Please review: DRAFT Reg of application/samlassertion+xml

2004-09-02 12:34:27


NOTE:

Registration of MIME media type application/samlassertion+xml
sstc-saml-2.0-application-samlassertion-registration-00
Jeff Hodges <Jeff.Hodges@Sun.com>
21-Aug-2004


This document supersedes draft-hodges-saml-mediatype-02.txt. It
is intended to be included in sstc-saml-bindings-2.0-cd-02 (i.e. the next
time [SAMLv2Bind] is revised) as an appendix. Please refer to the bibliography
below.

For an overview of the intricacies involved when a non-IETF organization
registers a MIME media type in the "standards tree" (aka "IETF tree"),
please see http://www.w3.org/2002/06/registering-mediatype.html.

The below registration material is intended to satisfy the requirements
stated in draft-freed-media-type-reg-01.txt (which supersedes
draft-freed-mime-p4-04.txt).

This "NOTE" is intended to be removed upon copying this document's
content into [SAMLv2Bind].

Acknowledgments: Thanks to Ned Freed and Larry Masinter for their
comments on a prior draft of this registration. The security
considerations section leverages that of
http://www.iana.org/assignments/media-types/application/vnd.paos+xml, by
John Kemp.




To: ietf-types@iana.org
Subject: Registration of MIME media type application/samlassertion+xml

Introduction
      This document defines a MIME media type --
      application/samlassertion+xml -- for use with the XML serialization
      of SAML (Security Assertion Markup Language) assertions.

      The SAML specification sets -- [SAMLv1.0], [SAMLv1.1], [SAMLv2.0] --
      are work products of the OASIS Security Services Technical Committee
      [SSTC]. The SAML specifications define XML-based constructs with
      which one may make, and convey, security assertions. Using SAML, one
      can, for example, assert that an authentication event pertaining to
      some subject has occurred and convey that assertion to a relying
      party.

      SAML assertions, which are explicitly versioned, are defined by
      [SAMLv1Core], [SAMLv11Core], and [SAMLv2Core].

MIME media type name: application

MIME subtype name: samlassertion+xml

Required parameters: none

Optional parameters: charset
      Same as charset parameter of application/xml [RFC3023].

Encoding considerations:
      Same as for application/xml [RFC3023].

Security considerations:
      Per their specification, samlassertion+xml typed objects do not
      contain executable content. However, SAML assertions are XML-based
      objects [XML]. As such, they have all of the general security
      considerations presented in section 10 of [RFC3023], as well as
      additional ones, since they are explicit security objects. For
      example, samlassertion+xml typed objects will often contain data
      that may identify or pertain to a natural person, and may be used as
      a basis for sessions and access control decisions.

      To counter potential issues, samlassertion+xml typed objects contain
      data that should be signed appropriately by the sender. Any such
      signature must be verified by the recipient of the data - both as a
      valid signature, and as being the signature of the sender. Issuers
      of samlassertion+xml objects containing SAMLv2 assertions may also
      encrypt all, or portions of, the assertions [SAMLv2Core].

      In addition, SAML profiles and protocol bindings specify use of
      secure channels as appropriate.

      [SAMLv2.0] incorporates various privacy-protection techniques in its
      design. For example: opaque handles, specific to interactions
      between specific system entities, are assigned to subjects. The
      handles are mappable to wider-context identifiers (e.g. email
      addresses, account identifiers, etc.) only by those specific parties.

      For a more detailed discussion of SAML security considerations and
      specific security-related design techniques, please refer to the
      SAML specifications listed in the below bibliography. The
      specifications containing security-specific information have been
      explicitly listed for each version of SAML.

Interoperability considerations:
      SAML assertions are explicitly versioned. Relying parties should
      ensure that they observe assertion version information and behave
      accordingly. See "Chapter 4 SAML Versioning" in [SAMLv1Core],
      [SAMLv11Core], or [SAMLv2Core], as appropriate.

Published specification:
      [SAMLv2Bind] explicitly specifies use of the
      application/samlassertion+xml MIME media type. However, it is
      conceivable that non-SAMLv2 assertions (i.e. SAMLv1 and/or SAMLv1.1)
      might in practice be conveyed using SAMLv2 bindings.

Applications which use this media type:
      Potentially any application implementing SAML, as well as those
      applications implementing specifications based on SAML, e.g. those
      available from the Liberty Alliance [LAP].

Additional information:

      Magic number(s):
           In general, the same as for application/xml [RFC3023]. In
           particular, the XML root element of the returned object will be
           <saml:Assertion>, where "saml" maps to a version-specific SAML
           assertion namespace, as defined by the appropriate SAML "core"
           specification (see bibliography). In the case of SAMLv2.0, the
           root element of the returned object may be either
           <saml:Assertion> or <saml:EncryptedAssertion>, where "saml"
           maps to the SAMLv2.0 assertion namespace:
           urn:oasis:names:tc:SAML:2.0:assertion

      File extension(s): none
      Macintosh File Type Code(s): none
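The "magic number" rule above, the versioning rule under "Interoperability considerations", and the signed/encrypted expectations under "Security considerations" can be combined into a single pre-trust classification step. The following Python is an added example written for this page; it is not code from the registration, from the SSTC, or from any SAML implementation. It assumes the SAML 2.0 assertion namespace given above, the SAML 1.0/1.1 assertion namespace and the XML-DSig namespace from the published specifications, and it uses constructed sample assertions. It deliberately rejects bodies carrying a DTD as one concrete application of the general XML concerns in section 10 of [RFC3023]; actual signature and decryption handling is left to a proper XML-DSig/XML-Enc library.

```python
"""Classify an application/samlassertion+xml body before trusting it.

Added example, not part of the registration or any SAML specification.
Assumed constants: SAML 1.x and XML-DSig namespace URIs come from the
published specs; the sample assertions below are constructed.
"""
import re
import xml.etree.ElementTree as ET

MEDIA_TYPE = "application/samlassertion+xml"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # stated in the registration
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # shared by SAML 1.0 and 1.1
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"      # XML Signature namespace


def _split_content_type(content_type: str) -> tuple[str, str]:
    """Return (media type, charset); charset defaults to UTF-8 like application/xml."""
    mtype, *params = [p.strip() for p in content_type.split(";")]
    charset = "utf-8"
    for param in params:
        key, _, value = param.partition("=")
        if key.strip().lower() == "charset":
            charset = value.strip().strip('"')
    return mtype.lower(), charset


def classify_assertion(body: bytes, content_type: str) -> dict:
    """Apply the magic-number and versioning rules; never trusts the content.

    Returns a dict with the assertion version, whether the body is an
    EncryptedAssertion, and whether a top-level ds:Signature is present
    (None when the assertion is encrypted and cannot be inspected).
    Raises ValueError for anything that is not a recognised SAML assertion.
    """
    mtype, charset = _split_content_type(content_type)
    if mtype != MEDIA_TYPE:
        raise ValueError(f"unexpected media type {mtype!r}")
    text = body.decode(charset)

    # RFC3023 section 10 concern: a DTD enables entity-expansion and
    # external-entity tricks, and SAML assertions never need one, so reject.
    if re.search(r"<!DOCTYPE", text, re.IGNORECASE):
        raise ValueError("DTD present; refusing to parse")

    root = ET.fromstring(text)
    match = re.fullmatch(r"\{(.*)\}(.*)", root.tag)
    if not match:
        raise ValueError("root element has no namespace; not a SAML assertion")
    namespace, local = match.groups()

    if namespace == SAML2_NS and local == "EncryptedAssertion":
        # Contents are opaque until decrypted, so signature state is unknown.
        return {"version": "2.0", "encrypted": True, "signed": None}
    if namespace == SAML2_NS and local == "Assertion":
        version = root.get("Version")
        if version != "2.0":
            raise ValueError(f"SAMLv2 namespace but Version={version!r}")
    elif namespace == SAML1_NS and local == "Assertion":
        # SAML 1.x carries the version as two separate attributes.
        version = f"{root.get('MajorVersion')}.{root.get('MinorVersion')}"
        if version not in ("1.0", "1.1"):
            raise ValueError(f"unsupported SAMLv1 version {version!r}")
    else:
        raise ValueError(f"not a SAML assertion root: {{{namespace}}}{local}")

    # Only an enveloped signature directly under the root protects the
    # whole assertion; a relying party must still verify it and confirm
    # the signer is the expected issuer before relying on any content.
    signed = root.find(f"{{{DSIG_NS}}}Signature") is not None
    return {"version": version, "encrypted": False, "signed": signed}


# Constructed sample bodies (no real keys, signatures or ciphertext).
SAMPLE_SAML2_SIGNED = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" '
    b'ID="_example1" IssueInstant="2004-08-21T00:00:00Z">'
    b'<saml:Issuer>https://idp.example.org</saml:Issuer>'
    b'<ds:Signature><ds:SignedInfo/></ds:Signature></saml:Assertion>'
)
SAMPLE_SAML2_ENCRYPTED = (
    b'<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    b'</saml:EncryptedAssertion>'
)
SAMPLE_SAML11_UNSIGNED = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    b'MajorVersion="1" MinorVersion="1" AssertionID="_example3" '
    b'Issuer="https://idp.example.org" IssueInstant="2004-08-21T00:00:00Z"/>'
)
SAMPLE_WITH_DTD = (
    b'<!DOCTYPE saml [<!ENTITY x "y">]>'
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"/>'
)

if __name__ == "__main__":
    for body in (SAMPLE_SAML2_SIGNED, SAMPLE_SAML2_ENCRYPTED, SAMPLE_SAML11_UNSIGNED):
        print(classify_assertion(body, f"{MEDIA_TYPE}; charset=utf-8"))
```

A relying party would run this classification first, dispatch on `version` to the matching core specification, and then hand a signed assertion to its signature-verification code (checking both validity and that the signer is the expected issuer) or an encrypted one to its decryption code. An unsigned, unencrypted assertion arriving over an unauthenticated channel carries no assurance of origin and should not be used for session or access-control decisions.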

Person & email address to contact for further information:
      This registration is made on behalf of the OASIS Security Services
      Technical Committee (SSTC). Please refer to the SSTC website for
      current information on committee chairperson(s) and their contact
      addresses: http://www.oasis-open.org/committees/security/. Committee
      members should submit comments and potential errata to the
      securityservices@lists.oasis-open.org list. Others should submit
      them by filling out the web form located at
      http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=secur

      Additionally, the SAML developer community email distribution list,
      saml-dev@lists.oasis-open.org, may be employed to discuss usage of
      the application/samlassertion+xml MIME media type. The "saml-dev"
      mailing list is publicly archived here:
      http://lists.oasis-open.org/archives/saml-dev/. To post to the
      "saml-dev" mailing list, one must subscribe to it. To subscribe,
      send a message with the single word "subscribe" in the message body,
      to: saml-dev-request@lists.oasis-open.org.

Intended usage: COMMON

Author/Change controller:
      The SAML specification sets are a work product of the OASIS Security
      Services Technical Committee (SSTC). OASIS and the SSTC have change
      control over the SAML specification sets.

Bibliography

      [LAP]          "Liberty Alliance Project". See
                     http://www.projectliberty.org/

      [OASIS]        "Organization for the Advancement of Structured
                     Information Systems". See http://www.oasis-open.org/

      [RFC3023]      M. Murata, S. St. Laurent, D. Kohn, "XML Media Types",
                     IETF Request for Comments 3023, January 2001. Available
                     as http://www.rfc-editor.org/rfc/rfc3023.txt


      [SAMLv1.0]     OASIS Security Services Technical Committee, "Security
                     Assertion Markup Language (SAML) Version 1.0
                     Specification Set". OASIS Standard 200205, November
                     2002. Available as
                     http://www.oasis-open.org/committees/download.php/2290/
                     oasis-sstc-saml-1.0.zip

      [SAMLv1Bind]   Prateek Mishra et al., "Bindings and Profiles for the
                     OASIS Security Assertion Markup Language (SAML)",
                     OASIS, November 2002. Document ID
                     oasis-sstc-saml-bindings-1.0. See
                     http://www.oasis-open.org/committees/security/

      [SAMLv1Core]   Phillip Hallam-Baker et al., "Assertions and Protocol
                     for the OASIS Security Assertion Markup Language
                     (SAML)", OASIS, November 2002. Document ID
                     oasis-sstc-saml-core-1.0. See
                     http://www.oasis-open.org/committees/security/

      [SAMLv1Sec]    Chris McLaren et al., "Security Considerations for the
                     OASIS Security Assertion Markup Language (SAML)",
                     OASIS, November 2002. Document ID
                     oasis-sstc-saml-sec-consider-1.0. See
                     http://www.oasis-open.org/committees/security/


      [SAMLv1.1]     OASIS Security Services Technical Committee, "Security
                     Assertion Markup Language (SAML) Version 1.1
                     Specification Set". OASIS Standard 200308, August
                     2003. Available as
                     http://www.oasis-open.org/committees/download.php/3400/
                     oasis-sstc-saml-1.1-pdf-xsd.zip

      [SAMLv11Bind]  E. Maler et al. "Bindings and Profiles for the OASIS
                     Security Assertion Markup Language (SAML)". OASIS,
                     September 2003. Document ID
                     oasis-sstc-saml-bindings-1.1.
                     http://www.oasis-open.org/committees/security/

      [SAMLv11Core]  E. Maler et al. "Assertions and Protocol for the OASIS
                     Security Assertion Markup Language (SAML)". OASIS,
                     September 2003. Document ID oasis-sstc-saml-core-1.1.
                     http://www.oasis-open.org/committees/security/

      [SAMLv11Sec]   E. Maler et al. "Security Considerations for the OASIS
                     Security Assertion Markup Language (SAML)". OASIS,
                     September 2003. Document ID
                     oasis-sstc-saml-sec-consider-1.1.
                     http://www.oasis-open.org/committees/security/


      [SAMLv2.0]     OASIS Security Services Technical Committee, "Security
                     Assertion Markup Language (SAML) Version 2.0
                     Specification Set". WORK IN PROGRESS. Available at
                     http://www.oasis-open.org/committees/security/

      [SAMLv2Bind]   S. Cantor et al., "Bindings for the OASIS Security
                     Assertion Markup Language (SAML) V2.0". OASIS SSTC,
                     August 2004. Document ID
                     sstc-saml-bindings-2.0-cd-01, WORK IN PROGRESS. See
                     http://www.oasis-open.org/committees/security/

      [SAMLv2Core]   S. Cantor et al., "Assertions and Protocols for the
                     OASIS Security Assertion Markup Language (SAML)
                     V2.0". OASIS SSTC, August 2004. Document ID
                     sstc-saml-core-2.0-cd-01, WORK IN PROGRESS. See
                     http://www.oasis-open.org/committees/security/

      [SAMLv2Prof]   S. Cantor et al., "Profiles for the OASIS Security
                     Assertion Markup Language (SAML) V2.0". OASIS SSTC,
                     August 2004. Document ID
                     sstc-saml-profiles-2.0-cd-01, WORK IN PROGRESS. See
                     http://www.oasis-open.org/committees/security/

      [SAMLv2Sec]    F. Hirsch et al., "Security and Privacy Considerations
                     for the OASIS Security Assertion Markup Language
                     (SAML) V2.0". OASIS SSTC, August 2004, WORK IN
                     PROGRESS. Document ID
                     sstc-saml-sec-consider-2.0-cd-01. See
                     http://www.oasis-open.org/committees/security/


      [SSTC]         "OASIS Security Services Technical Committee". See
                     http://www.oasis-open.org/committees/security/

      [XML]          Bray, T., Paoli, J., Sperberg-McQueen, C.M. and E. Maler,
                     "Extensible Markup Language (XML) 1.0 (Second
                     Edition)", World Wide Web Consortium Recommendation
                     REC-xml, October 2000, Available as
                     http://www.w3.org/TR/REC-xml
