idnits 2.17.00 (12 Aug 2021)

/tmp/idnits17086/draft-guenther-geopriv-saml-policy-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 14.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 547.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 524.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 531.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 537.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC
     2119 boilerplate text.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 13, 2005) is 6155 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref.
     'SAMLAuthnContext'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SAMLCore'

  == Outdated reference: draft-ietf-geopriv-common-policy has been published
     as RFC 4745


     Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Geopriv                                                      C. Guenther
3	Internet-Draft                                                   Siemens
4	Expires: January 14, 2006                                  July 13, 2005

6	                     SAML in Authorization Policies
7	               draft-guenther-geopriv-saml-policy-01.txt

9	Status of this Memo

11	   By submitting this Internet-Draft, each author represents that any
12	   applicable patent or other IPR claims of which he or she is aware
13	   have been or will be disclosed, and any of which he or she becomes
14	   aware will be disclosed, in accordance with Section 6 of BCP 79.

16	   Internet-Drafts are working documents of the Internet Engineering
17	   Task Force (IETF), its areas, and its working groups.  Note that
18	   other groups may also distribute working documents as Internet-
19	   Drafts.

21	   Internet-Drafts are draft documents valid for a maximum of six months
22	   and may be updated, replaced, or obsoleted by other documents at any
23	   time.  It is inappropriate to use Internet-Drafts as reference
24	   material or to cite them other than as "work in progress."

26	   The list of current Internet-Drafts can be accessed at
27	   http://www.ietf.org/ietf/1id-abstracts.txt.

29	   The list of Internet-Draft Shadow Directories can be accessed at
30	   http://www.ietf.org/shadow.html.

32	   This Internet-Draft will expire on January 14, 2006.

34	Copyright Notice

36	   Copyright (C) The Internet Society (2005).

38	Abstract

40	   Rules of an authorization policy prescribe under which conditions an
41	   entity or subject has which permissions.  Existing policies support
42	   identity-based authorization by matching the authenticated identity
43	   of the entity requesting access to a resource with the available
44	   policies.  This document is about formulating policy rules that
45	   express conditions with respect to SAML assertions, thereby
46	   supporting non-identity-based authorization and anonymity.

48	Table of Contents

50	   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
51	   2.   Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   4
52	   3.   Basic Scenario . . . . . . . . . . . . . . . . . . . . . . .   5
53	   4.   SAML Condition Example . . . . . . . . . . . . . . . . . . .   6
54	   5.   SAML Condition Schema  . . . . . . . . . . . . . . . . . . .   9
55	   6.   Common Policy Schema . . . . . . . . . . . . . . . . . . . .  11
56	   7.   Security Considerations  . . . . . . . . . . . . . . . . . .  15
57	   8.   IANA Considerations  . . . . . . . . . . . . . . . . . . . .  16
58	   9.   Open Issues  . . . . . . . . . . . . . . . . . . . . . . . .  17
59	   10.  References . . . . . . . . . . . . . . . . . . . . . . . . .  18
60	     10.1   Normative References . . . . . . . . . . . . . . . . . .  18
61	     10.2   Informative References . . . . . . . . . . . . . . . . .  18
62	        Author's Address . . . . . . . . . . . . . . . . . . . . . .  18
63	        Intellectual Property and Copyright Statements . . . . . . .  19

65	1.  Introduction

67	   The Security Assertion Markup Language, see [SAMLCore], is an XML
68	   sublanguage for exchanging security information.  It is suitable for
69	   expressing assertions concerning previously performed authentication
70	   procedures and authorization decisions.  For example, a SAML
71	   assertion can be used by the assertion issuer to assure that the
72	   assertion subject (e.g., a person, a network entity, ...) has been
73	   authenticated by means of a specific authentication method.  A
74	   recipient of such an assertion - if it has trust in the assertion
75	   issuer and the integrity of the assertion - can then base its
76	   authorization decisions on this assertion.

78	   This document is about defining an extension to the Common Policy
79	   markup language, see [I-D.ietf-geopriv-common-policy], that allows to
80	   express conditions with respect to statements contained in SAML
81	   assertions.  It shall be possible to express authorization policy
82	   rules of the following fashion: If the SAML assertion has been issued
83	   by the assertion issuer A and if the assertion assures that the
84	   assertion subject S has been authenticated by means of the
85	   authenticated method M, then S is permitted to ... .

87	2.  Terminology

89	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
90	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
91	   document are to be interpreted as described in [RFC2119].

93	3.  Basic Scenario

95	   Figure 1 depicts a basic scenario in the scope of this document: a
96	   Subject S wishes to have access to a certain resource (e.g., location
97	   information of a particular entity).  After a successful
98	   authentication protocol execution between S and the Asserting Party
99	   (AP), see step 1, the AP issues a SAML assertion (step 2), which
100	   asserts that S has been authenticated by AP using method M and is
101	   associated with a certain set of attributes.

103	       +-------------+ 1: Authentication +------------+
104	       |             |<----------------->| Asserting  |
105	       | Subject (S) |                   |  Party     |
106	       |             |<------------------|   (AP)     |
107	       +-------------+ 2: SAML Assertion +------------+
108	              |
109	              |
110	            3:| Service Request
111	              | + Assertion
112	              v
113	       +-------------+                   +------------+
114	       |   Relying   |    4: Policy      |   Policy   |
115	       |    Party    |<------------------|   Server   |
116	       |    (RP)     |                   |    (PS)    |
117	       +-------------+                   +------------+

119	                         Figure 1: Basic Scenario

121	   After receipt of the assertion, the Relying Party (RP) can base its
122	   resource access authorization decision on this assertion.  The
123	   authorization policy governing access to the requested resource is
124	   stored at the Policy Server (PS).  Thanks to the language elements
125	   introduced in this document, this policy can contain rules whose
126	   conditions parts express properties that the SAML assertion must meet
127	   in order to make the rule match.

129	4.  SAML Condition Example

131	   Each policy rule of the Common Policy markup language [I-D.ietf-
132	   geopriv-common-policy] consists of a <conditions>, an <actions> and a
133	   <transformations> element (all of which are optional elements).  The
134	   Common Policy XML schema defines the <conditions> element in such a
135	   way that it allows for any child elements that belong to XML
136	   namespaces different from the common policy namespace.

138	   This document defines a new XML element, namely, the <samlcondition>
139	   element, whose purpose is to be used as such a child element of the
140	   common policy <conditions> element.  This paragraph provides an
141	   example of an XML document valid with respect to the SAML Condition
142	   schema (as shown in Section 5) and the Common Policy schema (as
143	   listed in Section 6).

145	   <?xml version="1.0" encoding="UTF-8"?>
146	   <ruleset
147	     xmlns="urn:ietf:params:xml:ns:common-policy"
148	     xmlns:samlcond="urn:ietf:params:xml:ns:saml-condition"
149	     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
150	     xsi:schemaLocation=
151	     "urn:ietf:params:xml:ns:common-policy common-policy.xsd
152	      urn:ietf:params:xml:ns:saml-condition saml-condition.xsd">

154	     <rule id="Hz90op54I">

156	       <conditions>

158	         <validity>
159	           <from>2005-08-02T17:00:00-05:00</from>
160	           <to>2005-08-04T19:00:00-05:00</to>
161	         </validity>

163	         <samlcond:samlcondition>

165	           <samlcond:issuer>idp.com</samlcond:issuer>

167	           <samlcond:subject>
168	             <samlcond:nameid>bob@example.com</samlcond:nameid>
169	           </samlcond:subject>

171	           <samlcond:authnstatement>

173	             <samlcond:authncontext>
174	               <samlcond:authncontextclassref>
175	     urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
176	               </samlcond:authncontextclassref>
177	             </samlcond:authncontext>

179	             <samlcond:authncontext>
180	               <samlcond:authncontextclassref>
181	     urn:oasis:names:tc:SAML:2.0:ac:classes:X509
182	               </samlcond:authncontextclassref>
183	             </samlcond:authncontext>

185	           </samlcond:authnstatement>

187	         </samlcond:samlcondition>

189	       </conditions>

191	       <actions></actions>

193	     </rule>

195	   </ruleset>

197	   The rule set in this example consists of one rule only.  The
198	   <conditions> part of the rule consists of a <validity> condition
199	   (defined by the Common Policy schema) and a <samlcondition> (defined
200	   by this document in Section 5).  The <validity> element specifies the
201	   time period during which the rule is applicable.  The <samlcondition>
202	   element as shown above evaluates to true if and only if the SAML
203	   assertion presented to the Relying Party satisfies the following
204	   properties:

206	   1) The issuer of the SAML assertion is idp.com.

208	   2) The subject of the SAML assertion is bob@example.com.

210	   3) The authentication context class referenced in the SAML assertion
211	      is PasswordProtectedTransport (i.e., the subject of the assertion
212	      has authenticated to the Asserting Party through the presentation
213	      of a password over a protected session) or X509 (i.e., the subject
214	      of the assertion has authenticated to the Asserting Party by means
215	      of a digital signature where the key was validated as part of a
216	      X.509 public key infrastructure).

218	   To be more precisely, the SAML assertion presented to the Relying
219	   Party has to satisfy the following properties to make the
220	   <samlcondition> element evaluate to true:

222	   1) The content of the <saml:Issuer> element of the SAML assertion
223	      must equal the string "idp.com".

225	   2) The SAML assertion must contain a <saml:Subject> child element
226	      (which is optional by the SAML assertion schema), and this <saml:
227	      Subject> element must contain a <saml:NameID> element whose
228	      content equals the string "bob@example.com".

230	   3) The SAML assertion must contain an <saml:AuthnStatement> element
231	      with an <saml:AuthnContext> child element that possesses an <saml:
232	      AuthnContextClassRef> child element whose content is either
233	      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
234	      or urn:oasis:names:tc:SAML:2.0:ac:classes:X509.

236	   The complete list of Authentication Context types defined by SAML can
237	   be found in [SAMLAuthnContext].

239	5.  SAML Condition Schema

241	   <?xml version="1.0" encoding="UTF-8"?>
242	   <xs:schema
243	     targetNamespace="urn:ietf:params:xml:ns:saml-condition"
244	     xmlns:samlcond="urn:ietf:params:xml:ns:saml-condition"
245	     xmlns:cp="urn:ietf:params:xml:ns:common-policy"
246	     xmlns:xs="http://www.w3.org/2001/XMLSchema"
247	     elementFormDefault="qualified"
248	     attributeFormDefault="unqualified">

250	     <xs:import namespace="urn:ietf:params:xml:ns:common-policy"
251	       schemaLocation="common-policy.xsd"/>

253	     <!-- Definition of element types for saml conditions -->
254	     <!-- Element names correspond to SAML element names  -->

256	     <xs:element name="issuer" type="xs:string"/>

258	     <xs:element name="subject">
259	       <xs:complexType>
260	         <xs:sequence>
261	           <xs:element name="nameid" type="xs:string"/>
262	         </xs:sequence>
263	       </xs:complexType>
264	     </xs:element>

266	     <xs:element name="authnstatement">
267	       <xs:complexType>
268	         <xs:sequence>
269	           <xs:element ref="samlcond:authncontext"
270	             maxOccurs="unbounded"/>
271	         </xs:sequence>
272	       </xs:complexType>
273	     </xs:element>

275	     <xs:element name="authncontext">
276	       <xs:complexType>
277	         <xs:sequence>
278	           <xs:element ref="samlcond:authncontextclassref"/>
279	         </xs:sequence>
280	       </xs:complexType>
281	     </xs:element>

283	     <xs:element name="authncontextclassref" type="xs:anyURI"/>

285	     <!-- Definition of saml conditions -->
286	     <xs:element name="samlcondition">
287	       <xs:complexType>
288	         <xs:sequence>

290	           <xs:element ref="samlcond:issuer"
291	             minOccurs="0" maxOccurs="unbounded"/>

293	           <xs:element ref="samlcond:subject"
294	             minOccurs="0" maxOccurs="unbounded"/>

296	           <xs:element ref="samlcond:authnstatement"
297	             minOccurs="0" maxOccurs="unbounded"/>

299	         </xs:sequence>
300	       </xs:complexType>
301	     </xs:element>

303	   </xs:schema>

305	6.  Common Policy Schema

307	   Just for the sake of completeness, this section contains that version
308	   of the Common Policy XML schema that defines - along with the schema
309	   specified in Section 5 - the XML language to which the example in
310	   Section 4 belongs.

312	   <?xml version="1.0" encoding="UTF-8"?>
313	   <xs:schema
314	     targetNamespace="urn:ietf:params:xml:ns:common-policy"
315	     xmlns:cp="urn:ietf:params:xml:ns:common-policy"
316	     xmlns:xs="http://www.w3.org/2001/XMLSchema"
317	     elementFormDefault="qualified"
318	     attributeFormDefault="unqualified">

320	     <!-- Rule Set -->

322	     <xs:element name="ruleset">
323	       <xs:complexType>
324	         <xs:sequence>
325	           <xs:element name="rule" type="cp:ruleType"
326	             minOccurs="0" maxOccurs="unbounded"/>
327	         </xs:sequence>
328	       </xs:complexType>
329	     </xs:element>

331	     <!-- Rule -->

333	     <xs:complexType name="ruleType">

335	       <xs:sequence>

337	         <!-- Conditions -->

339	         <xs:element name="conditions" minOccurs="0">
340	           <xs:complexType>
341	             <xs:sequence>

343	               <xs:element name="validity" minOccurs="0">
344	                 <xs:complexType>
345	                   <xs:all>
346	                     <xs:element name="from" type="xs:dateTime"/>
347	                     <xs:element name="to" type="xs:dateTime"/>
348	                   </xs:all>
349	                 </xs:complexType>
350	               </xs:element>
351	               <xs:element name="identity" minOccurs="0">
352	                 <xs:complexType>
353	                   <xs:choice>

355	                     <xs:element name="id" maxOccurs="unbounded">
356	                       <xs:complexType>
357	                         <xs:attribute name="val"
358	                           type="xs:string" use="required"/>
359	                       </xs:complexType>
360	                     </xs:element>

362	                     <xs:sequence>
363	                       <xs:element name="domain" type="xs:string"/>
364	                       <xs:element name="except"
365	                         minOccurs="0" maxOccurs="unbounded">
366	                         <xs:complexType>
367	                           <xs:attribute name="val"
368	                             type="xs:string" use="required"/>
369	                         </xs:complexType>
370	                       </xs:element>
371	                     </xs:sequence>

373	                     <xs:element name="anonymous">
374	                       <xs:complexType>
375	                         <xs:sequence>
376	                           <xs:element name="domain"
377	                             minOccurs="0" maxOccurs="unbounded">
378	                             <xs:complexType>
379	                               <xs:attribute name="val"
380	                                 type="xs:string" use="required"/>
381	                             </xs:complexType>
382	                           </xs:element>
383	                         </xs:sequence>
384	                       </xs:complexType>
385	                     </xs:element>

387	                     <xs:element name="exception">
388	                       <xs:complexType>
389	                         <xs:sequence>
390	                           <xs:element name="domain"
391	                             minOccurs="0" maxOccurs="unbounded">
392	                             <xs:complexType>
393	                               <xs:attribute name="val"
394	                                 type="xs:string" use="required"/>
395	                             </xs:complexType>
396	                           </xs:element>
397	                           <xs:element name="id"
398	                             minOccurs="0" maxOccurs="unbounded">
399	                             <xs:complexType>
400	                               <xs:attribute name="val"
401	                                 type="xs:string" use="required"/>
402	                             </xs:complexType>
403	                           </xs:element>
404	                         </xs:sequence>
405	                       </xs:complexType>
406	                     </xs:element>

408	                     <xs:element name="any-identity" type="xs:string"/>

410	                   </xs:choice>
411	                 </xs:complexType>
412	               </xs:element>

414	               <xs:element name="sphere"
415	                 minOccurs="0" maxOccurs="unbounded">
416	                 <xs:complexType>
417	                   <xs:attribute name="val"
418	                     type="xs:string" use="required"/>
419	                 </xs:complexType>
420	               </xs:element>

422	               <xs:any namespace="##other" processContents="lax"
423	                 minOccurs="0" maxOccurs="unbounded"/>

425	             </xs:sequence>
426	           </xs:complexType>
427	         </xs:element>

429	         <!-- Actions -->

431	         <xs:element name="actions" minOccurs="0">
432	           <xs:complexType>
433	             <xs:sequence>
434	               <xs:any namespace="##other" processContents="lax"
435	                 minOccurs="0" maxOccurs="unbounded"/>
436	             </xs:sequence>
437	           </xs:complexType>
438	         </xs:element>

440	         <!-- Transformations -->

442	         <xs:element name="transformations" minOccurs="0">
443	           <xs:complexType>
444	             <xs:sequence>
445	               <xs:any namespace="##other" processContents="lax"
446	                 minOccurs="0" maxOccurs="unbounded" />

448	             </xs:sequence>
449	           </xs:complexType>
450	         </xs:element>

452	       </xs:sequence>

454	       <xs:attribute name="id" type="xs:string" use="required"/>

456	     </xs:complexType>

458	   </xs:schema>

460	7.  Security Considerations

462	   [tbd]

464	8.  IANA Considerations

466	   [tbd]

468	9.  Open Issues

470	   1) SAML assertions with authorization decision statements.

472	   2) SAML assertions with attribute statements.

474	   3) Alignment with Common Policy markup language.

476	   4) Security Considerations.

478	   5) IANA considerations.

480	10.  References

482	10.1  Normative References

484	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
485	              Requirement Levels", March 1997.

487	   [SAMLAuthnContext]
488	              OASIS, "Authentication Context for the OASIS Security
489	              Assertion Markup Language (SAML) V2.0", OASIS
490	              Standard saml-authn-context-2.0-os.pdf, March 2005.

492	   [SAMLCore]
493	              OASIS, "Assertions and Protocol for the OASIS Security
494	              Assertion Markup Language (SAML) V2.0", OASIS
495	              Standard saml-core-2.0-os.pdf, March 2005.

497	10.2  Informative References

499	   [I-D.ietf-geopriv-common-policy]
500	              Schulzrinne, H., Morris, J., Tschofenig, H., Polk, J., and
501	              J. Rosenberg, "A Document Format for Expressing Privacy
502	              Preferences", draft-ietf-geopriv-common-policy-04 (work in
503	              progress), February 2005.

505	Author's Address

507	   Christian Guenther
508	   Siemens
509	   Otto-Hahn-Ring 6
510	   Munich, Bavaria  81739
511	   Germany

513	   Email: christian.guenther@siemens.com

515	Intellectual Property Statement

517	   The IETF takes no position regarding the validity or scope of any
518	   Intellectual Property Rights or other rights that might be claimed to
519	   pertain to the implementation or use of the technology described in
520	   this document or the extent to which any license under such rights
521	   might or might not be available; nor does it represent that it has
522	   made any independent effort to identify any such rights.  Information
523	   on the procedures with respect to rights in RFC documents can be
524	   found in BCP 78 and BCP 79.

526	   Copies of IPR disclosures made to the IETF Secretariat and any
527	   assurances of licenses to be made available, or the result of an
528	   attempt made to obtain a general license or permission for the use of
529	   such proprietary rights by implementers or users of this
530	   specification can be obtained from the IETF on-line IPR repository at
531	   http://www.ietf.org/ipr.

533	   The IETF invites any interested party to bring to its attention any
534	   copyrights, patents or patent applications, or other proprietary
535	   rights that may cover technology that may be required to implement
536	   this standard.  Please address the information to the IETF at
537	   ietf-ipr@ietf.org.

539	Disclaimer of Validity

541	   This document and the information contained herein are provided on an
542	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
543	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
544	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
545	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
546	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
547	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

549	Copyright Statement

551	   Copyright (C) The Internet Society (2005).  This document is subject
552	   to the rights, licenses and restrictions contained in BCP 78, and
553	   except as set forth therein, the authors retain all their rights.

555	Acknowledgment

557	   Funding for the RFC Editor function is currently provided by the
558	   Internet Society.