Let me add an additional comment: I wonder about the requirement of not signing the SAML assertion. Maybe it requires a more detailed analysis. First, if the SAML assertion is generated by a legacy IdP, then it should discriminate between requesters (the RADIUS server in this case) and decide not to sign the assertion issued for this entity. It could be OK, but I think it should be explicitly described in the text. Another option is to allow the RADIUS server to cut short the assertion and remove the XML signature, but I don't like this. Second, you have to take into account that the SAML assertion will be for one-time use and could not be managed/validated by a third party. Let's think of a scenario where the received assertion is used later on to request other end-user attributes and the original SAML assertion should first be validated in order to check its validity.
Best regards,
Gabi.

On 03/11/11 13:29, Alejandro Perez Mendez wrote:
> Hi Josh,
>
> I have a few comments regarding version -02 of the aaa-saml draft.
> Mostly typos.
>
> 0. Abstract
>
> * "...RADIUS attribute, binding and two..:" -> "RADIUS attribute, a
> binding and two..."
>
> 1. Introduction
>
> * In the 3rd paragraph Diameter is mentioned, while it is not
> mentioned again in the rest of the document. Indeed, it is a
> RADIUS-specific document.
>
> 3. RADIUS SAML-Message Attribute
>
> * Length should be >=3, not >=4, since it is stated in the text that
> the Message field can have one or more octets (see the description of
> the User-Name attribute in RFC 2865 for a similar attribute).
> * I have a question related to the RADIUS maximum packet size. RFC
> 2865 states that the maximum size is 4096 bytes. That means that if
> a SAML Assertion were bigger than 4K, it would be impossible to
> transport it in a single RADIUS message. Even without signatures, a
> SAML Assertion containing attributes may exceed this size if the
> attributes contain enough data. Have you thought about any
> mechanism to deal with this kind of situation, for example the use
> of a Hash&URL or similar?
>
> 5.3.2
>
> * "The Relying Party, on receiving the EAP-Response/Identity message
> from the User Agent, MUST send it towards the Identity Provider
> using the SAML RADIUS binding" -> Did you mean RADIUS EAP, or is the
> SAML RADIUS binding intended to transport EAP messages?
>
> 5.4.1
>
> * "If the Relying Provider wishes to..." -> "If the Relying Party
> wishes to..."
>
> 5.4.2
>
> * "Provider is NOT obligated to honor the requested set of in the
> <samlp:AuthnRequest>, if any." -> Something is missing between "set of"
> and "in the".
>
> 5.4.3
>
> * "Verify that the InResponseTo attribute in the bearer
> <saml:SubjectConfirmationData>" -> Shouldn't it be "sender-vouches"
> instead of "bearer"?
>
> Regards,
> Alejandro
>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This draft is a work item of the Application Bridging
>> for Federated Access Beyond web Working Group of the IETF.
>>
>> Title : A RADIUS Attribute, Binding and Profiles for SAML
>> Author(s) : Josh Howlett
>> Sam Hartman
>> Filename : draft-ietf-abfab-aaa-saml-02.txt
>> Pages : 14
>> Date : 2011-10-31
>>
>> This document specifies a RADIUS attribute, binding and two profiles
>> for the Security Assertion Mark-up Language (SAML). The attribute
>> provides RADIUS encapsulation of SAML protocol messages, while the
>> binding describes the transport of this attribute, and the SAML
>> protocol messages within, using RADIUS. The profiles describe the
>> application of this binding for Abfab authentication and assertion
>> query/request. The SAML RADIUS attribute and binding are defined
>> generically to permit application in other scenarios, such as
>> network access.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-abfab-aaa-saml-02.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-abfab-aaa-saml-02.txt
>> _______________________________________________
>> abfab mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/abfab
>
>
>
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab

--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
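On the two framing points Alejandro raises above (the minimum attribute Length of 3 and the 4096-octet RFC 2865 packet limit versus the size of an attribute-bearing assertion), here is an added example in Python; it is not code from the draft or from anyone in this thread. It assumes a placeholder attribute Type of 250 (the real SAML-Message Type is IANA-assigned and is not given here) and assumes that a message longer than 253 octets may be split across several attribute instances, the way EAP-Message is in RFC 3579; the draft text quoted here does not say whether that is permitted. The sample assertion is constructed, not taken from any real IdP.

```python
import struct

# RFC 2865 framing constants referred to in the thread.
RADIUS_MAX_PACKET = 4096   # maximum RADIUS packet length
RADIUS_HEADER_LEN = 20     # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_HEADER_LEN = 2        # Type(1) + Length(1)
ATTR_MAX_LEN = 255         # Length is a single octet and covers the whole attribute
ATTR_MAX_VALUE = ATTR_MAX_LEN - ATTR_HEADER_LEN   # 253 value octets per attribute
ATTR_MIN_LEN = 3           # header plus at least one Message octet, as argued above

# Placeholder Type: the real SAML-Message attribute Type is IANA-assigned
# and does not appear on this page.
SAML_MESSAGE_TYPE = 250


def encode_saml_message(message: bytes, attr_type: int = SAML_MESSAGE_TYPE) -> list:
    """Wrap a SAML message as RADIUS attributes: Type | Length | Message.

    Messages longer than 253 octets are split across several attribute
    instances (the EAP-Message approach of RFC 3579). Whether the
    SAML-Message attribute allows this is an assumption of this example.
    """
    if not message:
        raise ValueError("Message field must contain at least one octet")
    attrs = []
    for i in range(0, len(message), ATTR_MAX_VALUE):
        chunk = message[i:i + ATTR_MAX_VALUE]
        attrs.append(struct.pack("BB", attr_type, ATTR_HEADER_LEN + len(chunk)) + chunk)
    return attrs


def decode_saml_message(attrs: list, attr_type: int = SAML_MESSAGE_TYPE) -> bytes:
    """Check each attribute's framing (Type, Length >= 3, Length == octets present)
    and concatenate the Message fields back into one SAML message."""
    out = bytearray()
    for a in attrs:
        if len(a) < ATTR_MIN_LEN:
            raise ValueError("attribute shorter than minimum length %d" % ATTR_MIN_LEN)
        a_type, a_len = a[0], a[1]
        if a_type != attr_type:
            raise ValueError("unexpected attribute type %d" % a_type)
        if a_len != len(a):
            raise ValueError("Length octet %d does not match %d octets present" % (a_len, len(a)))
        out += a[ATTR_HEADER_LEN:]
    return bytes(out)


def fits_in_one_packet(attrs: list, other_attrs_len: int = 0) -> bool:
    """True if header + other attributes + these attributes stay within 4096 octets."""
    total = RADIUS_HEADER_LEN + other_attrs_len + sum(len(a) for a in attrs)
    return total <= RADIUS_MAX_PACKET


def max_message_octets_per_packet(other_attrs_len: int = 0) -> int:
    """Largest SAML message that fits one packet once per-attribute overhead is paid."""
    budget = RADIUS_MAX_PACKET - RADIUS_HEADER_LEN - other_attrs_len
    full, rest = divmod(budget, ATTR_MAX_LEN)
    payload = full * ATTR_MAX_VALUE
    if rest >= ATTR_MIN_LEN:          # a partial trailing attribute still needs >= 1 value octet
        payload += rest - ATTR_HEADER_LEN
    return payload


def constructed_assertion(n_attributes: int, value_len: int = 64) -> bytes:
    """A constructed, unsigned <saml:Assertion> carrying n_attributes attribute
    values; realistic bulk only, not an assertion from the page or a real IdP."""
    attrs = "".join(
        '<saml:Attribute Name="attr%d"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (i, "x" * value_len)
        for i in range(n_attributes)
    )
    xml = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">'
           '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>' % attrs)
    return xml.encode("utf-8")


if __name__ == "__main__":
    # A handful of attributes fits; a few dozen 64-octet values already exceed 4K
    # without any XML signature being involved.
    for n in (5, 40):
        assertion = constructed_assertion(n)
        attrs = encode_saml_message(assertion)
        print("%d attributes -> %d octets, %d RADIUS attributes, fits in one packet: %s"
              % (n, len(assertion), len(attrs), fits_in_one_packet(attrs)))
```

The `max_message_octets_per_packet` figure is the number a relying party would compare an incoming assertion against before deciding whether it can be carried inline at all, which is the situation the Hash&URL question above is about; the decoder's Length checks are the receive-side counterpart of the ">= 3" point.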
