|
184 | 184 | <t> |
185 | 185 | This section updates |
186 | 186 | "Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 |
187 | | - Client Authentication and Authorization Grants" <xref target="RFC7522"/> |
188 | | - to tighten its audience requirements. |
| 187 | + Client Authentication and Authorization Grants" <xref target="RFC7522"/>. |
| 188 | + It tightens its audience requirements for SAML authorization grants and |
| 189 | + it deprecates the use of SAML assertions for client authentication. |
| 190 | + </t> |
| 191 | + <t> |
| 192 | + The text and example in Section 2.2 of <xref target="RFC7522"/> |
| 193 | + (Using SAML Assertions for Client Authentication) |
| 194 | + is replaced by: |
| 195 | + <list style="empty"> |
| 196 | + <t> |
| 197 | + It is RECOMMENDED that SAML Bearer Assertions |
| 198 | + not be used for for client authentication. |
| 199 | + </t> |
| 200 | + </list> |
189 | 201 | </t> |
190 | 202 | <t> |
191 | 203 | The description of the Audience element in Item 2 of |
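Review bot: Duplicated word in the new normative sentence at line 198, "not be used for for client authentication." Beyond the typo, "It is RECOMMENDED that ... not be used" is not an RFC 2119 construct; the defined keyword for this meaning is NOT RECOMMENDED (equivalent to SHOULD NOT), so the replacement for Section 2.2 reads more cleanly as "SAML Bearer Assertions SHOULD NOT be used for client authentication." Also at lines 192-194, "The text and example in Section 2.2 ... is replaced by" needs "are replaced by" (plural subject).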
|
195 | 207 | <t> |
196 | 208 | The Assertion MUST contain a <Conditions> element |
197 | 209 | with an <AudienceRestriction> element |
198 | | - with a single <Audience> element that identifies the |
| 210 | + with an <Audience> element that identifies the |
199 | 211 | authorization server as the intended audience. |
200 | | - The value of the <Audience> element MUST be |
201 | | - the issuer identifier <xref target="RFC8414"/> of the authorization server. |
| 212 | + It is the responsibility of the client to use only |
| 213 | + audience values that |
| 214 | + are specific to the authorization server being used. |
| 215 | + This MAY be |
| 216 | + the issuer identifier of the authorization server, |
| 217 | + the token endpoint URL of the authorization server, or |
| 218 | + a SAML Entity ID. |
202 | 219 | Section 2.5.1.4 of |
203 | 220 | "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0" |
204 | 221 | <xref target="OASIS.saml-core-2.0-os"/> |
205 | 222 | defines the <AudienceRestriction> and <Audience> elements. |
206 | | - Unlike the audience value specified in <xref target="RFC7522"/>, |
207 | | - there MUST be no value other than |
208 | | - the issuer identifier of the intended authorization server |
209 | | - used as the audience of the assertion; |
210 | | - this includes that the token endpoint URL of the authorization server |
211 | | - MUST NOT be used as an audience value. |
212 | | - <vspace blankLine="1"/> |
213 | | - |
214 | 223 | The authorization server MUST reject any assertion that does not |
215 | | - contain its own issuer identifier as the sole audience value. |
| 224 | + contain its own identity as the intended audience. |
216 | 225 | </t> |
217 | 226 | </list> |
218 | 227 | </t> |
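Review bot: The server-side rule at new line 224, "contain its own identity as the intended audience", no longer tells an authorization server which values count as its identity, while the client-side text at lines 215-218 lists three candidates (issuer identifier, token endpoint URL, SAML Entity ID). A client that sends the Entity ID against a server that only matches its issuer identifier gets a silent rejection; suggest the MUST-reject sentence enumerate the same set, e.g. "does not contain its issuer identifier, its token endpoint URL, or its SAML Entity ID as an audience value." Two related points: "a SAML Entity ID" at line 218 should say whose (the authorization server's); and by dropping "with a single <Audience> element" at line 210 together with the deleted "there MUST be no value other than ..." text, the hunk again permits assertions that carry additional audiences, which sits oddly with the section intro still saying the document "tightens its audience requirements" (line 188). If multiple audiences are intentionally allowed, say so explicitly, since an assertion valid at several servers is exactly what the single-audience rule guarded against.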
|
241 | 250 | In the same section, the SAML 2.0 Assertion example is replaced by: |
242 | 251 | </preamble> |
243 | 252 | <artwork><![CDATA[ |
244 | | - <Assertion IssueInstant="2024-11-17T00:53:34.619Z" |
| 253 | + <Assertion IssueInstant="2025-07-17T00:53:34.619Z" |
245 | 254 | ID="ef1xsbZxPV2oqjd7HTLRLIBlBb7" |
246 | 255 | Version="2.0" |
247 | 256 | xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> |
|
257 | 266 | <SubjectConfirmation |
258 | 267 | Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> |
259 | 268 | <SubjectConfirmationData |
260 | | - NotOnOrAfter="2024-11-17T00:58:34.619Z" |
| 269 | + NotOnOrAfter="2025-07-17T00:58:34.619Z" |
261 | 270 | Recipient="https://authz.example.net/token.oauth2"/> |
262 | 271 | </SubjectConfirmation> |
263 | 272 | </Subject> |
|
266 | 275 | <Audience>https://authz.example.net</Audience> |
267 | 276 | </AudienceRestriction> |
268 | 277 | </Conditions> |
269 | | - <AuthnStatement AuthnInstant="2024-11-17T00:53:34.371Z"> |
| 278 | + <AuthnStatement AuthnInstant="2025-07-17T00:53:34.371Z"> |
270 | 279 | <AuthnContext> |
271 | 280 | <AuthnContextClassRef> |
272 | 281 | urn:oasis:names:tc:SAML:2.0:ac:classes:X509 |
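Review bot: The timestamps across the three date-bump hunks are mutually consistent (AuthnInstant 00:53:34.371Z precedes IssueInstant 00:53:34.619Z, and NotOnOrAfter is five minutes later), so nothing to fix there; but the example only exercises one of the three audience forms the new text allows: <Audience> is https://authz.example.net (the issuer identifier) while Recipient is the token endpoint URL https://authz.example.net/token.oauth2. Since the prose now says the token endpoint URL or a SAML Entity ID MAY also be used, consider a sentence under the artwork stating that the example uses the issuer identifier form, or a second example showing one of the other forms.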
|
276 | 285 | </Assertion> |
277 | 286 | ]]></artwork> |
278 | 287 | </figure> |
279 | | - <t> |
280 | | - In the list of agreements required by participants |
281 | | - in Section 5 of <xref target="RFC7521"/> (Interoperability Considerations), |
282 | | - "audience identifiers" is removed from the list. |
283 | | - </t> |
| 288 | + |
284 | 289 | </section> |
285 | 290 |
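Review bot: Deleting the paragraph that struck "audience identifiers" from the RFC 7521 Section 5 agreements list is the right companion to the multi-value audience text earlier in this diff (with the issuer identifier, token endpoint URL, or SAML Entity ID all permitted, the audience identifier is again something client and authorization server must agree on out of band), but the withdrawal of that RFC 7521 update should be recorded in the change log, which in the later hunk only mentions SAML client authentication. Minor: the deletion leaves a stray blank line 288 before </section>.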
|
286 | 291 | <section title="Updates to RFC 7523" anchor="RFC7523Updates"> |
|
811 | 816 | be the issuer identifier, so as to make a minimum of breaking changes. |
812 | 817 | </t> |
813 | 818 | <t> |
814 | | - Deprecated SAML client authentication in RFC 7522. (still TBD in this draft) |
| 819 | + Deprecated the use of SAML assertions for client authentication. |
815 | 820 | </t> |
816 | 821 | </list> |
817 | 822 | </t> |
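Review bot: The new change-log entry at line 819 drops the "in RFC 7522" qualifier; since this document also updates RFC 7523 (the next section heading), name the spec and section: "Deprecated the use of SAML assertions for client authentication (RFC 7522, Section 2.2)." It would also help to say that the deprecation is expressed as a recommendation (RECOMMENDED not to / SHOULD NOT) rather than a prohibition, as that is what the Section 2.2 replacement text does, so implementers reading only the change log do not assume a MUST NOT.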
|