OASIS Service Provisioning Markup Language (SPML) V2 - SAML 2.0 Profile

2OASIS Service Provisioning Markup 3Language (SPML) v2 - SAML 2.0 4Profile

5OASIS Standard 62006 April 1

7Document identifier: pstc-spml2-saml-profile-os.pdf 8Location: http://www.oasis-open.org/committees/provision/docs/ 9Send comments to: [email protected] 10Editor: 11 Jeff Bohren, BMC ([email protected])

13Contributors: 14 Richard Sand, Tripod Technology Group 15 Blaine Busler, Tripod Technology Group 16 Robert Boucher, CA 17 Doron Cohen, BMC 18 Gary Cole, Sun Microsystems 19 Cal Collingham, CA 20 Rami Elron, BMC 21 Marco Fanti, Thor Technologies 22 Ian Glazer, IBM 23 James Hu, HP 24 Ron Jacobsen, CA 25 Jeff Larson, Sun Microsystems 26 Hal Lockhart, BEA 27 Prateek Mishra, Oracle Corporation 28 Martin Raepple, SAP 29 Darran Rolls, Sun Microsystems 30 Kent Spaulding, Sun Microsystems 31 Gavenraj Sodhi, CA 32 Cory Williams, IBM 33 Gerry Woods, SOA Software 34

36 This specification defines usage of SAML 2.0 as a data model (profile) for SPML v2. 37Status:

38 This is an OASIS Standard document produced by the Provisioning Services Technical 39 Committee. It was approved by the OASIS membership on 1 April 2006.

40 If you are on the provision list for committee members, send comments there. If you are not 41 on that list, subscribe to the [email protected] list and send 42 comments there. To subscribe, send an email message to provision-comment- 43 [email protected] with the word "subscribe" as the body of the message. 44Copyright (C) OASIS Open 2006. All Rights Reserved.

40c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 5Copyright © OASIS Open 2006. All Rights Reserved. Page 2 of 15 45Table of contents 461. Introduction (non-normative) 4 47 1.1. Concepts 4 48 1.1.1. SAML Protocol 4 49 1.1.2. Schema 4 50 1.2. Terminology 4 512. Notation 4 523. Overview (non-normative) 5 53 3.1. SAML PSOs 5 54 3.1.1. PSO Identifier 6 55 3.1.2. PSO Data 6 56 3.2. Schema 6 57 3.3. Core Operations 6 58 3.3.1. Add Request 6 59 3.3.2. Add Response 7 60 3.3.3. Modify Request 7 61 3.3.4. Modify Response 8 62 3.3.5. Delete Request 8 63 3.3.6. Lookup Request 8 64 3.3.7. Lookup Response 8 65 3.4. Search Operations 8 66 3.4.1. Search Request 9 67 3.4.2. Search Response 9 684. Specification (Normative) 10 69 4.1. Namespaces 10 70 4.2. Core Capability 10 71 4.2.1. Element 10 72 4.2.2. Element 10 73 4.2.3. Element 10 74 4.2.4. Element 10 75 4.3. Search Capability 11 76 4.3.1. Element 11 77 4.4. SAML Profile Schema 11 78 4.4.1. Element 11 79 4.4.2. Element 11 80 4.4.3. Element 11

851. Introduction (non-normative)

86 1.1. Concepts

87SPML Version 2 (SPMLv2) defines a core protocol [SPMLv2] over which different data models can 88be used to define the actual provisioning data. The combination of a data model with the SPML 89core specification is referred to as a profile. The use of SPML requires that a specific profile is used, 90although the choice of which profile is used to negatioted out-of-band by the participating parties. 91This document describes the use of the SAML protocol as a data model for SPML based 92provisioning. This profile is optional.

93 1.1.1. SAML Protocol 94The SAML 2.0 protocol [SAMLv2???] defines the syntax and processing semantics of 95assertions made about a subject by a system entity. ***Say some more here??

96 1.2. Terminology

97Within this document: 98- The term “requestor” always refers to a Requesting Authority (RA). 99- The term “provider” always refers to a Provisioning Service Provider (PSP). 100- The term “target” always refers to a Provisioning Service Target (PST). 101- The term “object” (unless otherwise qualified) refers to a Provisioning Service Object (PSO). 102- The term “client” (unless otherwise qualified) refers to a Requesting Authority (RA). 103- The term “server” (unless otherwise qualified) refers to a Provisioning Service Provider (PSP).

1042. Notation

105This specification contains schema conforming to W3C XML Schema and normative text to 106describe the syntax and semantics of XML-encoded policy statements. 107The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", 108"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be 109interpreted as described in IETF RFC 2119 [RFC2119] 110 "they MUST only be used where it is actually required for interoperation or to limit 111 behavior which has potential for causing harm (e.g., limiting retransmissions)" 112These keywords are thus capitalized when used to unambiguously specify requirements over 113protocol and application features and behavior that affect the interoperability and security of 114implementations. When these words are not capitalized, they are meant in their natural-language 115sense. 116This specification uses the following typographical conventions in text:

80c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 9Copyright © OASIS Open 2006. All Rights Reserved. Page 4 of 15 Format Description Indicates attributeName monospace font The name of an XML attribute. with first letter lower- cased SPMLElementName monospace font The name of an XML element with first letter capitalized that is defined as part of SPMLv2. ns:ForeignElementName monospace font The name of an XML element with namespace prefix that is defined by another specification.

monospace font An instance of an XML element surrounded by <> that is defined as part of SPMLv2.

monospace font An instance of an XML element with namespace prefix that is defined by another specification. surrounded by <>

117Terms in italic bold-face are intended to have the meaning defined in the Glossary.

118Listings of SPML schemas appear like this.

119 120Example code listings appear like this. 121Conventional XML namespace prefixes are used throughout the listings in this specification to 122stand for their respective namespaces as follows, whether or not a namespace declaration is 123present in the example: 124- The prefix saml: stands for the SAML assertion namespace [SAML]. 125- The prefix ds: stands for the W3C XML Signature namespace [DS]. 126- The prefix xsd: stands for the W3C XML Schema namespace [XS].

1273. Overview (non-normative)

128 3.1. SAML PSOs

129A PSO is represented in this binding by an SAML Attribute Assertion that is associated with a 130target-unique SAML identifier. 131The SAML Attribute Assertions are used to provide identity and attribute data for a Provisioning 132Service Object. The PSO is equivalent to a SAML Subject in this regard.

133 3.1.1. PSO Identifier

134The PSO Identifier may be one of several types of SAML NameID identifiers. However, not every 135identifier specified in SAML is allowed as an identifier for a PSO. The following SAML name 136identifiers are allowed: 137  Unspecified

138 URI: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 139 The interpretation of the content of the element is left to individual implementations.

100c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 11Copyright © OASIS Open 2006. All Rights Reserved. Page 5 of 15 140 141  E-Mail address 142 URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 143 144 Indicates that the content of the element is in the form of an email address, specifically 145 "addr-spec" as defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the 146 form local-part@domain. Note that an addr-spec has no phrase (such as a common name) 147 before it, has no comment (text surrounded in parentheses) after it, and is not surrounded 148 by "<" and ">". 149 150  X509 Subject Name 151 URI: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName 152 153 Indicates that the content of the element is in the form specified for the contents of the 154 element in the XML Signature Recommendation [XMLSig]. 155 Implementors should note that the XML Signature specification specifies encoding rules for 156 X.509 subject names that differ from the rules given in IETF RFC 2253 [RFC 2253]. 157 158  WindowsDomainQualifiedname 159 URI: urn:oasis:names:tc:SAML:1.1:nameid- 160 format:WindowsDomainQualifiedName 161 162 Indicates that the content of the element is a Windows domain qualified name. A Windows 163 domain qualified user name is a string of the form "DomainName\UserName". The domain 164 name and "\" separator MAY be omitted. 165  Kerberos 166 URI: urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos 167 168 Indicates that the content of the element is in the form of a Kerberos principal name using 169 the format name[/instance]@REALM. The syntax, format and characters allowed for the 170 name, instance, and realm are described in IETF RFC 1510 [RFC 1510]. 171 172Below is an example of a psoID using a SAML X509 NameIdentifier. 173 174 175 cn=John Doe,dc=acme,dc=com 176 177

178 3.1.2. PSO Data

179The PSO Data element contains SAML Attribute Assertions, as defined in [SAML]. Additional data 180may be included via the Open Content Model. 181 182 183 184 [email protected] 185 186 187

189***how to handle schema with SAML?

190 3.3. Core Operations

191 3.3.1. Add Request

192The Add Request creates PSOs. The Add Request must contain a element that contains 193SAML 2.0 elements that define the new PSO. The Add Request may also pass a PSO 194Identifier ( element), a container PSO ID ( element), or a target ID 195( element). If a PSO identifier is not defined in the Add Request, the new PSO Identifier 196must be returned in the Add Response. 197 198 199 200 201 John 202 203 204 Doe 205 206 207 [email protected] 208 209 210

211 3.3.2. Add Response

212The Add Response message will contain the new PSO ID (unless it was specified in the Add 213Request). If the creation of the new PSO resulted in attributes being adding or modified in the new 214PSO, the entire PSO Data should be returned in the response. 215 216 217 cn=John Doe,dc=acme,dc=com 218 219 220 221 John 222 223 224 Doe 225 226 227 [email protected] 228 229 230 John Doe 231 232 233 jdoe 234 235 236

238The Modify Request modifies the specified PSO. The Modify Request must always contain the PSO 239Identifier. ??Modify will always replace *all* existing values for the specified attribute? If a MVA, can 240we specify the original value so we only replace 1? Is this beyond the score here?? 241 242 243 cn=John Doe,dc=acme,dc=com 244 245 246 247 Jane 248 249 250

251 3.3.4. Modify Response

252If the Modify Request causes the PSO ID to change, then the Modify Response must contain the 253new PSO ID. 254 256 257 cn=Jane Doe,dc=acme,dc=com 258 259

260 3.3.5. Delete Request

261The Delete Request deletes a specified PSO. 262 263 264 cn=John Doe,dc=acme,dc=com 265 266

268 3.3.6. Lookup Request

269The Lookup Request is used to retrieve the data for a specified PSO. 270 271 272 cn=John Doe,dc=acme,dc=com 273 274

275 3.3.7. Lookup Response

276The Lookup Response contains the retrieved PSO data. 277 279

160c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 17Copyright © OASIS Open 2006. All Rights Reserved. Page 8 of 15 280 cn=John Doe,dc=acme,dc=com 281 282 283 284 John 285 286 287 Doe 288 289 290 [email protected] 291 292 293 John Doe 294 295 296 jdoe 297 298 299

300 3.4. Search Operations

301If the Search Capability is supported, the SAML search filters and attribute declarations should be 302used to scope the results of the search.

303 3.4.1. Search Request

304The search request can specify SAML filters and attribute declarations. 305***How to handle search base “basePSOID”? What filter mechanism to use? DSML was specifically 306applicable here.. ?? 307 309 310*** example: firstname = John, get email 311 312

314 3.4.2. Search Response

315 316 319 320 321 cn=John Doe,dc=acme,dc=com 322 323 324 325 [email protected] 326 327 328

180c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 19Copyright © OASIS Open 2006. All Rights Reserved. Page 9 of 15 329 330 331 cn=John Smith,dc=acme,dc=com 332 333 334 335 [email protected] 336 337 338 339

3404. Specification (Normative)

341 4.1. Namespaces

342The SAMLv2 Profile uses the SAML 2.0 namespace which is defined as: 343 urn:oasis:names:tc:SAML:2.0 344The specification uses the prefix SAML: to refer to this namespace. 345The SAMLv2 Profile defines some elements that are specific to the profile. The namespace for the 346profile itself is defined as: 347 urn:oasis:names:tc:SPML:2:0:SAML 348The specification uses the prefix spmlSAML: to refer to this namespace.

349 4.2. Core Capability

350 4.2.1. Element

351The element MUST contain zero or many elements.

352 4.2.2. Element

353The element MUST contain zero or many elements. The 354“modificationType” on the MUST be specified.

355 4.2.3. Element

356***

357 4.2.4. Element

358The “entityName” attribute on the element MUST refer only to 359object classes defined in the referenced schema. All attributes on the referenced object classes are 360assumed to be supported. ***How this applies will depend on how we handle object classes in 361SAML??

363 4.3.1. Element

364***

365 4.4. SAML Profile Schema

366***

368 369 [AES] National Institute of Standards and Technology (NIST), FIPS-197: 370 Advanced Encryption Standard, 371 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, National 372 Institute of Standards and Technology (NIST) 373 [ARCHIVE-1] OASIS Provisioning Services Technical Committee, email archive, 374 http://www.oasis- 375 open.org/apps/org/workgroup/provision/email/archives/index.html, 376 OASIS PS-TC 377 [DS] IETF/W3C, W3C XML Signatures, http://www.w3.org/Signature/, 378 W3C/IETF 379 [GLOSSARY] OASIS Provisioning Services TC, Glossary of Terms, http://www.oasis- 380 open.org/apps/org/workgroup/provision/download.php, OASIS PS-TC 381 [RFC 2119] S. Bradner., Key words for use in RFCs to Indicate Requirement Levels, 382 http://www.ietf.org/rfc/rfc2119.txt, IETF 383 [RFC 2246] T. Dierks and C. Allen, The TLS Protocol, 384 http://www.ietf.org/rfc/rfc2246.txt, IETF 385 [SAML] OASIS Security Services TC, http://www.oasis- 386 open.org/committees/tc_home.php?wg_abbrev=security, OASIS SS- 387 TC 388 [SOAP] W3C XML Protocol Working Group, http://www.w3.org/2000/xp/Group/ 389 [SPML-Bind] OASIS Provisioning Services TC, SPML V1.0 Protocol Bindings, 390 http://www.oasis- 391 open.org/apps/org/workgroup/provision/download.php/1816/draft- 392 pstc-bindings-03.doc, OASIS PS-TC 393 [SPML-REQ] OASIS Provisioning Services Technical Committee, Requirements, 394 http://www.oasis- 395 open.org/apps/org/workgroup/provision/download.php/2277/draft- 396 pstc-requirements-01.doc, OASIS PS-TC 397 [SPML-UC] OASIS Provisioning Services Technical Committee, SPML V1.0 Use 398 Cases, http://www.oasis- 399 open.org/apps/org/workgroup/provision/download.php/988/drfat- 400 spml-use-cases-05.doc, OASIS PS-TC 401 [SPMLv2-Profile-SAML] OASIS Provisioning Services Technical Committee, SPMLv2 402 SAMLv2 Profile, OASIS PS-TC 403 [SPMLv2-Profile-XSD] OASIS Provisioning Services Technical Committee, SPML V2 404 XSD Profile, OASIS PS-TC 405 [SPMLv2-REQ] OASIS Provisioning Services Technical Committee, Requirements, OASIS 406 PS-TC 407 [SPMLv2-ASYNC] OASIS Provisioning Services Technical Committee, XML Schema 408 Definitions for Async Capability of SPMLv2, OASIS PS-TC

240c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 25Copyright © OASIS Open 2006. All Rights Reserved. Page 12 of 15 409 [SPMLv2-BATCH] OASIS Provisioning Services Technical Committee, XML Schema 410 Definitions for Batch Capability of SPMLv2, OASIS PS-TC 411 [SPMLv2-BULK] OASIS Provisioning Services Technical Committee, XML Schema 412 Definitions for Bulk Capability of SPMLv2, OASIS PS-TC 413 [SPMLv2-CORE] OASIS Provisioning Services Technical Committee, XML Schema 414 Definitions for Core Operations of SPMLv2, OASIS PS-TC 415 [SPMLv2-PASS] OASIS Provisioning Services Technical Committee, XML Schema 416 Definitions for Password Capability of SPMLv2, OASIS PS-TC 417 [SPMLv2-REF] OASIS Provisioning Services Technical Committee, XML Schema 418 Definitions for Reference Capability of SPMLv2, OASIS PS-TC 419 [SPMLv2-SEARCH] OASIS Provisioning Services Technical Committee, XML Schema 420 Definitions for Search Capability of SPMLv2, OASIS PS-TC 421 [SPMLv2-SUSPEND] OASIS Provisioning Services Technical Committee, XML Schema 422 Definitions for Suspend Capability of SPMLv2, OASIS PS-TC 423 [SPMLv2-UPDATES] OASIS Provisioning Services Technical Committee, XML Schema 424 Definitions for Updates Capability of SPMLv2, OASIS PS-TC 425 [SPMLv2-UC] OASIS Provisioning Services Technical Committee., SPML V2.0 Use 426 Cases, OASIS PS-TC 427 [WSS] OASIS Web Services Security (WSS) TC, http://www.oasis- 428 open.org/committees/tc_home.php?wg_abbrev=wss, OASIS SS-TC 429 [X509] RFC 2459 - Internet X.509 Public Key Infrastructure Certificate and CRL 430 Profile, http://www.ietf.org/rfc/rfc2459.txt 431 [XSD] W3C Schema WG ., W3C XML Schema, 432 http://www.w3.org/TR/xmlschema-1/ W3C 433 434 435

437The following individuals were voting members of the Provisioning Services committee at the time 438that this version of the specification was issued: 439 Richard Sand, Tripod Technology Group 440 Jeff Bohren, BMC 441 Robert Boucher, CA 442 Gary Cole, Sun Microsystems 443 Rami Elron, BMC 444 Marco Fanti, Thor Technologies 445 James Hu, HP 446 Martin Raepple, SAP 447 Gavenraj Sodhi, CA 448 Kent Spaulding, Sun Microsystems 449

451OASIS takes no position regarding the validity or scope of any intellectual property or other rights 452that might be claimed to pertain to the implementation or use of the technology described in this 453document or the extent to which any license under such rights might or might not be available; 454neither does it represent that it has made any effort to identify any such rights. Information on 455OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS 456website. Copies of claims of rights made available for publication and any assurances of licenses to 457be made available, or the result of an attempt made to obtain a general license or permission for 458the use of such proprietary rights by implementers or users of this specification, can be obtained 459from the OASIS Executive Director. 460OASIS has been notified of intellectual property rights claimed in regard to some or all of the 461contents of this specification. For more information consult the online list of claimed rights. 462OASIS invites any interested party to bring to its attention any copyrights, patents or patent 463applications, or other proprietary rights which may cover technology that may be required to 464implement this specification. Please address the information to the OASIS Executive Director. 465Copyright (C) OASIS Open 2006. All Rights Reserved. 466This document and translations of it may be copied and furnished to others, and derivative works 467that comment on or otherwise explain it or assist in its implementation may be prepared, copied, 468published and distributed, in whole or in part, without restriction of any kind, provided that the above 469copyright notice and this paragraph are included on all such copies and derivative works. However, 470this document itself may not be modified in any way, such as by removing the copyright notice or 471references to OASIS, except as needed for the purpose of developing OASIS specifications, in 472which case the procedures for copyrights defined in the OASIS Intellectual Property Rights 473document must be followed, or as required to translate it into languages other than English. 474The limited permissions granted above are perpetual and will not be revoked by OASIS or its 475successors or assigns. 476This document and the information contained herein is provided on an “AS IS” basis and OASIS 477DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO 478ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY 479RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A 480PARTICULAR PURPOSE.