Josh, the meeting was very confused about how aaa-saml interacts with
the requirement from 2865 to have an authentication attribute in
access-request.
Where does that come up for this draft?
Dear all,
during last IETF meeting I had no chance to properly explain the issue
with the ietf-abfab-aaa-saml and RFC 2865 due to some remote audio
problems, thus I was requested to do it on the list. Let me complete
Sam's question with further information.
This issue is related with the one we had with our RADIUS fragmentation
draft, and debated in RADEXT. However, I think that it may require a
different solution than the one took for our draft, as they happen at
different levels.
RFC 2865 specifies that:
An Access-Request MUST contain either a User-Password or a CHAP-
Password or a State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow other
kinds of authentication information to be conveyed, the attribute
for that can be used in an Access-Request instead of User-Password
or CHAP-Password.
This implies that an Access-Request packet will be invalid if it does
not contain any authentication attribute.
In section 7.3.2., ietf-abfab-aaa-saml defines how the RP uses a RADIUS
Access-Request message to communicate with the IdP, prior the EU
authentication, and provide the <samlp:AuthnRequest>. In section 8.3.2,
the contents of this Access-Request message are described as:
* MUST use User-Name (not authentication attribute)
* MUST include Service-Type = Authorize-Only (Not authentication
attribute)
* SHOULD include RADIUS State (authentication attribute, but not
available when sent before the principal is authenticated; i.e.
before EAP).
Therefore, this message may not contain any authentication attribute,
and therefore in those cases might be considered as invalid by entities
following RFC 2865 to the letter.
However, as RFC 2865 leaves the door open for new attributes to be
considered as authentication, we think that a feasible solution for this
issue would be declaring SAML-Message and/or the SAML-Assertion
attributes as authentication attributes. We think this would make sense
as as they might affect how the subsequent authentication process will
be performed.
Regards,
Alejandro
--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
