
| "error" parameter MUST be the "invalid_grant" error code. The | "error" parameter MUST be the "invalid_grant" error code. The | |||
| authorization server MAY include additional information regarding the | authorization server MAY include additional information regarding the | |||
| skipping to change at page 9, line 33 | skipping to change at page 9, line 22 | |||
| regarding the reasons the Assertion was considered invalid using the | regarding the reasons the Assertion was considered invalid using the | |||
| "error_description" or "error_uri" parameters. | "error_description" or "error_uri" parameters. | |||
| 4. Authorization Grant Example | 4. Authorization Grant Example | |||
| The following examples illustrate what a conforming Assertion and an | The following examples illustrate what a conforming Assertion and an | |||
| access token request would look like. | access token request would look like. | |||
| The example shows an assertion issued and signed by the SAML Identity | The example shows an assertion issued and signed by the SAML Identity | |||
| Provider identified as "https://saml-idp.example.com". The subject | Provider identified as "https://saml-idp.example.com". The subject | |||
| of the assertion is identified by email address as | of the Assertion is identified by email address as | |||
| "brian@example.com", who authenticated to the Identity Provider by | "brian@example.com", who authenticated to the Identity Provider by | |||
| means of a digital signature where the key was validated as part of | means of a digital signature where the key was validated as part of | |||
| an X.509 Public Key Infrastructure. The intended audience of the | an X.509 Public Key Infrastructure. The intended audience of the | |||
| assertion is "https://saml-sp.example.net", which is an identifier | Assertion is "https://saml-sp.example.net", which is an identifier | |||
| for a SAML Service Provider with which the authorization server | for a SAML Service Provider with which the authorization server | |||
| identifies itself. The assertion is sent as part of an access token | identifies itself. The Assertion is sent as part of an access token | |||
| request to the authorization server's token endpoint at | request to the authorization server's token endpoint at | |||
| "https://authz.example.net/token.oauth2". | "https://authz.example.net/token.oauth2". | |||
| Below is an example SAML 2.0 Assertion (whitespace formatting is for | Below is an example SAML 2.0 Assertion (whitespace formatting is for | |||
| display purposes only): | display purposes only): | |||
| <Assertion IssueInstant="2010-10-01T20:07:34.619Z" | <Assertion IssueInstant="2010-10-01T20:07:34.619Z" | |||
| ID="ef1xsbZxPV2oqjd7HTLRLIBlBb7" | ID="ef1xsbZxPV2oqjd7HTLRLIBlBb7" | |||
| Version="2.0" | Version="2.0" | |||
| xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> | xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> | |||
| skipping to change at page 11, line 25 | skipping to change at page 11, line 25 | |||
| bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU | bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU | |||
| [...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24- | [...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24- | |||
| Figure 2: Example Request | Figure 2: Example Request | |||
| 5. Interoperability Considerations | 5. Interoperability Considerations | |||
| Agreement between system entities regarding identifiers, keys, and | Agreement between system entities regarding identifiers, keys, and | |||
| endpoints is required in order to achieve interoperable deployments | endpoints is required in order to achieve interoperable deployments | |||
| of this profile. Specific items that require agreement are as | of this profile. Specific items that require agreement are as | |||
| follows: values for the issuer and audience identifiers, the location | follows: values for the Issuer and Audience identifiers, the location | |||
| of the token endpoint, the key used to apply and verify the digital | of the token endpoint, the key used to apply and verify the digital | |||
| signature over the assertion, one-time use restrictions on | signature over the Assertion, one-time use restrictions on | |||
| assertions, maximum assertion lifetime allowed, and the specific | Assertions, maximum Assertion lifetime allowed, and the specific | |||
| subject and attribute requirements of the assertion. The exchange of | Subject and attribute requirements of the Assertion. The exchange of | |||
| such information is explicitly out of scope for this specification | such information is explicitly out of scope for this specification, | |||
| and typical deployment of it will be done alongside existing SAML Web | and typical deployment of it will be done alongside existing SAML Web | |||
| SSO deployments that have already established a means of exchanging | SSO deployments that have already established a means of exchanging | |||
| such information. Metadata for the OASIS Security Assertion Markup | such information. "Metadata for the OASIS Security Assertion Markup | |||
| Language (SAML) V2.0 [OASIS.saml-metadata-2.0-os] is one common | Language (SAML) V2.0" [OASIS.saml-metadata-2.0-os] specifies one | |||
| method of exchanging SAML related information about system entities. | common method of exchanging SAML-related information about system | |||
| entities. | ||||
| The RSA-SHA256 algorithm, from [RFC6931], is a mandatory to implement | The RSA-SHA256 algorithm, from [RFC6931], is a mandatory-to-implement | |||
| XML signature algorithm for this profile. | XML signature algorithm for this profile. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| The security considerations described within the Assertion Framework | The security considerations described within the following | |||
| for OAuth 2.0 Client Authentication and Authorization Grants | specifications are all applicable to this document: "Assertion | |||
| [I-D.ietf-oauth-assertions], The OAuth 2.0 Authorization Framework | Framework for OAuth 2.0 Client Authentication and Authorization | |||
| [RFC6749], and the Security and Privacy Considerations for the OASIS | Grants" [RFC7521], "The OAuth 2.0 Authorization Framework" [RFC6749], | |||
| Security Assertion Markup Language (SAML) V2.0 | and "Security and Privacy Considerations for the OASIS Security | |||
| [OASIS.saml-sec-consider-2.0-os] specifications are all applicable to | Assertion Markup Language (SAML) V2.0" | |||
| this document. | [OASIS.saml-sec-consider-2.0-os]. | |||
| The specification does not mandate replay protection for the SAML | The specification does not mandate replay protection for the SAML | |||
| assertion usage for either the authorization grant or for client | Assertion usage for either the authorization grant or for client | |||
| authentication. It is an optional feature, which implementations may | authentication. It is an optional feature, which implementations may | |||
| employ at their own discretion. | employ at their own discretion. | |||
| 7. Privacy Considerations | 7. Privacy Considerations | |||
| A SAML Assertion may contain privacy-sensitive information and, to | A SAML Assertion may contain privacy-sensitive information and, to | |||
| prevent disclosure of such information to unintended parties, should | prevent disclosure of such information to unintended parties, should | |||
| only be transmitted over encrypted channels, such as TLS. In cases | only be transmitted over encrypted channels, such as Transport Layer | |||
| where it is desirable to prevent disclosure of certain information to | Security (TLS). In cases where it is desirable to prevent disclosure | |||
| the client, the Subject and/or individual attributes of a SAML | of certain information to the client, the Subject and/or individual | |||
| Assertion should be encrypted to the authorization server. | attributes of a SAML Assertion should be encrypted to the | |||
| authorization server. | ||||
| Deployments should determine the minimum amount of information | Deployments should determine the minimum amount of information | |||
| necessary to complete the exchange and include only that information | necessary to complete the exchange and include only that information | |||
| in an Assertion (typically by limiting what information is included | in an Assertion (typically by limiting what information is included | |||
| in an <AttributeStatement> or omitting it altogether). In some | in an <AttributeStatement> or by omitting it altogether). In some | |||
| cases, the Subject can be a value representing an anonymous or | cases, the Subject can be a value representing an anonymous or | |||
| pseudonymous user, as described in Section 6.3.1 of the Assertion | pseudonymous user, as described in Section 6.3.1 of the OAuth | |||
| Framework for OAuth 2.0 Client Authentication and Authorization | Assertion Framework [RFC7521]. | |||
| Grants [I-D.ietf-oauth-assertions]. | ||||
| 8. IANA Considerations | 8. IANA Considerations | |||
| 8.1. Sub-Namespace Registration of urn:ietf:params:oauth:grant- | 8.1. Sub-Namespace Registration of | |||
| type:saml2-bearer | urn:ietf:params:oauth:grant-type:saml2-bearer | |||
| This is a request to IANA to please register the value "grant- | This section registers the value "grant-type:saml2-bearer" in the | |||
| type:saml2-bearer" in the registry urn:ietf:params:oauth established | IANA "OAuth URI" registry established by "An IETF URN Sub-Namespace | |||
| in An IETF URN Sub-Namespace for OAuth [RFC6755]. | for OAuth" [RFC6755]. | |||
| o URN: urn:ietf:params:oauth:grant-type:saml2-bearer | o URN: urn:ietf:params:oauth:grant-type:saml2-bearer | |||
| o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for | o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for | |||
| OAuth 2.0 | OAuth 2.0 | |||
| o Change controller: IESG | o Change Controller: IESG | |||
| o Specification Document: [[this document]] | o Specification Document: RFC 7522 | |||
| 8.2. Sub-Namespace Registration of urn:ietf:params:oauth:client- | 8.2. Sub-Namespace Registration of | |||
| assertion-type:saml2-bearer | urn:ietf:params:oauth:client-assertion-type:saml2-bearer | |||
| This is a request to IANA to please register the value "client- | This section registers the value "client-assertion-type:saml2-bearer" | |||
| assertion-type:saml2-bearer" in the registry urn:ietf:params:oauth | in the IANA "OAuth URI" registry established by "An IETF URN Sub- | |||
| established in An IETF URN Sub-Namespace for OAuth [RFC6755]. | Namespace for OAuth" [RFC6755]. | |||
| o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer | o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer | |||
| o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0 | o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0 | |||
| Client Authentication | Client Authentication | |||
| o Change controller: IESG | o Change Controller: IESG | |||
| o Specification Document: [[this document]] | o Specification Document: RFC 7522 | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-oauth-assertions] | ||||
| Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | ||||
| "Assertion Framework for OAuth 2.0 Client Authentication | ||||
| and Authorization Grants", draft-ietf-oauth-assertions | ||||
| (work in progress), October 2014. | ||||
| [OASIS.saml-core-2.0-os] | [OASIS.saml-core-2.0-os] | |||
| Cantor, S., Kemp, J., Philpott, R., and E. Maler, | Cantor, S., Kemp, J., Philpott, R., and E. Maler, | |||
| "Assertions and Protocol for the OASIS Security Assertion | "Assertions and Protocols for the OASIS Security Assertion | |||
| Markup Language (SAML) V2.0", OASIS Standard saml-core- | Markup Language (SAML) V2.0", OASIS Standard | |||
| 2.0-os, March 2005, <http://docs.oasis- | saml-core-2.0-os, March 2005, <http://docs.oasis-open.org/ | |||
| open.org/security/saml/v2.0/saml-core-2.0-os.pdf>. | security/saml/v2.0/saml-core-2.0-os.pdf>. | |||
| [OASIS.saml-deleg-cs] | [OASIS.saml-deleg-cs] | |||
| Cantor, S., Ed., "SAML V2.0 Condition for Delegation | Cantor, S., Ed., "SAML V2.0 Condition for Delegation | |||
| Restriction", Nov 2009. | Restriction Version 1", Committee Specification 01, | |||
| November 2009, <http://docs.oasis-open.org/ | ||||
| security/saml/Post2.0/sstc-saml-delegation-cs-01.html>. | ||||
| [OASIS.saml-sec-consider-2.0-os] | [OASIS.saml-sec-consider-2.0-os] | |||
| Hirsch, F., Philpott, R., and E. Maler, "Security and | Hirsch, F., Philpott, R., and E. Maler, "Security and | |||
| Privacy Considerations for the OASIS Security Markup | Privacy Considerations for the OASIS Security Assertion | |||
| Language (SAML) V2.0", OASIS Standard saml-sec-consider- | Markup Language (SAML) V2.0", OASIS Standard | |||
| 2.0-os, March 2005, <http://docs.oasis- | saml-sec-consider-2.0-os, March 2005, | |||
| open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf>. | <http://docs.oasis-open.org/security/saml/v2.0/ | |||
| saml-sec-consider-2.0-os.pdf>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <http://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, RFC | Resource Identifier (URI): Generic Syntax", STD 66, | |||
| 3986, January 2005. | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
| <http://www.rfc-editor.org/info/rfc3986>. | ||||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | |||
| <http://www.rfc-editor.org/info/rfc4648>. | ||||
| [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
| 6749, October 2012. | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
| <http://www.rfc-editor.org/info/rfc6749>. | ||||
| [RFC6931] Eastlake, D., "Additional XML Security Uniform Resource | [RFC6931] Eastlake 3rd, D., "Additional XML Security Uniform | |||
| Identifiers (URIs)", RFC 6931, April 2013. | Resource Identifiers (URIs)", RFC 6931, | |||
| DOI 10.17487/RFC6931, April 2013, | ||||
| <http://www.rfc-editor.org/info/rfc6931>. | ||||
| [RFC7521] Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | ||||
| "Assertion Framework for OAuth 2.0 Client Authentication | ||||
| and Authorization Grants", RFC 7521, DOI 10.17487/RFC7521, | ||||
| May 2015, <http://www.rfc-editor.org/info/rfc7521>. | ||||
| 9.2. Informative References | 9.2. Informative References | |||
| [OASIS.WS-Fed] | [OASIS.WS-Fed] | |||
| Goodner, M. and T. Nadalin, "Web Services Federation | Goodner, M. and A. Nadalin, "Web Services Federation | |||
| Language (WS-Federation) Version 1.2", May 2009, | Language (WS-Federation) Version 1.2", OASIS Standard, May | |||
| <http://docs.oasis-open.org/wsfed/federation/v1.2/os/ | 2009, <http://docs.oasis-open.org/wsfed/ | |||
| ws-federation-1.2-spec-os.html>. | federation/v1.2/os/ws-federation-1.2-spec-os.html>. | |||
| [OASIS.WSS-SAMLTokenProfile] | [OASIS.WSS-SAMLTokenProfile] | |||
| Monzillo, R., Kaler, C., Nadalin, T., Hallam-Baker, P., | Monzillo, R., Kaler, C., Nadalin, T., Hallam-Baker, P., | |||
| and C. Milono, "Web Services Security SAML Token Profile | and C. Milono, "Web Services Security SAML Token Profile | |||
| Version 1.1.1", May 2012, <http://docs.oasis-open.org/wss- | Version 1.1.1", OASIS Standard, May 2012, | |||
| m/wss/v1.1.1/wss-SAMLTokenProfile-v1.1.1.html>. | <http://docs.oasis-open.org/wss-m/wss/v1.1.1/ | |||
| wss-SAMLTokenProfile-v1.1.1.html>. | ||||
| [OASIS.saml-metadata-2.0-os] | [OASIS.saml-metadata-2.0-os] | |||
| Cantor, S., Moreh, J., Philpott, R., and E. Maler, | Cantor, S., Moreh, J., Philpott, R., and E. Maler, | |||
| "Metadata for the Security Assertion Markup Language | "Metadata for the OASIS Security Assertion Markup Language | |||
| (SAML) V2.0", OASIS Standard saml-metadata-2.0-os, March | (SAML) V2.0", OASIS Standard saml-metadata-2.0-os, March | |||
| 2005, <http://docs.oasis-open.org/security/saml/v2.0/ | 2005, <http://docs.oasis-open.org/security/saml/v2.0/ | |||
| saml-metadata-2.0-os.pdf>. | saml-metadata-2.0-os.pdf>. | |||
| [OASIS.saml-profiles-2.0-os] | [OASIS.saml-profiles-2.0-os] | |||
| Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, | Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, | |||
| P., Philpott, R., and E. Maler, "Profiles for the OASIS | P., Philpott, R., and E. Maler, "Profiles for the OASIS | |||
| Security Assertion Markup Language (SAML) V2.0", OASIS | Security Assertion Markup Language (SAML) V2.0", OASIS | |||
| Standard OASIS.saml-profiles-2.0-os, March 2005, | Standard OASIS.saml-profiles-2.0-os, March 2005, | |||
| <http://docs.oasis-open.org/security/saml/v2.0/ | <http://docs.oasis-open.org/security/saml/v2.0/ | |||
| saml-profiles-2.0-os.pdf>. | saml-profiles-2.0-os.pdf>. | |||
| [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | |||
| for OAuth", RFC 6755, October 2012. | for OAuth", RFC 6755, DOI 10.17487/RFC6755, October 2012, | |||
| <http://www.rfc-editor.org/info/rfc6755>. | ||||
| [W3C.REC-html401-19991224] | [W3C.REC-html401-19991224] | |||
| Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01 | Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01 | |||
| Specification", World Wide Web Consortium Recommendation | Specification", World Wide Web Consortium Recommendation | |||
| REC-html401-19991224, December 1999, | REC-html401-19991224, December 1999, | |||
| <http://www.w3.org/TR/1999/REC-html401-19991224>. | <http://www.w3.org/TR/1999/REC-html401-19991224>. | |||
| Appendix A. Acknowledgements | Acknowledgements | |||
| The following people contributed wording and concepts to this | The following people contributed wording and concepts to this | |||
| document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | |||
| Hammer, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | Hammer, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | |||
| Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Hannes | Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Hannes | |||
| Tschofenig, David Waite, Phil Hunt, and Mukesh Bhatnagar. | Tschofenig, David Waite, Phil Hunt, and Mukesh Bhatnagar. | |||
| Appendix B. Document History | ||||
| [[ to be removed by RFC editor before publication as an RFC ]] | ||||
| draft-ietf-oauth-saml2-bearer-23 | ||||
| o Fix typo per http://www.ietf.org/mail-archive/web/oauth/current/ | ||||
| msg13790.html | ||||
| draft-ietf-oauth-saml2-bearer-22 | ||||
| o Changes/suggestions from IESG reviews. | ||||
| draft-ietf-oauth-saml2-bearer-21 | ||||
| o Added Privacy Considerations section per AD review discussion | ||||
| http://www.ietf.org/mail-archive/web/oauth/current/msg13148.html | ||||
| and http://www.ietf.org/mail-archive/web/oauth/current/ | ||||
| msg13144.html | ||||
| draft-ietf-oauth-saml2-bearer-20 | ||||
| o Clarified some text around the treatment of subject based on the | ||||
| rough rough consensus from the thread staring at | ||||
| http://www.ietf.org/mail-archive/web/oauth/current/msg12630.html | ||||
| draft-ietf-oauth-saml2-bearer-19 | ||||
| o Updated references. | ||||
| draft-ietf-oauth-saml2-bearer-18 | ||||
| o Clean up language around subject per http://www.ietf.org/mail- | ||||
| archive/web/oauth/current/msg12254.html. | ||||
| o As suggested in http://www.ietf.org/mail- | ||||
| archive/web/oauth/current/msg12253.html stated that "In the | ||||
| absence of an application profile specifying otherwise, compliant | ||||
| applications MUST compare the audience/issuer values using the | ||||
| Simple String Comparison method defined in Section 6.2.1 of RFC | ||||
| 3986." | ||||
| o Clarify the potentially confusing language about the AS confirming | ||||
| the assertion http://www.ietf.org/mail-archive/web/oauth/current/ | ||||
| msg12255.html. | ||||
| o Combine the two items about AuthnStatement and drop the word | ||||
| presenter as discussed in http://www.ietf.org/mail- | ||||
| archive/web/oauth/current/msg12257.html. | ||||
| o Added one-time use, maximum lifetime, and specific subject and | ||||
| attribute requirements to Interoperability Considerations based on | ||||
| http://www.ietf.org/mail-archive/web/oauth/current/msg12252.html. | ||||
| o Reword security considerations and mention that replay protection | ||||
| is not mandated based on http://www.ietf.org/mail- | ||||
| archive/web/oauth/current/msg12259.html. | ||||
| draft-ietf-oauth-saml2-bearer-17 | ||||
| o Stated that issuer and audience values SHOULD be compared using | ||||
| the Simple String Comparison method defined in Section 6.2.1 of | ||||
| RFC 3986 unless otherwise specified by the application. | ||||
| draft-ietf-oauth-saml2-bearer-16 | ||||
| o Changed title from "SAML 2.0 Bearer Assertion Profiles for OAuth | ||||
| 2.0" to "SAML 2.0 Profile for OAuth 2.0 Client Authentication and | ||||
| Authorization Grants" to be more explicit about the scope of the | ||||
| document per http://www.ietf.org/mail-archive/web/oauth/current/ | ||||
| msg11063.html. | ||||
| o Fixed typo in text identifying the presenter from "or similar | ||||
| element, the" to "or similar element in the". | ||||
| o Numbered the list of processing rules. | ||||
| o Smallish editorial cleanups to try and improve readability and | ||||
| comprehensibility. | ||||
| o Cleaner split out of the processing rules in cases where they | ||||
| differ for client authentication and authorization grants. | ||||
| o Clarified the parameters that are used/available for authorization | ||||
| grants. | ||||
| o Added Interoperability Considerations section and info reference | ||||
| to SAML Metadata. | ||||
| o Added more explanatory context to the example in Section 4. | ||||
| draft-ietf-oauth-saml2-bearer-15 | ||||
| o Reference RFC 6749 and RFC 6755. | ||||
| o Update draft-ietf-oauth-assertions reference to -06. | ||||
| o Remove extraneous word per http://www.ietf.org/mail- | ||||
| archive/web/oauth/current/msg10055.html | ||||
| draft-ietf-oauth-saml2-bearer-14 | ||||
| o Add more text to intro explaining that an assertion grant type can | ||||
| be used with or without client authentication/identification and | ||||
| that client assertion authentication is nothing more than an | ||||
| alternative way for a client to authenticate to the token endpoint | ||||
| o Add examples to Sections 2.1 and 2.2 | ||||
| o Update references | ||||
| draft-ietf-oauth-saml2-bearer-13 | ||||
| o Update references: oauth-assertions-04, oauth-urn-sub-ns-05, oauth | ||||
| -28 | ||||
| o Changed "Description" to "Specification Document" in both | ||||
| registration requests in IANA Considerations per changes to the | ||||
| template in ietf-oauth-urn-sub-ns(-03) | ||||
| o Added "(or an acceptable alias)" so that it's in both sentences | ||||
| about Recipient and the token endpoint URL so there's no ambiguity | ||||
| o Update area and workgroup (now Security and OAuth was Internet and | ||||
| nothing) | ||||
| draft-ietf-oauth-saml2-bearer-12 | ||||
| o updated reference to draft-ietf-oauth-v2 from -25 to -26 and | ||||
| draft-ietf-oauth-assertions from -02 to -03 | ||||
| draft-ietf-oauth-saml2-bearer-11 | ||||
| o Removed text about limited lifetime access tokens and the SHOULD | ||||
| NOT on issuing refresh tokens. The text was moved to draft-ietf- | ||||
| oauth-assertions-02 and somewhat modified per http://www.ietf.org/ | ||||
| mail-archive/web/oauth/current/msg08298.html. | ||||
| o Fixed typo/missing word per http://www.ietf.org/mail- | ||||
| archive/web/oauth/current/msg08733.html. | ||||
| o Added Terminology section. | ||||
| o fix a spelling mistake | ||||
| draft-ietf-oauth-saml2-bearer-09 | ||||
| o Attempt to address an ambiguity around validation requirements | ||||
| when the Conditions element contain a NotOnOrAfter and | ||||
| SubjectConfirmation/SubjectConfirmationData does too. Basically | ||||
| it needs to have at least one bearer SubjectConfirmation element | ||||
| but that element can omit SubjectConfirmationData, if Conditions | ||||
| has an expiry on it. Otherwise, a valid SubjectConfirmation must | ||||
| have a SubjectConfirmationData with Recipient and NotOnOrAfter. | ||||
| And any SubjectConfirmationData that has those elements needs to | ||||
| have them checked. | ||||
| o clarified that AudienceRestriction is under Conditions (even | ||||
| though it's implied by schema) | ||||
| o fix a typo | ||||
| draft-ietf-oauth-saml2-bearer-08 | ||||
| o fix some typos | ||||
| draft-ietf-oauth-saml2-bearer-07 | ||||
| o update reference from draft-campbell-oauth-urn-sub-ns to draft- | ||||
| ietf-oauth-urn-sub-ns | ||||
| o Updated to reference draft-ietf-oauth-v2-20 | ||||
| draft-ietf-oauth-saml2-bearer-06 | ||||
| o Fix three typos NamseID->NameID and (2x) Namspace->Namespace | ||||
| draft-ietf-oauth-saml2-bearer-05 | ||||
| o Allow for subject confirmation data to be optional when Conditions | ||||
| contain audience and NotOnOrAfter | ||||
| o Rework most of the spec to profile draft-ietf-oauth-assertions for | ||||
| both authn and authz including (but not limited to): | ||||
| * remove requirement for issuer to be | ||||
| urn:oasis:names:tc:SAML:2.0:nameid-format:entity | ||||
| * change wording on Subject requirements | ||||
| o using a MAY, explicitly say that the Audience can be token | ||||
| endpoint URL of the authorization server | ||||
| o Change title to be more generic (allowing for client authn too) | ||||
| o added client authentication to the abstract | ||||
| o register and use urn:ietf:params:oauth:grant-type:saml2-bearer for | ||||
| grant type rather than http://oauth.net/grant_type/saml/2.0/bearer | ||||
| o register urn:ietf:params:oauth:client-assertion-type:saml2-bearer | ||||
| o remove scope parameter as it is defined in | ||||
| http://tools.ietf.org/html/draft-ietf-oauth-assertions | ||||
| o remove assertion param registration because it [should] be in | ||||
| http://tools.ietf.org/html/draft-ietf-oauth-assertions | ||||
| o fix typo(s) and update/add references | ||||
| draft-ietf-oauth-saml2-bearer-04 | ||||
| o Changed the grant_type URI from | ||||
| "http://oauth.net/grant_type/assertion/saml/2.0/bearer" to | ||||
| "http://oauth.net/grant_type/saml/2.0/bearer" - dropping the word | ||||
| assertion from the path. Recent versions of draft-ietf-oauth-v2 | ||||
| no longer refer to extension grants using the word assertion so | ||||
| this URI is more reflective of that. It also more closely aligns | ||||
| with the grant type URI in draft-jones-oauth-jwt-bearer-00 which | ||||
| is "http://oauth.net/grant_type/jwt/1.0/bearer". | ||||
| o Added "case sensitive" to scope definition to align with draft- | ||||
| ietf-oauth-v2-15/16. | ||||
| o Updated to reference draft-ietf-oauth-v2-16 | ||||
| draft-ietf-oauth-saml2-bearer-03 | ||||
| o Cleanup of some editorial issues. | ||||
| draft-ietf-oauth-saml2-bearer-02 | ||||
| o Added scope parameter with text copied from draft-ietf-oauth-v2-12 | ||||
| (the reorg of draft-ietf-oauth-v2-12 made it so scope wasn't | ||||
| really inherited by this spec anymore) | ||||
| o Change definition of the assertion parameter to be more generally | ||||
| applicable per the suggestion near the end of http://www.ietf.org/ | ||||
| mail-archive/web/oauth/current/msg05253.html | ||||
| o Editorial changes based on feedback | ||||
| draft-ietf-oauth-saml2-bearer-01 | ||||
| o Update spec name when referencing draft-ietf-oauth-v2 (The OAuth | ||||
| 2.0 Protocol Framework -> The OAuth 2.0 Authorization Protocol) | ||||
| o Update wording in Introduction to talk about extension grant types | ||||
| rather than the assertion grant type which is a term no longer | ||||
| used in OAuth 2.0 | ||||
| o Updated to reference draft-ietf-oauth-v2-12 and denote as work in | ||||
| progress | ||||
| o Update Parameter Registration Request to use similar terms as | ||||
| draft-ietf-oauth-v2-12 and remove Related information part | ||||
| o Add some text giving discretion to AS on rejecting assertions with | ||||
| unreasonably long validity window. | ||||
| draft-ietf-oauth-saml2-bearer-00 | ||||
| o Added Parameter Registration Request for "assertion" to IANA | ||||
| Considerations. | ||||
| o Changed document name to draft-ietf-oauth-saml2-bearer in | ||||
| anticipation of becoming an OAUTH WG item. | ||||
| o Attempt to move the entire definition of the 'assertion' parameter | ||||
| into this draft (it will no longer be defined in OAuth 2 Protocol | ||||
| Framework). | ||||
| draft-campbell-oauth-saml-01 | ||||
| o Updated to reference draft-ietf-oauth-v2-11 and reflect changes | ||||
| from -10 to -11. | ||||
| o Updated examples. | ||||
| o Relaxed processing rules to allow for more than one | ||||
| SubjectConfirmation element. | ||||
| o Removed the 'MUST NOT contain a NotBefore attribute' on | ||||
| SubjectConfirmationData. | ||||
| o Relaxed wording that ties the subject of the Assertion to the | ||||
| resource owner. | ||||
| o Added some wording about identifying the client when the subject | ||||
| hasn't directly authenticated including an informative reference | ||||
| to SAML V2.0 Condition for Delegation Restriction. | ||||
| o Added a few examples to the language about verifying that the | ||||
| Assertion is valid in all other respects. | ||||
| o Added some wording to the introduction about the similarities to | ||||
| Web SSO in the format and processing rules | ||||
| o Changed the grant_type (was assertion_type) URI from | ||||
| http://oauth.net/assertion_type/saml/2.0/bearer to | ||||
| http://oauth.net/grant_type/assertion/saml/2.0/bearer | ||||
| o Changed title to include "Grant Type" in it. | ||||
| o Editorial updates based on feedback from the WG and others | ||||
| (including capitalization of Assertion when referring to SAML). | ||||
| draft-campbell-oauth-saml-00 | ||||
| o Initial I-D | ||||
| Authors' Addresses | Authors' Addresses | |||
| Brian Campbell | Brian Campbell | |||
| Ping Identity | Ping Identity | |||
| Email: brian.d.campbell@gmail.com | EMail: brian.d.campbell@gmail.com | |||
| Chuck Mortimore | Chuck Mortimore | |||
| Salesforce.com | Salesforce.com | |||
| Email: cmortimore@salesforce.com | EMail: cmortimore@salesforce.com | |||
| Michael B. Jones | Michael B. Jones | |||
| Microsoft | Microsoft | |||
| Email: mbj@microsoft.com | EMail: mbj@microsoft.com | |||
| URI: http://self-issued.info/ | URI: http://self-issued.info/ | |||
| End of changes. 73 change blocks. | ||||
| 497 lines changed or deleted | 186 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||