1
1
2OASIS Service Provisioning Markup 3Language (SPML) v2 - SAML 2.0 4Profile
5OASIS Standard 62006 April 1
7Document identifier: pstc-spml2-saml-profile-os.pdf 8Location: http://www.oasis-open.org/committees/provision/docs/ 9Send comments to: [email protected] 10Editor: 11 Jeff Bohren, BMC ([email protected])
13Contributors: 14 Richard Sand, Tripod Technology Group 15 Blaine Busler, Tripod Technology Group 16 Robert Boucher, CA 17 Doron Cohen, BMC 18 Gary Cole, Sun Microsystems 19 Cal Collingham, CA 20 Rami Elron, BMC 21 Marco Fanti, Thor Technologies 22 Ian Glazer, IBM 23 James Hu, HP 24 Ron Jacobsen, CA 25 Jeff Larson, Sun Microsystems 26 Hal Lockhart, BEA 27 Prateek Mishra, Oracle Corporation 28 Martin Raepple, SAP 29 Darran Rolls, Sun Microsystems 30 Kent Spaulding, Sun Microsystems 31 Gavenraj Sodhi, CA 32 Cory Williams, IBM 33 Gerry Woods, SOA Software 34
20c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 3Copyright © OASIS Open 2006. All Rights Reserved. Page 1 of 15 35Abstract:
36 This specification defines usage of SAML 2.0 as a data model (profile) for SPML v2. 37Status:
38 This is an OASIS Standard document produced by the Provisioning Services Technical 39 Committee. It was approved by the OASIS membership on 1 April 2006.
40 If you are on the provision list for committee members, send comments there. If you are not 41 on that list, subscribe to the [email protected] list and send 42 comments there. To subscribe, send an email message to provision-comment- 43 [email protected] with the word "subscribe" as the body of the message. 44Copyright (C) OASIS Open 2006. All Rights Reserved.
40c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 5Copyright © OASIS Open 2006. All Rights Reserved. Page 2 of 15 45Table of contents 461. Introduction (non-normative) 4 47 1.1. Concepts 4 48 1.1.1. SAML Protocol 4 49 1.1.2. Schema 4 50 1.2. Terminology 4 512. Notation 4 523. Overview (non-normative) 5 53 3.1. SAML PSOs 5 54 3.1.1. PSO Identifier 6 55 3.1.2. PSO Data 6 56 3.2. Schema 6 57 3.3. Core Operations 6 58 3.3.1. Add Request 6 59 3.3.2. Add Response 7 60 3.3.3. Modify Request 7 61 3.3.4. Modify Response 8 62 3.3.5. Delete Request 8 63 3.3.6. Lookup Request 8 64 3.3.7. Lookup Response 8 65 3.4. Search Operations 8 66 3.4.1. Search Request 9 67 3.4.2. Search Response 9 684. Specification (Normative) 10 69 4.1. Namespaces 10 70 4.2. Core Capability 10 71 4.2.1. Element
60c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 7Copyright © OASIS Open 2006. All Rights Reserved. Page 3 of 15 81Appendix A. References 12 82Appendix B. Acknowledgments 14 83Appendix C. Notices 15 84
851. Introduction (non-normative)
86 1.1. Concepts
87SPML Version 2 (SPMLv2) defines a core protocol [SPMLv2] over which different data models can 88be used to define the actual provisioning data. The combination of a data model with the SPML 89core specification is referred to as a profile. The use of SPML requires that a specific profile is used, 90although the choice of which profile is used to negatioted out-of-band by the participating parties. 91This document describes the use of the SAML protocol as a data model for SPML based 92provisioning. This profile is optional.
93 1.1.1. SAML Protocol 94The SAML 2.0 protocol [SAMLv2???] defines the syntax and processing semantics of 95assertions made about a subject by a system entity. ***Say some more here??
96 1.2. Terminology
97Within this document: 98- The term “requestor” always refers to a Requesting Authority (RA). 99- The term “provider” always refers to a Provisioning Service Provider (PSP). 100- The term “target” always refers to a Provisioning Service Target (PST). 101- The term “object” (unless otherwise qualified) refers to a Provisioning Service Object (PSO). 102- The term “client” (unless otherwise qualified) refers to a Requesting Authority (RA). 103- The term “server” (unless otherwise qualified) refers to a Provisioning Service Provider (PSP).
1042. Notation
105This specification contains schema conforming to W3C XML Schema and normative text to 106describe the syntax and semantics of XML-encoded policy statements. 107The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", 108"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be 109interpreted as described in IETF RFC 2119 [RFC2119] 110 "they MUST only be used where it is actually required for interoperation or to limit 111 behavior which has potential for causing harm (e.g., limiting retransmissions)" 112These keywords are thus capitalized when used to unambiguously specify requirements over 113protocol and application features and behavior that affect the interoperability and security of 114implementations. When these words are not capitalized, they are meant in their natural-language 115sense. 116This specification uses the following typographical conventions in text:
80c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 9Copyright © OASIS Open 2006. All Rights Reserved. Page 4 of 15 Format Description Indicates attributeName monospace font The name of an XML attribute. with first letter lower- cased SPMLElementName monospace font The name of an XML element with first letter capitalized that is defined as part of SPMLv2. ns:ForeignElementName monospace font The name of an XML element with namespace prefix that is defined by another specification.
117Terms in italic bold-face are intended to have the meaning defined in the Glossary.
118Listings of SPML schemas appear like this.
119 120Example code listings appear like this. 121Conventional XML namespace prefixes are used throughout the listings in this specification to 122stand for their respective namespaces as follows, whether or not a namespace declaration is 123present in the example: 124- The prefix saml: stands for the SAML assertion namespace [SAML]. 125- The prefix ds: stands for the W3C XML Signature namespace [DS]. 126- The prefix xsd: stands for the W3C XML Schema namespace [XS].
1273. Overview (non-normative)
128 3.1. SAML PSOs
129A PSO is represented in this binding by an SAML Attribute Assertion that is associated with a 130target-unique SAML identifier. 131The SAML Attribute Assertions are used to provide identity and attribute data for a Provisioning 132Service Object. The PSO is equivalent to a SAML Subject in this regard.
133 3.1.1. PSO Identifier
134The PSO Identifier may be one of several types of SAML NameID identifiers. However, not every 135identifier specified in SAML is allowed as an identifier for a PSO. The following SAML name 136identifiers are allowed: 137 Unspecified
138 URI: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 139 The interpretation of the content of the element is left to individual implementations.
100c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 11Copyright © OASIS Open 2006. All Rights Reserved. Page 5 of 15 140 141 E-Mail address 142 URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 143 144 Indicates that the content of the element is in the form of an email address, specifically 145 "addr-spec" as defined in IETF RFC 2822 [RFC 2822] Section 3.4.1. An addr-spec has the 146 form local-part@domain. Note that an addr-spec has no phrase (such as a common name) 147 before it, has no comment (text surrounded in parentheses) after it, and is not surrounded 148 by "<" and ">". 149 150 X509 Subject Name 151 URI: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName 152 153 Indicates that the content of the element is in the form specified for the contents of the 154
178 3.1.2. PSO Data
179The PSO Data element contains SAML Attribute Assertions, as defined in [SAML]. Additional data 180may be included via the Open Content Model. 181
120c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 13Copyright © OASIS Open 2006. All Rights Reserved. Page 6 of 15 188 3.2. Schema
189***how to handle schema with SAML?
190 3.3. Core Operations
191 3.3.1. Add Request
192The Add Request creates PSOs. The Add Request must contain a element that contains 193SAML 2.0
211 3.3.2. Add Response
212The Add Response message will contain the new PSO ID (unless it was specified in the Add 213Request). If the creation of the new PSO resulted in attributes being adding or modified in the new 214PSO, the entire PSO Data should be returned in the response. 215
140c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 15Copyright © OASIS Open 2006. All Rights Reserved. Page 7 of 15 237 3.3.3. Modify Request
238The Modify Request modifies the specified PSO. The Modify Request must always contain the PSO 239Identifier. ??Modify will always replace *all* existing values for the specified attribute? If a MVA, can 240we specify the original value so we only replace 1? Is this beyond the score here?? 241
251 3.3.4. Modify Response
252If the Modify Request causes the PSO ID to change, then the Modify Response must contain the 253new PSO ID. 254
260 3.3.5. Delete Request
261The Delete Request deletes a specified PSO. 262
267
268 3.3.6. Lookup Request
269The Lookup Request is used to retrieve the data for a specified PSO. 270
275 3.3.7. Lookup Response
276The Lookup Response contains the retrieved PSO data. 277
160c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 17Copyright © OASIS Open 2006. All Rights Reserved. Page 8 of 15 280
300 3.4. Search Operations
301If the Search Capability is supported, the SAML search filters and attribute declarations should be 302used to scope the results of the search.
303 3.4.1. Search Request
304The search request can specify SAML filters and attribute declarations. 305***How to handle search base “basePSOID”? What filter mechanism to use? DSML was specifically 306applicable here.. ?? 307
313
314 3.4.2. Search Response
315 316
180c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 19Copyright © OASIS Open 2006. All Rights Reserved. Page 9 of 15 329
3404. Specification (Normative)
341 4.1. Namespaces
342The SAMLv2 Profile uses the SAML 2.0 namespace which is defined as: 343 urn:oasis:names:tc:SAML:2.0 344The specification uses the prefix SAML: to refer to this namespace. 345The SAMLv2 Profile defines some elements that are specific to the profile. The namespace for the 346profile itself is defined as: 347 urn:oasis:names:tc:SPML:2:0:SAML 348The specification uses the prefix spmlSAML: to refer to this namespace.
349 4.2. Core Capability
350 4.2.1. Element
351The
352 4.2.2. Element
353The
355 4.2.3. Element
356***
357 4.2.4. Element
358The “entityName” attribute on the
200c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 21Copyright © OASIS Open 2006. All Rights Reserved. Page 10 of 15 362 4.3. Search Capability
363 4.3.1. Element
364***
365 4.4. SAML Profile Schema
366***
220c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 23Copyright © OASIS Open 2006. All Rights Reserved. Page 11 of 15 367Appendix A. References
368 369 [AES] National Institute of Standards and Technology (NIST), FIPS-197: 370 Advanced Encryption Standard, 371 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, National 372 Institute of Standards and Technology (NIST) 373 [ARCHIVE-1] OASIS Provisioning Services Technical Committee, email archive, 374 http://www.oasis- 375 open.org/apps/org/workgroup/provision/email/archives/index.html, 376 OASIS PS-TC 377 [DS] IETF/W3C, W3C XML Signatures, http://www.w3.org/Signature/, 378 W3C/IETF 379 [GLOSSARY] OASIS Provisioning Services TC, Glossary of Terms, http://www.oasis- 380 open.org/apps/org/workgroup/provision/download.php, OASIS PS-TC 381 [RFC 2119] S. Bradner., Key words for use in RFCs to Indicate Requirement Levels, 382 http://www.ietf.org/rfc/rfc2119.txt, IETF 383 [RFC 2246] T. Dierks and C. Allen, The TLS Protocol, 384 http://www.ietf.org/rfc/rfc2246.txt, IETF 385 [SAML] OASIS Security Services TC, http://www.oasis- 386 open.org/committees/tc_home.php?wg_abbrev=security, OASIS SS- 387 TC 388 [SOAP] W3C XML Protocol Working Group, http://www.w3.org/2000/xp/Group/ 389 [SPML-Bind] OASIS Provisioning Services TC, SPML V1.0 Protocol Bindings, 390 http://www.oasis- 391 open.org/apps/org/workgroup/provision/download.php/1816/draft- 392 pstc-bindings-03.doc, OASIS PS-TC 393 [SPML-REQ] OASIS Provisioning Services Technical Committee, Requirements, 394 http://www.oasis- 395 open.org/apps/org/workgroup/provision/download.php/2277/draft- 396 pstc-requirements-01.doc, OASIS PS-TC 397 [SPML-UC] OASIS Provisioning Services Technical Committee, SPML V1.0 Use 398 Cases, http://www.oasis- 399 open.org/apps/org/workgroup/provision/download.php/988/drfat- 400 spml-use-cases-05.doc, OASIS PS-TC 401 [SPMLv2-Profile-SAML] OASIS Provisioning Services Technical Committee, SPMLv2 402 SAMLv2 Profile, OASIS PS-TC 403 [SPMLv2-Profile-XSD] OASIS Provisioning Services Technical Committee, SPML V2 404 XSD Profile, OASIS PS-TC 405 [SPMLv2-REQ] OASIS Provisioning Services Technical Committee, Requirements, OASIS 406 PS-TC 407 [SPMLv2-ASYNC] OASIS Provisioning Services Technical Committee, XML Schema 408 Definitions for Async Capability of SPMLv2, OASIS PS-TC
240c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 25Copyright © OASIS Open 2006. All Rights Reserved. Page 12 of 15 409 [SPMLv2-BATCH] OASIS Provisioning Services Technical Committee, XML Schema 410 Definitions for Batch Capability of SPMLv2, OASIS PS-TC 411 [SPMLv2-BULK] OASIS Provisioning Services Technical Committee, XML Schema 412 Definitions for Bulk Capability of SPMLv2, OASIS PS-TC 413 [SPMLv2-CORE] OASIS Provisioning Services Technical Committee, XML Schema 414 Definitions for Core Operations of SPMLv2, OASIS PS-TC 415 [SPMLv2-PASS] OASIS Provisioning Services Technical Committee, XML Schema 416 Definitions for Password Capability of SPMLv2, OASIS PS-TC 417 [SPMLv2-REF] OASIS Provisioning Services Technical Committee, XML Schema 418 Definitions for Reference Capability of SPMLv2, OASIS PS-TC 419 [SPMLv2-SEARCH] OASIS Provisioning Services Technical Committee, XML Schema 420 Definitions for Search Capability of SPMLv2, OASIS PS-TC 421 [SPMLv2-SUSPEND] OASIS Provisioning Services Technical Committee, XML Schema 422 Definitions for Suspend Capability of SPMLv2, OASIS PS-TC 423 [SPMLv2-UPDATES] OASIS Provisioning Services Technical Committee, XML Schema 424 Definitions for Updates Capability of SPMLv2, OASIS PS-TC 425 [SPMLv2-UC] OASIS Provisioning Services Technical Committee., SPML V2.0 Use 426 Cases, OASIS PS-TC 427 [WSS] OASIS Web Services Security (WSS) TC, http://www.oasis- 428 open.org/committees/tc_home.php?wg_abbrev=wss, OASIS SS-TC 429 [X509] RFC 2459 - Internet X.509 Public Key Infrastructure Certificate and CRL 430 Profile, http://www.ietf.org/rfc/rfc2459.txt 431 [XSD] W3C Schema WG ., W3C XML Schema, 432 http://www.w3.org/TR/xmlschema-1/ W3C 433 434 435
260c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 27Copyright © OASIS Open 2006. All Rights Reserved. Page 13 of 15 436Appendix B. Acknowledgments
437The following individuals were voting members of the Provisioning Services committee at the time 438that this version of the specification was issued: 439 Richard Sand, Tripod Technology Group 440 Jeff Bohren, BMC 441 Robert Boucher, CA 442 Gary Cole, Sun Microsystems 443 Rami Elron, BMC 444 Marco Fanti, Thor Technologies 445 James Hu, HP 446 Martin Raepple, SAP 447 Gavenraj Sodhi, CA 448 Kent Spaulding, Sun Microsystems 449
280c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 29Copyright © OASIS Open 2006. All Rights Reserved. Page 14 of 15 450Appendix C. Notices
451OASIS takes no position regarding the validity or scope of any intellectual property or other rights 452that might be claimed to pertain to the implementation or use of the technology described in this 453document or the extent to which any license under such rights might or might not be available; 454neither does it represent that it has made any effort to identify any such rights. Information on 455OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS 456website. Copies of claims of rights made available for publication and any assurances of licenses to 457be made available, or the result of an attempt made to obtain a general license or permission for 458the use of such proprietary rights by implementers or users of this specification, can be obtained 459from the OASIS Executive Director. 460OASIS has been notified of intellectual property rights claimed in regard to some or all of the 461contents of this specification. For more information consult the online list of claimed rights. 462OASIS invites any interested party to bring to its attention any copyrights, patents or patent 463applications, or other proprietary rights which may cover technology that may be required to 464implement this specification. Please address the information to the OASIS Executive Director. 465Copyright (C) OASIS Open 2006. All Rights Reserved. 466This document and translations of it may be copied and furnished to others, and derivative works 467that comment on or otherwise explain it or assist in its implementation may be prepared, copied, 468published and distributed, in whole or in part, without restriction of any kind, provided that the above 469copyright notice and this paragraph are included on all such copies and derivative works. However, 470this document itself may not be modified in any way, such as by removing the copyright notice or 471references to OASIS, except as needed for the purpose of developing OASIS specifications, in 472which case the procedures for copyrights defined in the OASIS Intellectual Property Rights 473document must be followed, or as required to translate it into languages other than English. 474The limited permissions granted above are perpetual and will not be revoked by OASIS or its 475successors or assigns. 476This document and the information contained herein is provided on an “AS IS” basis and OASIS 477DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO 478ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY 479RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A 480PARTICULAR PURPOSE.
300c759f64cb623dcecd6ce45eff772a26.doc 7/17/2006 31Copyright © OASIS Open 2006. All Rights Reserved. Page 15 of 15