Using SAML for SIP <draft-tschofenig-sip-saml-00.txt> H. Tschofenig, J. Peterson, J. Polk, D. Sicker, M. Tegnander

Post on 19-Jan-2016


Page 1: Using SAML for SIP H. Tschofenig, J. Peterson, J. Polk, D. Sicker, M. Tegnander

Using SAML for SIP

<draft-tschofenig-sip-saml-00.txt>

H. Tschofenig, J. Peterson, J. Polk, D. Sicker, M. Tegnander

Page 2

Overview

<draft-ietf-sipping-trait-authz-00.txt> presents

— a problem statement

— scenarios and

— requirements

Using Security Assertion Markup Language (SAML) in collaboration with SIP provides a solution for trait-based authorization.

Page 3

Draft Content - In a Nutshell

Three parties:

— User

— Asserting Party (creates Assertions/Artifact) = "Authentication Server"

— Relying Party (verifies Assertions/Artifact)

SAML Push Model

— Uses Assertions in a "Call by value" style

SAML Pull Model

— Uses Artifacts in a "Call by reference" style

Two ways of attaching the Assertions/Artifacts

— Separate exchange with the Authentication Server

— SIP messages traverse Authentication Server

Page 4

Open Issues (1)

Issue:

— Reference integrity of SAML Assertions and SIP sessions

Proposal:

— Reuse existing work by Jon

Issue:

— Where should the Assertions be attached?

Proposal:

— SIP UA adds Assertions in body; SIP proxies add them by reference (Artifacts) in the SIP header
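
The push and pull models from the "In a Nutshell" slide, combined with the attachment proposal above (Assertion by value in the body, Artifact by reference in a header), as an added example that is not taken from the draft or the slides. The header name, the JSON assertion format, the HMAC standing in for the SAML XML signature, the single-use artifact store and the sample trait are all assumptions of this sketch.

```python
import hashlib, hmac, json, secrets

ARTIFACT_HDR = "X-Example-SAML-Artifact"   # hypothetical header name, not from the draft

def _sign(key, body):
    # Assumption: HMAC-SHA256 stands in for the SAML XML signature.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class AssertingParty:
    """Toy 'Authentication Server' that creates Assertions and Artifacts."""
    def __init__(self, key):
        self._key, self._pending = key, {}

    def issue_assertion(self, subject, traits):
        body = json.dumps({"subject": subject, "traits": traits}, sort_keys=True)
        return {"body": body, "sig": _sign(self._key, body)}

    def issue_artifact(self, subject, traits):
        artifact = secrets.token_urlsafe(20)       # opaque reference, carries no traits
        self._pending[artifact] = self.issue_assertion(subject, traits)
        return artifact

    def resolve(self, artifact):
        # Assumption of this sketch: single use, so a replayed artifact yields None.
        return self._pending.pop(artifact, None)

class RelyingParty:
    def __init__(self, key, asserting_party):
        self._key, self._ap = key, asserting_party

    def _traits(self, assertion):
        if not assertion or not hmac.compare_digest(
                _sign(self._key, assertion["body"]), assertion["sig"]):
            return None
        return json.loads(assertion["body"])["traits"]

    def authorize(self, sip_msg):
        """Return the asserted traits, or None if nothing verifiable is attached."""
        if sip_msg.get("body"):                    # push: Assertion by value in the body
            return self._traits(sip_msg["body"])
        artifact = sip_msg.get("headers", {}).get(ARTIFACT_HDR)
        if artifact:                               # pull: dereference at the Asserting Party
            return self._traits(self._ap.resolve(artifact))
        return None

def demo():
    key = secrets.token_bytes(32)                  # constructed demo key
    ap = AssertingParty(key)
    rp = RelyingParty(key, ap)
    push = {"headers": {}, "body": ap.issue_assertion("alice", ["faculty"])}
    pull = {"headers": {ARTIFACT_HDR: ap.issue_artifact("alice", ["faculty"])}, "body": None}
    return rp.authorize(push), rp.authorize(pull), rp.authorize(pull)
```

In the push case the Relying Party verifies what it was handed; in the pull case the message carries only a reference, so every authorization decision costs a round trip to the Asserting Party.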

Page 5

Open Issue (2)

Issue:

— Artifact should include a URL to enable easier dereference

Proposal:

— Change it with the next version of the draft

Issue:

— Option-tags need to be introduced (required / supported option-tag)

Proposal:

— Add them with the next version

Page 6

Open Issue (3)

Further issues:

— Relationship with Liberty Alliance

— More details for the described scenarios

Please send comments!

Page 7

Questions?