rfcdiff of draft-ietf-kitten-sasl-saml-ec-14.txt (October 10, 2015; expired April 12, 2016) against draft-ietf-kitten-sasl-saml-ec-15.txt (April 24, 2017; expires October 26, 2017). The -15 text follows; the -14 revision differs only in dates, page numbers and line wrapping.

Network Working Group                                          S. Cantor
Internet-Draft                                     Shibboleth Consortium
Intended status: Standards Track                           S. Josefsson
Expires: October 26, 2017                                         SJD AB
                                                          April 24, 2017

          SAML Enhanced Client SASL and GSS-API Mechanisms
                  draft-ietf-kitten-sasl-saml-ec-15.txt
Abstract

   Security Assertion Markup Language (SAML) 2.0 is a generalized
   framework for the exchange of security-related information between
   asserting and relying parties.  Simple Authentication and Security
   Layer (SASL) and the Generic Security Service Application Program
   Interface (GSS-API) are application frameworks to facilitate an
   extensible authentication model.  This document specifies a SASL and
   GSS-API mechanism for SAML 2.0 that leverages the capabilities of a
   SAML-aware "enhanced client" to address significant barriers to
   federated authentication in a manner that encourages reuse of
   existing SAML bindings and profiles designed for non-browser
   scenarios.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 26, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Applicability for Non-HTTP Use Cases . . . . . . . . . . . .   5
   4.  SAML Enhanced Client SASL Mechanism Specification  . . . . .   8
     4.1.  Advertisement  . . . . . . . . . . . . . . . . . . . . .   8
     4.2.  Initiation . . . . . . . . . . . . . . . . . . . . . . .   8
     4.3.  Server Response  . . . . . . . . . . . . . . . . . . . .   9
     4.4.  User Authentication with Identity Provider . . . . . . .   9
     4.5.  Client Response  . . . . . . . . . . . . . . . . . . . .   9
     4.6.  Outcome  . . . . . . . . . . . . . . . . . . . . . . . .   9
     4.7.  Additional Notes . . . . . . . . . . . . . . . . . . . .  10
   5.  SAML EC GSS-API Mechanism Specification  . . . . . . . . . .  10
     5.1.  GSS-API Credential Delegation  . . . . . . . . . . . . .  11
     5.2.  GSS-API Channel Binding  . . . . . . . . . . . . . . . .  12
     5.3.  Session Key Derivation . . . . . . . . . . . . . . . . .  12
       5.3.1.  Generated by Identity Provider . . . . . . . . . . .  13
       5.3.2.  Alternate Key Derivation Mechanisms  . . . . . . . .  14
     5.4.  Per-Message Tokens . . . . . . . . . . . . . . . . . . .  14
     5.5.  Pseudo-Random Function (PRF) . . . . . . . . . . . . . .  15
     5.6.  GSS-API Principal Name Types for SAML EC . . . . . . . .  15
       5.6.1.  User Naming Considerations . . . . . . . . . . . . .  16
       5.6.2.  Service Naming Considerations  . . . . . . . . . . .  17
   6.  Example  . . . . . . . . . . . . . . . . . . . . . . . . . .  17
   7.  Security Considerations  . . . . . . . . . . . . . . . . . .  25
     7.1.  Risks Left Unaddressed . . . . . . . . . . . . . . . . .  26
     7.2.  User Privacy . . . . . . . . . . . . . . . . . . . . . .  26
     7.3.  Collusion between RPs  . . . . . . . . . . . . . . . . .  27
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  27
     8.1.  GSS-API and SASL Mechanism Registration  . . . . . . . .  27
     8.2.  XML Namespace Name for SAML-EC . . . . . . . . . . . . .  27
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . .  28
     9.1.  Normative References . . . . . . . . . . . . . . . . . .  28
     9.2.  Normative References for GSS-API Implementers  . . . . .  29
     9.3.  Informative References . . . . . . . . . . . . . . . . .  30
   Appendix A.  XML Schema  . . . . . . . . . . . . . . . . . . . .  31
   Appendix B.  Acknowledgments . . . . . . . . . . . . . . . . . .  33
   Appendix C.  Changes . . . . . . . . . . . . . . . . . . . . . .  33
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . .  34
1.  Introduction

   Security Assertion Markup Language (SAML) 2.0
   [OASIS.saml-core-2.0-os] is a modular specification that provides
   various means for a user to be identified to a relying party (RP)
   through the exchange of (typically signed) assertions issued by an
   identity provider (IdP).  It includes a number of protocols, protocol
   bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
   [OASIS.saml-profiles-2.0-os] designed for different use cases.

   skipping to change at page 8, line 13
                     Figure 2: Authentication flow

4.  SAML Enhanced Client SASL Mechanism Specification

   Based on the previous figures, the following operations are defined
   by the SAML SASL mechanism:

4.1.  Advertisement

   To advertise that a server supports this mechanism, during
   application session initiation, it displays the name "SAML20EC" and/
   or "SAML20EC-PLUS" in the list of supported SASL mechanisms.

   In accordance with [RFC5801] the "-PLUS" variant indicates that the
   server supports channel binding and would be selected by a client
   with that capability.
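   The selection rule above is the RFC 5801 one, and it carries a
   downgrade-detection twist that is easy to get wrong: a client that
   can do channel binding but sees only the plain mechanism must still
   tell the server so.  The following is an added illustration, not code
   from the draft or from any SAML EC implementation.  It assumes the
   client's initial message is prefixed with the GS2 header of RFC 5801
   ("gs2-cb-flag , [a=authzid] ,"); the draft's own definition of the
   initial response is not on this page, so that layout is taken from
   RFC 5801 rather than from SAML EC.

```python
# Added example (not from the draft): choosing between SAML20EC and
# SAML20EC-PLUS and building the GS2 channel-binding flag of RFC 5801.
# Assumption: the client's initial message starts with a GS2 header
# "gs2-cb-flag , [a=authzid] ,"; the draft excerpt only states the
# advertisement rule, so the header layout comes from RFC 5801.

from dataclasses import dataclass
from typing import Optional, Sequence

MECH = "SAML20EC"
MECH_PLUS = MECH + "-PLUS"


@dataclass(frozen=True)
class Selection:
    mechanism: str      # mechanism name the client sends to the server
    gs2_cb_flag: str    # "n", "y" or "p=<cb-type>" (RFC 5801 gs2-cb-flag)


def select_mechanism(advertised: Sequence[str],
                     client_cb_type: Optional[str]) -> Optional[Selection]:
    """Pick the mechanism variant and channel-binding flag.

    advertised     - mechanism names the server listed (e.g. an IMAP
                     CAPABILITY response or an XMPP <mechanisms/> list)
    client_cb_type - channel-binding type the client can compute
                     (e.g. "tls-unique"), or None if it cannot

    RFC 5801 rules:
      client supports CB, server offers -PLUS     -> -PLUS, "p=<type>"
      client supports CB, server offers base only -> base,  "y"
      client cannot do CB                         -> base,  "n"
    The "y" flag lets a server that really does support -PLUS notice
    that its advertisement was stripped in transit (a downgrade).
    """
    offered = set(advertised)
    if client_cb_type:
        if MECH_PLUS in offered:
            return Selection(MECH_PLUS, "p=" + client_cb_type)
        if MECH in offered:
            return Selection(MECH, "y")
        return None
    if MECH in offered:
        return Selection(MECH, "n")
    return None


def gs2_header(sel: Selection, authzid: Optional[str] = None) -> bytes:
    """Encode the GS2 header that prefixes the initial client message.

    gs2-header = gs2-cb-flag "," [ "a=" authzid ] ","
    RFC 5801 escapes "=" as =3D and "," as =2C inside the authzid.
    """
    a = ""
    if authzid:
        a = "a=" + authzid.replace("=", "=3D").replace(",", "=2C")
    return (sel.gs2_cb_flag + "," + a + ",").encode("utf-8")


def server_accepts_cb_flag(server_supports_cb: bool, flag: str) -> bool:
    """Server-side check; False means authentication MUST fail.

    A "y" flag from the client means it supports channel binding but did
    not see our -PLUS advertisement.  If we do support channel binding,
    the capability list was tampered with, so RFC 5801 requires failure.
    """
    return not (flag == "y" and server_supports_cb)
```

   Run against the two advertisement shapes the draft allows ("SAML20EC"
   alone, or both names), the client ends up with "n", "y" or
   "p=tls-unique" respectively, and only the "y"-with-capable-server
   combination is rejected on the acceptor side.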
4.2.  Initiation

   A client initiates "SAML20EC" or "SAML20EC-PLUS" authentication.  If
   supported by the application protocol, the client MAY include an
   initial response, otherwise it waits until the server has issued an

   skipping to change at page 14, line 9
   MUST encrypt the assertion (implying that it MUST have the means to
   do so, typically knowledge of a key associated with the RP).  If
   multiple assertions are issued (allowed, but not typical), the
   element need only be included in one of the assertions issued for use
   by the relying party.

   A copy of the element is also added as a SOAP header block in the
   response from the identity provider to the client (and then removed
   when constructing the response to the acceptor).

   If this mechanism is used by the initiator, then the
   <samlec:SessionKey> SOAP header block attached to the final client
   response message will identify this via the omission of the Algorithm
   attribute and will identify the chosen encryption type using the
   <samlec:EncType> element:

   <samlec:SessionKey xmlns:samlec="urn:ietf:params:xml:ns:samlec"
       xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
       S:mustUnderstand="1"
       S:actor="http://schemas.xmlsoap.org/soap/actor/next">
     <samlec:EncType>17</samlec:EncType>
   </samlec:SessionKey>

   Both the initiator and acceptor MUST execute the chosen encryption
   type's random-to-key function over the pseudorandom value provided by
   the <samlec:GeneratedKey> element.  The result of that function is
   used as the protocol and session key.  Support for subkeys from the
   initiator or acceptor is not specified.

5.3.2.  Alternate Key Derivation Mechanisms

   In the event that a client is proving possession of a secret or
   private key, a formal key agreement algorithm might be supported.
   This specification does not define such a mechanism, but the
   <samlec:SessionKey> element is extensible to allow for future work in
   this space by means of the Algorithm attribute and an optional
   <ds:KeyInfo> child element to carry extensible content related to key
   establishment.

   However a key is derived, the <samlec:EncType> element will identify
   the chosen encryption type, and both the initiator and acceptor MUST
   execute the encryption type's random-to-key function over the result
   of the key agreement or derivation process.  The result of that
   function is used as the protocol key.
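   The two derivation paths above (IdP-generated key in 5.3.1, future
   key agreement in 5.3.2) meet at the same point: read EncType, run the
   Kerberos random-to-key function of that encryption type, use the
   output as the protocol key.  The following acceptor-side routine is
   an added example and not code from the draft or from any SAML EC
   implementation.  It assumes, beyond what the excerpt states, that
   <samlec:GeneratedKey> carries its pseudorandom value base64-encoded
   and that only the AES encryption types 17 and 18 from RFC 3962 are
   accepted; for those, random-to-key is the identity function, so the
   only real work is the length check.  Any header that carries the
   Algorithm attribute is refused, because no key-agreement algorithm is
   defined for it.

```python
# Added example (not from the draft): acceptor-side handling of the
# <samlec:SessionKey> SOAP header block and the RFC 3961 random-to-key
# step that turns the IdP-supplied pseudorandom value into the protocol key.
# Assumptions (not stated in the excerpt): <samlec:GeneratedKey> holds the
# pseudorandom value base64-encoded; only enctypes 17 (aes128-cts-hmac-sha1-96)
# and 18 (aes256-cts-hmac-sha1-96) are accepted, and for AES enctypes
# RFC 3962 defines random-to-key as the identity function.

import base64
import xml.etree.ElementTree as ET

NS_SAMLEC = "urn:ietf:params:xml:ns:samlec"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

AES_KEY_BYTES = {17: 16, 18: 32}   # enctype -> protocol key length


def random_to_key(enctype: int, random_bits: bytes) -> bytes:
    """RFC 3961 random-to-key for the AES enctypes: identity, after a
    strict length check so a short or truncated value cannot be used."""
    size = AES_KEY_BYTES.get(enctype)
    if size is None:
        raise ValueError(f"unsupported enctype {enctype}")
    if len(random_bits) != size:
        raise ValueError(f"enctype {enctype} needs {size} bytes, got {len(random_bits)}")
    return bytes(random_bits)


def parse_session_key_header(header_xml: str) -> int:
    """Validate a <samlec:SessionKey> header block and return its EncType.

    Rejects blocks carrying the Algorithm attribute (Section 5.3.2), since
    this example implements only the IdP-generated-key path of 5.3.1.
    """
    el = ET.fromstring(header_xml)
    if el.tag != f"{{{NS_SAMLEC}}}SessionKey":
        raise ValueError("not a samlec:SessionKey header block")
    if el.get(f"{{{NS_SOAP}}}mustUnderstand") != "1":
        raise ValueError("SessionKey header block must carry S:mustUnderstand=1")
    if el.get("Algorithm") is not None:
        raise ValueError("Algorithm attribute present: key agreement not supported")
    enc = el.find(f"{{{NS_SAMLEC}}}EncType")
    if enc is None or not enc.text or not enc.text.strip().isdigit():
        raise ValueError("missing or malformed samlec:EncType")
    return int(enc.text.strip())


def header_is_acceptable(header_xml: str) -> bool:
    """Exception-free wrapper around parse_session_key_header."""
    try:
        parse_session_key_header(header_xml)
        return True
    except (ValueError, ET.ParseError):
        return False


def derive_protocol_key(header_xml: str, generated_key_xml: str) -> bytes:
    """Combine the header's EncType with the <samlec:GeneratedKey> value."""
    enctype = parse_session_key_header(header_xml)
    gk = ET.fromstring(generated_key_xml)
    if gk.tag != f"{{{NS_SAMLEC}}}GeneratedKey" or not gk.text:
        raise ValueError("missing samlec:GeneratedKey")
    random_bits = base64.b64decode(gk.text.strip(), validate=True)
    return random_to_key(enctype, random_bits)


# Constructed sample inputs (not captured from a real exchange).
SAMPLE_HEADER = (
    f'<samlec:SessionKey xmlns:samlec="{NS_SAMLEC}" xmlns:S="{NS_SOAP}" '
    'S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">'
    '<samlec:EncType>17</samlec:EncType></samlec:SessionKey>'
)
# 16 placeholder bytes stand in for the IdP's pseudorandom output.
SAMPLE_GENERATED_KEY = (
    f'<samlec:GeneratedKey xmlns:samlec="{NS_SAMLEC}">'
    + base64.b64encode(bytes(range(16))).decode("ascii")
    + "</samlec:GeneratedKey>"
)

if __name__ == "__main__":
    print(derive_protocol_key(SAMPLE_HEADER, SAMPLE_GENERATED_KEY).hex())
```

   A header whose EncType does not match the length of the GeneratedKey
   value (for example EncType 18 with a 16-byte value) fails in
   random_to_key rather than silently producing a short key, which is
   the check the "MUST execute the random-to-key function" wording is
   there to guarantee.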
5.4.  Per-Message Tokens

   skipping to change at page 16, line 37
   constructed as a UTF-8 string in the following form:

   name = element-value "!" Format "!" NameQualifier
          "!" SPNameQualifier "!" SPProvidedID

   The "element-value" token refers to the content of the <saml:NameID>
   element.  The other tokens refer to the identically named XML
   attributes defined for use with the element.  If an attribute is not
   present, which is common, it is omitted (i.e., replaced with the
   empty string).  The Format value is never omitted; if not present,
   the SAML-equivalent value of
   "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" is used.

   Not all SAML assertions contain a <saml:NameID> element.  In the
   event that no such element is present, including the exceptional
   cases of a <saml:BaseID> element or a <saml:EncryptedID> element that
   cannot be decrypted, the GSS_C_NT_ANONYMOUS name type MUST be used
   for the initiator name.
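   The name construction above is simple but has two details worth
   getting right in code: the trailing fields stay present as empty
   strings (so a name with no SPProvidedID ends in "!"), and the
   anonymous fallback applies to every case in which no <saml:NameID>
   can be obtained, including an <saml:EncryptedID> the acceptor cannot
   decrypt.  The following is an added example and not code from the
   draft or from any SAML EC implementation.  It assumes that NameID
   values and attributes contain no "!" (the draft defines no escaping,
   so none is applied) and returns None where the draft says
   GSS_C_NT_ANONYMOUS MUST be used, leaving the choice of name type for
   the non-anonymous case to the caller.

```python
# Added example (not from the draft): deriving the GSS-API initiator
# name of Section 5.6.1 from a SAML 2.0 assertion's <saml:Subject>.
# Assumptions: no escaping of "!" (the draft defines none); None is
# returned where the draft requires the GSS_C_NT_ANONYMOUS name type.

import xml.etree.ElementTree as ET
from typing import Callable, Optional

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def nameid_to_gss_name(name_id: ET.Element) -> str:
    """name = element-value "!" Format "!" NameQualifier
              "!" SPNameQualifier "!" SPProvidedID

    Absent attributes contribute the empty string; Format is never
    empty and defaults to the SAML 1.1 "unspecified" URI.
    """
    return "!".join([
        name_id.text or "",
        name_id.get("Format") or FORMAT_UNSPECIFIED,
        name_id.get("NameQualifier", ""),
        name_id.get("SPNameQualifier", ""),
        name_id.get("SPProvidedID", ""),
    ])


Decryptor = Callable[[ET.Element], Optional[ET.Element]]


def initiator_name_from_assertion(assertion_xml: str,
                                  decrypt: Optional[Decryptor] = None) -> Optional[str]:
    """Return the initiator name string, or None when GSS_C_NT_ANONYMOUS
    MUST be used (no Subject, no NameID, a BaseID, or an EncryptedID
    that cannot be decrypted).

    decrypt: optional hook receiving the <saml:EncryptedID> element and
    returning the decrypted <saml:NameID> element, or None on failure.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find(f"{{{NS_SAML}}}Subject")
    if subject is None:
        return None
    nid = subject.find(f"{{{NS_SAML}}}NameID")
    if nid is None and decrypt is not None:
        enc = subject.find(f"{{{NS_SAML}}}EncryptedID")
        if enc is not None:
            nid = decrypt(enc)
    if nid is None or nid.tag != f"{{{NS_SAML}}}NameID":
        return None
    return nameid_to_gss_name(nid)


def _assertion(subject_inner: str) -> str:
    """Wrap constructed subject content in a minimal, unsigned assertion."""
    return (f'<saml:Assertion xmlns:saml="{NS_SAML}" ID="_example" Version="2.0" '
            'IssueInstant="2017-04-24T00:00:00Z">'
            '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
            f'<saml:Subject>{subject_inner}</saml:Subject></saml:Assertion>')


# Constructed sample inputs (not from a real identity provider).
SAMPLE_PERSISTENT = _assertion(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'NameQualifier="https://idp.example.org/idp" '
    'SPNameQualifier="imap://mail.example.com">a9f3c2</saml:NameID>')
SAMPLE_NO_FORMAT = _assertion('<saml:NameID>bob</saml:NameID>')
SAMPLE_ENCRYPTED = _assertion(
    '<saml:EncryptedID><xenc:EncryptedData '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedID>')


def stand_in_decrypt(enc: ET.Element) -> Optional[ET.Element]:
    """Stand-in for real XML Encryption decryption; returns a fixed NameID."""
    return ET.fromstring(f'<saml:NameID xmlns:saml="{NS_SAML}">carol</saml:NameID>')
```

   The persistent-identifier sample yields a name with five fields and
   an empty last field; the bare <saml:NameID>bob</saml:NameID> sample
   shows the "unspecified" Format being filled in; the EncryptedID sample
   maps to the anonymous name type unless a decryptor is supplied.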
   As noted in the previous section, it is expected that most
   applications able to rely on SAML authentication would make use of
   naming extensions to obtain additional information about the user

   skipping to change at page 28, line 14
   Registrant Contact:  the IESG

9.  References

9.1.  Normative References

   [OASIS.saml-bindings-2.0-os]
              Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
              Maler, "Bindings for the OASIS Security Assertion Markup
              Language (SAML) V2.0", OASIS Standard
              saml-bindings-2.0-os, March 2005.

   [OASIS.saml-core-2.0-os]
              Cantor, S., Kemp, J., Philpott, R., and E. Maler,
              "Assertions and Protocol for the OASIS Security Assertion
              Markup Language (SAML) V2.0", OASIS Standard
              saml-core-2.0-os, March 2005.

   [OASIS.saml-profiles-2.0-os]
              Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
              P., Philpott, R., and E. Maler, "Profiles for the OASIS
              Security Assertion Markup Language (SAML) V2.0", OASIS
              Standard saml-profiles-2.0-os, March 2005.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
              Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, DOI 10.17487/RFC2617, June 1999,
              <http://www.rfc-editor.org/info/rfc2617>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,

   skipping to change at page 29, line 6
   [RFC4422]  Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
              Authentication and Security Layer (SASL)", RFC 4422,
              DOI 10.17487/RFC4422, June 2006,
              <http://www.rfc-editor.org/info/rfc4422>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <http://www.rfc-editor.org/info/rfc4648>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <http://www.rfc-editor.org/info/rfc5246>.

   [SAMLECP20]
              Cantor, S., "SAML V2.0 Enhanced Client or Proxy Profile
              Version 2.0", OASIS Committee Specification
              OASIS.sstc-saml-ecp-v2.0-cs01, August 2013.

   [W3C.soap11]
              Box, D., Ehnebuske, D., Kakivaya, G., Layman, A.,
              Mendelsohn, N., Nielsen, H., Thatte, S., and D. Winer,
              "Simple Object Access Protocol (SOAP) 1.1", W3C Note
              soap11, May 2000, <http://www.w3.org/TR/SOAP/>.

9.2.  Normative References for GSS-API Implementers

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743,
              DOI 10.17487/RFC2743, January 2000,
              <http://www.rfc-editor.org/info/rfc2743>.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, DOI 10.17487/RFC3961,
              February 2005, <http://www.rfc-editor.org/info/rfc3961>.

   [RFC3962]  Raeburn, K., "Advanced Encryption Standard (AES)
              Encryption for Kerberos 5", RFC 3962,
              DOI 10.17487/RFC3962, February 2005,
              <http://www.rfc-editor.org/info/rfc3962>.

   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
              Version 5 Generic Security Service Application Program
              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
              DOI 10.17487/RFC4121, July 2005,
              <http://www.rfc-editor.org/info/rfc4121>.

   [RFC4401]  Williams, N., "A Pseudo-Random Function (PRF) API
              Extension for the Generic Security Service Application
              Program Interface (GSS-API)", RFC 4401,
              DOI 10.17487/RFC4401, February 2006,
              <http://www.rfc-editor.org/info/rfc4401>.

   [RFC4402]  Williams, N., "A Pseudo-Random Function (PRF) for the
              Kerberos V Generic Security Service Application Program
              Interface (GSS-API) Mechanism", RFC 4402,
              DOI 10.17487/RFC4402, February 2006,
              <http://www.rfc-editor.org/info/rfc4402>.

   [RFC5554]  Williams, N., "Clarifications and Extensions to the
              Generic Security Service Application Program Interface
              (GSS-API) for the Use of Channel Bindings", RFC 5554,
              DOI 10.17487/RFC5554, May 2009,
              <http://www.rfc-editor.org/info/rfc5554>.

   [RFC5801]  Josefsson, S. and N. Williams, "Using Generic Security
              Service Application Program Interface (GSS-API) Mechanisms

   skipping to change at page 30, line 39
   [RFC7056]  Hartman, S. and J. Howlett, "Name Attributes for the GSS-
              API Extensible Authentication Protocol (EAP) Mechanism",
              RFC 7056, DOI 10.17487/RFC7056, December 2013,
              <http://www.rfc-editor.org/info/rfc7056>.

9.3.  Informative References

   [OASIS.saml-metadata-2.0-os]
              Cantor, S., Moreh, J., Philpott, R., and E. Maler,
              "Metadata for the Security Assertion Markup Language
              (SAML) V2.0", OASIS Standard saml-metadata-2.0-os,
              March 2005.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616,
              DOI 10.17487/RFC2616, June 1999,
              <http://www.rfc-editor.org/info/rfc2616>.

   [RFC3920]  Saint-Andre, P., Ed., "Extensible Messaging and Presence
              Protocol (XMPP): Core", RFC 3920, DOI 10.17487/RFC3920,
              October 2004, <http://www.rfc-editor.org/info/rfc3920>.

   [RFC4559]  Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based
              Kerberos and NTLM HTTP Authentication in Microsoft
              Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006,
              <http://www.rfc-editor.org/info/rfc4559>.

   [W3C.REC-xmlschema-1]
              Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn,
              "XML Schema Part 1: Structures", W3C REC-xmlschema-1,
              May 2001, <http://www.w3.org/TR/xmlschema-1/>.

   [WSS-SAML]
              Monzillo, R., "Web Services Security SAML Token Profile
              Version 1.1.1", OASIS Standard OASIS.wss-SAMLTokenProfile,
              May 2012.

Appendix A.  XML Schema

   The following schema formally defines the
   "urn:ietf:params:xml:ns:samlec" namespace used in this document, in
End of changes.  21 change blocks.
77 lines changed or deleted, 77 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/