Post on 19-Jan-2016
Using SAML for SIP
<draft-tschofenig-sip-saml-00.txt>
H. Tschofenig, J. Peterson, J. Polk, D. Sicker, M. Tegnander
Overview
<draft-ietf-sipping-trait-authz-00.txt> presents
— a problem statement
— scenarios and
— requirements
Using Security Assertion Markup Language (SAML) in collaboration with SIP provides a solution for trait-based authorization.
Draft Content - In a Nutshell
Three parties:
— User
— Asserting Party (creates Assertions/Artifact) = "Authentication Server"
— Relying Party (verifies Assertions/Artifact)
SAML Push Model
— Uses Assertions in a "Call by value" style
SAML Pull Model
— Uses Artifacts in a "Call by reference" style
Two ways of attaching the Assertions/Artifacts
— Separate exchange with the Authentication Server
— SIP messages traverse Authentication Server
Open Issues (1)
Issue:
— Reference integrity of SAML Assertions and SIP sessions
Proposal:
— Reuse existing work by Jon
Issue:
— Where should the Assertions be attached?
Proposal:
— SIP UA adds Assertions in body; SIP proxies add them by reference (Artifacts) in the SIP header
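The relying-party side of the push and pull models from the "In a Nutshell" slide, together with the reference-integrity check raised in Open Issues (1), as an added example (not code from the draft or its authors). The SAML-Artifact header name, the body content type and the binding rule (assertion subject equals the From URI, the request Date lies inside the assertion's validity window) are assumptions, since the slides leave them open; the SIP message and assertion are constructed samples.

```python
import email.utils
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 namespace (assumed)
# Constructed sample: assertion for Alice issued by the Authentication Server.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Subject><saml:NameID>sip:alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2016-01-19T09:50:00Z" NotOnOrAfter="2016-01-19T10:50:00Z"/>
</saml:Assertion>"""
HEADERS = ("INVITE sip:bob@example.org SIP/2.0\r\n"
           'From: "Alice" <sip:alice@example.com>;tag=9fxced76sl\r\n'
           "Date: Tue, 19 Jan 2016 10:00:00 GMT\r\n")
PUSH_INVITE = HEADERS + "Content-Type: application/xml\r\n\r\n" + ASSERTION  # call by value
PULL_INVITE = HEADERS + "SAML-Artifact: art-42\r\n\r\n"  # call by reference (hypothetical header)

def parse_sip(raw):
    """Split a SIP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {name.strip().lower(): value.strip()
               for name, _, value in (line.partition(":") for line in lines)}
    return start, headers, body

def from_uri(headers):
    """Return the bare URI from a From header such as '"Alice" <sip:alice@example.com>;tag=1'."""
    value = headers["from"]
    return value[value.find("<") + 1:value.find(">")] if "<" in value else value.split(";")[0]

def check_assertion(assertion_xml, headers):
    """Reference integrity (assumed rule): subject == From URI and Date within validity."""
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    not_before = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    request_time = email.utils.parsedate_to_datetime(headers["date"])
    return subject == from_uri(headers) and not_before <= request_time < not_after

def authorize(raw, resolve_artifact):
    """Relying-party decision: returns ('push' | 'pull' | 'none', accepted)."""
    _, headers, body = parse_sip(raw)
    if body.strip():  # push model: the assertion itself is carried in the body
        return "push", check_assertion(body, headers)
    artifact = headers.get("saml-artifact")  # pull model: only a reference travels in SIP
    if artifact is None:
        return "none", False
    assertion = resolve_artifact(artifact)  # dereference at the Authentication Server
    return "pull", assertion is not None and check_assertion(assertion, headers)
```

In a deployment the signature on the assertion would be verified before the binding check; that step is omitted here to keep the focus on how the two models attach and bind the assertion to the SIP request.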
Open Issue (2)
Issue:
— Artifact should include a URL to enable easier dereference
Proposal:
— Change it with the next version of the draft
Issue:
— Option-tags need to be introduced (required / supported option-tag)
Proposal:
— Add them with the next version
Open Issue (3)
Further issues:
— Relationship with Liberty Alliance
— More details for the described scenarios
Please send comments!
Questions?