<NOTE:
Registration of MIME media type application/samlmetadata+xml
sstc-saml-2.0-application-samlmetadata-registration-00
Jeff Hodges <Jeff.Hodges@Sun.com>
23-Aug-2004
This document is intended to be included in
sstc-saml-metadata-2.0-cd-02 (i.e. the next time [SAMLv2Meta] is
revised), as an appendix. Please refer to the bibliography below.
Please see http://www.w3.org/2002/06/registering-mediatype.html for
an overview of the intricacies involved when a non-IETF organization
registers a MIME media type in the "standards tree" (aka "IETF
tree").
The below registration material is intended to satisfy the
requirements stated in draft-freed-media-type-reg-01.txt (which
superseded draft-freed-mime-p4-04.txt).
This "NOTE" is intended to be removed upon copying this document's
content into [SAMLv2Meta].
Acknowledgments: Thanks to Ned Freed and Larry Masinter for their
comments on a draft of a related registration. The security
considerations section leverages that of
http://www.iana.org/assignments/media-types/application/vnd.paos+xml,
by John Kemp.
To: ietf-types@iana.org
Subject: Registration of MIME media type application/samlmetadata+xml
Introduction
This document defines a MIME media type --
application/samlmetadata+xml -- for use with the XML
serialization of Security Assertion Markup Language metadata.
SAML is a work product of the OASIS Security Services Technical
Committee [SSTC]. The SAML specifications define XML-based
constructs with which one may make, and convey, security
assertions. Using SAML, one can assert that an authentication
event pertaining to some subject has occurred and convey said
assertion to a relying party, for example.
SAML profiles require agreements between system entities
regarding identifiers, binding support, endpoints, certificates,
keys, and so forth. Such information is treated as metadata by
SAML v2.0. [SAMLv2Meta] specifies this metadata, as well as
specifying metadata publication and resolution mechanisms. If
the publishing protocol permits MIME-based identification of
content types, then use of the application/samlmetadata+xml MIME
media type is required.
MIME media type name: application
MIME subtype name: samlmetadata+xml
Required parameters: none
Optional parameters: charset
Same as charset parameter of application/xml [RFC3023].
Encoding considerations:
Same as for application/xml [RFC3023].
Security considerations:
Per their specification, samlmetadata+xml typed objects do not
contain executable content. However, these objects are XML-based
[XML], and thus they have all of the general security
considerations presented in section 10 of [RFC3023].
SAML metadata [SAMLv2Meta] contains information whose integrity
and authenticity are important: identity provider and service
provider public keys and endpoint addresses, for example.
To counter potential issues, the publisher may sign
samlmetadata+xml typed objects. Any such signature should be
verified by the recipient of the data, both as a cryptographically
valid signature and as the signature of the expected publisher,
i.e. made with a key the recipient already trusts for that
publisher rather than merely a key carried in the object itself.
Additionally, various publication protocols, e.g.
HTTP-over-TLS/SSL, offer means for ensuring the authenticity of
the publishing party and for protecting the metadata in transit.
[SAMLv2Meta] also defines prescriptive metadata caching
directives, as well as guidance on handling HTTPS redirects,
trust processing, server authentication, and related items.
For a more detailed discussion of SAML v2.0 metadata and its
security considerations, please see [SAMLv2Meta]. For a
discussion of overall SAML v2.0 security considerations and
specific security-related design features, please refer to the
SAML v2.0 specifications listed in the below bibliography. The
specifications containing security-specific information are
explicitly listed.
Interoperability considerations:
SAML v2.0 metadata explicitly supports identifying the protocols
and versions supported by the identified entities. For example,
an identity provider entity can be denoted as supporting SAML
v2.0, SAML v1.1 [SAMLv1.1], Liberty ID-FF 1.2 [LAPFF], or even
other protocols if they are unambiguously identifiable via URI
[RFC2396]. This protocol support information is conveyed via the
protocolSupportEnumeration attribute of metadata objects of the
RoleDescriptorType.
Published specification:
[SAMLv2Meta] explicitly specifies use of the
application/samlmetadata+xml MIME media type.
Applications which use this media type:
Potentially any application implementing SAML v2.0, as well as
those applications implementing specifications based on SAML,
e.g. those available from the Liberty Alliance [LAP].
Additional information:
Magic number(s):
In general, the same as for application/xml [RFC3023]. In
particular, the XML root element of the returned object
will be one of <md:EntityDescriptor>,
<md:AffiliationDescriptor>, or <md:EntitiesDescriptor>,
where the "md" prefix is bound to the SAML v2.0 metadata
namespace: urn:oasis:names:tc:SAML:2.0:metadata
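The following is an added example, not part of the registration text and not code from any SAML implementation. It ties together three points above: the media type check (optional charset parameter only), the "magic number" test on the root element and its namespace, the protocolSupportEnumeration attribute from the interoperability section, and the pre-check that an enveloped signature actually covers the metadata root before cryptographic verification. The sample document is constructed for this example; its signature is a placeholder. Real cryptographic verification against a pinned publisher key (with an XML-DSig library such as signxml or xmlsec, and a hardened parser such as defusedxml) is assumed to happen afterwards and is not shown here.

```python
"""Triage of an application/samlmetadata+xml object (added example).

Assumed, not stated in the registration: the metadata carries an enveloped
XML Signature as a direct child of the root, and its ds:Reference URI is
either "" (whole document) or "#" + the root element's ID attribute.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MEDIA_TYPE = "application/samlmetadata+xml"
# Root elements listed by the registration as the media type's "magic number".
ROOT_LOCAL_NAMES = {"EntityDescriptor", "EntitiesDescriptor", "AffiliationDescriptor"}

# Constructed sample (hypothetical entity, placeholder SignatureValue).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/saml" ID="_meta1">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_meta1"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_media_type(content_type):
    """True only for application/samlmetadata+xml; the sole allowed
    parameter is charset, as for application/xml (RFC 3023)."""
    mt, _, params = content_type.partition(";")
    if mt.strip().lower() != MEDIA_TYPE:
        return False
    for param in params.split(";"):
        if param.strip():
            name = param.partition("=")[0].strip().lower()
            if name != "charset":
                return False
    return True


def _split_tag(tag):
    """ElementTree encodes '{namespace}local'; split it back out."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def root_local_name(data):
    """The 'magic number' test: local name of the root element if it is one
    of the three metadata roots in the SAML 2.0 metadata namespace, else None.
    NOTE: production code should parse with defusedxml to cover the RFC 3023
    section 10 concerns (entity expansion, external entities)."""
    ns, local = _split_tag(ET.fromstring(data).tag)
    if ns == MD_NS and local in ROOT_LOCAL_NAMES:
        return local
    return None


def protocol_support(data):
    """Map each role descriptor's local name to the set of protocol URIs it
    advertises via protocolSupportEnumeration (a space-separated list)."""
    roles = {}
    for el in ET.fromstring(data).iter():
        ns, local = _split_tag(el.tag)
        if ns == MD_NS and "protocolSupportEnumeration" in el.attrib:
            roles.setdefault(local, set()).update(
                el.attrib["protocolSupportEnumeration"].split())
    return roles


def signature_covers_root(data):
    """Structural pre-check before cryptographic verification: there must be
    a ds:Signature that is a direct child of the root, and its ds:Reference
    must cover the root (URI="" or "#<root ID>"). A Reference pointing at
    some other element does not sign the metadata and must be rejected."""
    root = ET.fromstring(data)
    root_id = root.get("ID")
    for child in root:
        if child.tag == "{%s}Signature" % DS_NS:
            ref = child.find("{%s}SignedInfo/{%s}Reference" % (DS_NS, DS_NS))
            if ref is None:
                return False
            uri = ref.get("URI", "")
            return uri == "" or (root_id is not None and uri == "#" + root_id)
    return False


def triage(data, content_type):
    """Run all checks; the caller still has to verify the signature itself
    with an XML-DSig library against the pinned publisher key."""
    if not check_media_type(content_type):
        raise ValueError("unexpected media type: %s" % content_type)
    root = root_local_name(data)
    if root is None:
        raise ValueError("root element is not SAML 2.0 metadata")
    return {"root": root,
            "entity_id": ET.fromstring(data).get("entityID"),
            "roles": protocol_support(data),
            "signature_covers_root": signature_covers_root(data)}


if __name__ == "__main__":
    print(triage(SAMPLE_METADATA, "application/samlmetadata+xml; charset=utf-8"))
```

The Reference check matters because a document can carry a perfectly valid signature over some unrelated element; only a signature whose Reference covers the root (and is then verified with a key pinned to the publisher) establishes the integrity and authenticity the security considerations call for.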
File extension(s): none
Macintosh File Type Code(s): none
Person & email address to contact for further information:
This registration is made on behalf of the OASIS Security
Services Technical Committee (SSTC). Please refer to the SSTC
website for current information on committee chairperson(s) and
their contact addresses:
http://www.oasis-open.org/committees/security/. Committee
members should submit comments and potential errata to the
securityservices@lists.oasis-open.org list. Others should
submit them by filling out the web form located at
http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=s
Additionally, the SAML developer community email distribution
list, saml-dev@lists.oasis-open.org, may be employed to discuss
usage of the application/samlmetadata+xml MIME media type. The
"saml-dev" mailing list is publicly archived here:
http://lists.oasis-open.org/archives/saml-dev/. To post to the
"saml-dev" mailing list, one must subscribe to it. To subscribe,
send a message with the single word "subscribe" in the message
body, to: saml-dev-request@lists.oasis-open.org.
Intended usage: COMMON
Author/Change controller:
The SAML specification sets are a work product of the OASIS
Security Services Technical Committee (SSTC). OASIS and the SSTC
have change control over the SAML specification sets.
Bibliography
[LAP] "Liberty Alliance Project". See
http://www.projectliberty.org/
[LAPFF] "Liberty Alliance Project: Federation Framework".
See http://www.projectliberty.org/resources/
specifications.php#box1
[OASIS] "Organization for the Advancement of Structured
Information Standards". See
http://www.oasis-open.org/
[RFC2396] T. Berners-Lee, R. Fielding, L. Masinter, Uniform
Resource Identifiers (URI): Generic Syntax. IETF
RFC 2396, August 1998. Available at
http://www.ietf.org/rfc/rfc2396.txt
[RFC3023] M. Murata, S. St.Laurent, D. Kohn, "XML Media Types",
IETF Request for Comments 3023, January 2001.
Available as
http://www.rfc-editor.org/rfc/rfc3023.txt
[SAMLv1.1] OASIS Security Services Technical Committee,
"Security Assertion Markup Language (SAML)
Version 1.1 Specification Set". OASIS Standard
200308, August 2003. Available as
http://www.oasis-open.org/committees/download.php
/3400/oasis-sstc-saml-1.1-pdf-xsd.zip
[SAMLv2.0] OASIS Security Services Technical Committee,
"Security Assertion Markup Language (SAML)
Version 2.0 Specification Set". WORK IN PROGRESS.
Available at
http://www.oasis-open.org/committees/security/
[SAMLv2Bind] S. Cantor et al., "Bindings for the OASIS Security
Assertion Markup Language (SAML) V2.0". OASIS
SSTC, August 2004. Document ID
sstc-saml-bindings-2.0-cd-01, WORK IN PROGRESS.
See
http://www.oasis-open.org/committees/security/
[SAMLv2Core] S. Cantor et al., "Assertions and Protocols for the
OASIS Security Assertion Markup Language (SAML)
V2.0". OASIS SSTC, August 2004. Document ID
sstc-saml-core-2.0-cd-01, WORK IN PROGRESS. See
http://www.oasis-open.org/committees/security/
[SAMLv2Meta] S. Cantor et al., Metadata for the OASIS Security
Assertion Markup Language (SAML) V2.0. OASIS
SSTC, August 2004. Document ID
sstc-saml-metadata-2.0-cd-01. See
http://www.oasis-open.org/committees/security/
[SAMLv2Prof] S. Cantor et al., "Profiles for the OASIS Security
Assertion Markup Language (SAML) V2.0". OASIS
SSTC, August 2004. Document ID
sstc-saml-profiles-2.0-cd-01, WORK IN PROGRESS.
See
http://www.oasis-open.org/committees/security/
[SAMLv2Sec] F. Hirsch et al., "Security and Privacy
Considerations for the OASIS Security Assertion
Markup Language (SAML) V2.0". OASIS SSTC, August
2004, WORK IN PROGRESS. Document ID
sstc-saml-sec-consider-2.0-cd-01. See
http://www.oasis-open.org/committees/security/
[SSTC] "OASIS Security Services Technical Committee". See
http://www.oasis-open.org/committees/security/
[XML] Bray, T., Paoli, J., Sperberg-McQueen, C.M. and E. Maler,
"Extensible Markup Language (XML) 1.0 (Second
Edition)", World Wide Web Consortium
Recommendation REC-xml, October 2000, Available
as http://www.w3.org/TR/REC-xml
---
end