Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.

Published byHugh Cooper Modified over 9 years ago

Similar presentations

Presentation on theme: "Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82."— Presentation transcript:

1 draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82

2 SAML RADIUS binding & SAML RADIUS attribute Abfab Authentication Profile & Abfab Assertion Request Profile In SAML, bindings typically use HTTP or SOAP transport. ABFAB is defining a RADIUS binding.

3 SAML RADIUS Attribute 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | SAML Message... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4 SAML RADIUS Binding SAML requester is RADIUS client / RP SAML responder is RADIUS server / IdP SAML protocol message is encapsulated within (and fragmented across multiple instances of) the SAML RADIUS attribute NAI is used to route RADIUS messages from the SAML requester towards the SAML responder Attribute is currently defined independently of the Binding, to facilitate use in other contexts – is that actually useful, or a complication?

5 Abfab Authentication Profile A profile of the SAML Authentication Request Protocol that uses the SAML RADIUS binding

6 Abfab Assertion Request Profile TODO Intend to specify a profile of SAML “Assertion Query and Request Protocol” using the SAML RADIUS binding Requirements – Request assertion from authentication IdP, after authentication – Request assertions from other attribute sources

7 Issue: document name Name includes “aaa”, but only discusses RADIUS Currently named “A RADIUS Attribute, Binding and Profiles for SAML” Sufficient?

8 Issue: signatures Use of SAML signatures – Profile (but not binding) currently prohibits use of SAML signatures Encourage use of transport integrity protection, reducing deployment complexity Reduce size of SAML messages – Limited support – Proposal: require NASes to default NOT to check signatures; and indicate that signatures are not required

9 Issue: SAML payload size RADIUS message MTU of 4kb, but SAML messages can be arbitrarily large – Option 1: Do nothing – Option 2: If >4kb, advise deployments to use Diameter – Option 3: Use a SAML SOAP-based transaction to request attributes or resolve an artifact – Option 4: Develop a RADIUS-based mechanism to fragment large payloads over multiple RADIUS messages

10 Todo Fix various nits Define attribute request profile

Download ppt "Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82."

Similar presentations

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.
ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.

ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.
OTP-ValidationService: Summary, Status, and Next Steps OTPS Workshop, February 2006.

OTP-ValidationService: Summary, Status, and Next Steps OTPS Workshop, February 2006.
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
SOAP & Security IEEE Computer Society Utah Chapter Hilarie Orman - Purple Streak Development Tolga Acar - Novell, Inc. October 24, 2002.

SOAP & Security IEEE Computer Society Utah Chapter Hilarie Orman - Purple Streak Development Tolga Acar - Novell, Inc. October 24, 2002.
SOAP.

SOAP.
SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.

SOAP SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol * SOAP is a communication protocol * SOAP is for communication.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
ABFAB Architecture Jim Schaad August Cellars. Previous Updates -01 – Resolved a number of review comments in the tracker -02 – Expanded Section 2 – Architecture.

ABFAB Architecture Jim Schaad August Cellars. Previous Updates -01 – Resolved a number of review comments in the tracker -02 – Expanded Section 2 – Architecture.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
ΗΛΕΚΤΡΟΝΙΚΟ ΕΜΠΟΡΙΟ Web Services Overview Mary Grammatikou www.netmode.ntua.gr 9/06/2009.

ΗΛΕΚΤΡΟΝΙΚΟ ΕΜΠΟΡΙΟ Web Services Overview Mary Grammatikou 9/06/2009.
Middleware for P2P architecture Jikai Yin, Shuai Zhang, Ziwen Zhang.

Middleware for P2P architecture Jikai Yin, Shuai Zhang, Ziwen Zhang.
ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman

Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.

Similar presentations

Ads by Google