SAML vocabulary extension for OTTO Draft-01
otto-saml-draft-01

Abstract

This specification describes a method for packaging information about SAML-based federations, and establishing mechanisms for its validation. It includes term definitions which appear in the current JSON-LD context for the OTTO 1.0 specification.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 26, 2018.

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction
2. Requirements Language
3. Notational Conventions
4. OTTO SAML Vocabulary Extension

4.1. SAML Entities
4.2. samlEntityDescriptor
4.3. samlServiceProviderEndpoint
4.4. samlIdentityProvider
4.5. samlAttributeAuthorityEndpoint

5. Acknowledgements
6. IANA Considerations
7. Security Considerations
8. References

8.1. Normative References
8.2. Informative References

Author's Address

1. Introduction

The Open Trust Taxonomy for Federation Operators ("OTTO") defines an extension mechanism to allow the community to add functionality in a community compatible way. This specification was developed to enable OTTO federations to support SAML-based identity services, and defines all the terms used in the JSON-LD context file which the extension covers.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

3. Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Unless otherwise noted, all protocol properties and values are case sensitive.

4. OTTO SAML Vocabulary Extension

4.1. SAML Entities

samlEntitiesDescriptor
Property	Expected Type	Description
id	samlMD:ID	unique identifier for this collection of SAML entity descriptors
name	string	name of this collection of SAML entity descriptors
validUntil	dateTime	This collection of SAML entity descriptors is valid until the specified date and time
publicationInfo	samlMdRpi	Publisher and creation date for this collection of SAML entity descriptors
EntityDescriptor or array of EntityDescriptor	samlEntityDescriptor	an entity descriptor included in this collection

4.2. samlEntityDescriptor

samlEntityDescriptor
Property	Expected Type	Description
samlEntityCategory	samlEntityCategory or array of samlEntityCategory	URI identifier for a registered Refeds Entity Category (e.g., Research and Scholarship)
entity	Otto:Entity	Elements that are common to both SAML Entities and Otto Entities
samlServiceProvider	samlServiceProviderEndpoint or array of samlServiceProviderEndpoint	The attributes of the Service Provider Endpoints provided by this entity
samlIdentityProvider	samlIdentityProviderEndpoint or array of samlIdentityProviderEndpoint	The attributes of the Identity Provider Endpoints provided by this entity
samlAttributeAuthority	samlAttributeAuthorityEndpoint or array of samlAttributeAuthorityEndpoint	The The attributes of the Attribute Authority Endpoints provided by this entity

4.3. samlServiceProviderEndpoint

samlServiceProviderEndpoint
Property	Expected Type	Description
supportedSamlVersion	samlVersionId or array of samlVersionId
samlKey	xml representation of mdKeyDescriptor	Keys for signing (and encryption)
discoveryResponse	mdExtDiscoveryResponse or indexed array of mdExtDiscoveryResponse	URL(s) of the SSO Endpoints associated with this SAML Service Provider Entity
keyDescriptor	mdKeyDescriptor of arra of mdKeyDescriptor	Public keys for SAML signing and encryption
assertionConsumer	mdIndexedEndpointType or array of mdIndexedEndpointType	URLs and type of endpoint that will be consuming attributes
attributeConsumer	mdAttributeConsumerElement	Name and descriptive label and list of attributes for the service that will be consuming attributes
Requested Attributes	List of attributes as defined in \|SAML:Metadata\|	Friendly name and name format of requested attributes

4.4. samlIdentityProvider

samlIdentityProvider
Property	Expected Type	Description
supportedSamlVersion	samlVersionId or array of samlVersionId	List of supported SAML versions
samlUiMetadata	samlUIMetadataType	descriptive information about the IdP User Interface
samlKey	xml representation of mdKeyDescriptor	Keys for signing (and encryption)
samlIdPDomain	samlMd:Scope	The domain for which this Identity Provider is authorized to make assertions
samlIdentityProviderBinding	samlIdentityProviderSSOBinding or array of samlIdentityProviderSSOBinding	The binding supported by this IdP
samlAttributeAuthority	samlAttributeAuthorityEndpoint	The Attribute Authority endpoint associated with this IdP

4.5. samlAttributeAuthorityEndpoint

samlAttributeAuthorityEndpoint
Property	Expected Type	Description
supportedSamlVersion	samlVersionId or array of samlVersionId	List of supported SAML versions
samlKey	xml representation of mdKeyDescriptor	Keys for signing (and encryption)
samlAaDomain	samlMd:Scope	The domain for which this Attribute Authority is authorized to make assertions
samlAttributeAuthorityBinding	samlAttributeAuthoritySSOBinding or array of samlIdentityProviderSSOBinding	The binding supported by this Attribute Authority

5. Acknowledgements

TBD

6. IANA Considerations

This memo includes no request to IANA.

7. Security Considerations

TBD

8. References

8.1. Normative References

[RFC2119]

Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

8.2. Informative References

[RFC6749]

Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012.

Author's Address

Keith Hazelton (editor) University of Wisconsin-Madison 1210 W Dayton St. Madison, Wisconsin 53706 US Phone: +1 608 262 0771 EMail: hazelton@wisc.edu