Ticket 48707 - Draft Ldap SSO Token proposal

Description: This is the first revision of the Draft of LDAP SSO Sasl mech
we would like to design and add to DS.

Additionally, this provides the structure and make file to allow easier drafting
and implementation of further rfc topics.

https://fedorahosted.org/389/ticket/48707

Author: wibrown

Review by: mreynolds (Thanks!)

rfcs/Makefile

@@ -0,0 +1,13 @@
+
+allrfcs: folders examplerfcs draft-wibrown-ldapssotoken-00
+
+folders:
+	mkdir -p txt
+
+examplerfcs:
+	xml2rfc examples/template-bare-06.txt -o txt/template-bare-06.txt --text
+
+draft-wibrown-ldapssotoken-00:
+	xml2rfc src/draft-wibrown-ldapssotoken-00.xml -o txt/draft-wibrown-ldapssotoken-00.txt --text
+	xml2rfc src/draft-wibrown-ldapssotoken-00.xml -o txt/draft-wibrown-ldapssotoken-00.raw --raw
+

rfcs/examples/template-bare-06.txt

@@ -0,0 +1,426 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!-- This template is for creating an Internet Draft using xml2rfc,
+    which is available here: http://xml.resource.org. -->
+<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
+<!-- One method to get references from the online citation libraries.
+    There has to be one entity for each item to be referenced. 
+    An alternate method (rfc include) is described in the references. -->
+
+<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
+<!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
+<!ENTITY RFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">
+<!ENTITY RFC5226 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml">
+]>
+<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
+<!-- used by XSLT processors -->
+<!-- For a complete list and description of processing instructions (PIs), 
+    please see http://xml.resource.org/authoring/README.html. -->
+<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
+    (Here they are set differently than their defaults in xml2rfc v1.32) -->
+<?rfc strict="yes" ?>
+<!-- give errors regarding ID-nits and DTD validation -->
+<!-- control the table of contents (ToC) -->
+<?rfc toc="yes"?>
+<!-- generate a ToC -->
+<?rfc tocdepth="4"?>
+<!-- the number of levels of subsections in ToC. default: 3 -->
+<!-- control references -->
+<?rfc symrefs="yes"?>
+<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
+<?rfc sortrefs="yes" ?>
+<!-- sort the reference entries alphabetically -->
+<!-- control vertical white space 
+    (using these PIs as follows is recommended by the RFC Editor) -->
+<?rfc compact="yes" ?>
+<!-- do not start each main section on a new page -->
+<?rfc subcompact="no" ?>
+<!-- keep one blank line between list items -->
+<!-- end of list of popular I-D processing instructions -->
+<rfc category="info" docName="draft-ietf-xml2rfc-template-06" ipr="trust200902">
+ <!-- category values: std, bcp, info, exp, and historic
+    ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902,
+       or pre5378Trust200902
+    you can add the attributes updates="NNNN" and obsoletes="NNNN" 
+    they will automatically be output with "(if approved)" -->
+
+ <!-- ***** FRONT MATTER ***** -->
+
+ <front>
+   <!-- The abbreviated title is used in the page header - it is only necessary if the 
+        full title is longer than 39 characters -->
+
+   <title abbrev="Abbreviated Title">Put Your Internet Draft Title
+   Here</title>
+
+   <!-- add 'role="editor"' below for the editors if appropriate -->
+
+   <!-- Another author who claims to be an editor -->
+
+   <author fullname="Elwyn Davies" initials="E.B." role="editor"
+           surname="Davies">
+     <organization>Folly Consulting</organization>
+
+     <address>
+       <postal>
+         <street></street>
+
+         <!-- Reorder these if your country does things differently -->
+
+         <city>Soham</city>
+
+         <region></region>
+
+         <code></code>
+
+         <country>UK</country>
+       </postal>
+
+       <phone>+44 7889 488 335</phone>
+
+       <email>[email protected]</email>
+
+       <!-- uri and facsimile elements may also be added -->
+     </address>
+   </author>
+
+   <date year="2010" />
+
+   <!-- If the month and year are both specified and are the current ones, xml2rfc will fill 
+        in the current day for you. If only the current year is specified, xml2rfc will fill 
+	 in the current day and month for you. If the year is not the current one, it is 
+	 necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the 
+	 purpose of calculating the expiry date).  With drafts it is normally sufficient to 
+	 specify just the year. -->
+
+   <!-- Meta-data Declarations -->
+
+   <area>General</area>
+
+   <workgroup>Internet Engineering Task Force</workgroup>
+
+   <!-- WG name at the upperleft corner of the doc,
+        IETF is fine for individual submissions.  
+	 If this element is not present, the default is "Network Working Group",
+        which is used by the RFC Editor as a nod to the history of the IETF. -->
+
+   <keyword>template</keyword>
+
+   <!-- Keywords will be incorporated into HTML output
+        files in a meta tag but they have no effect on text or nroff
+        output. If you submit your draft to the RFC Editor, the
+        keywords will be used for the search engine. -->
+
+   <abstract>
+     <t>Insert an abstract: MANDATORY. This template is for creating an
+     Internet Draft.</t>
+   </abstract>
+ </front>
+
+ <middle>
+   <section title="Introduction">
+     <t>The original specification of xml2rfc format is in <xref
+     target="RFC2629">RFC&nbsp;2629</xref>.</t>
+
+     <section title="Requirements Language">
+       <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+       "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+       document are to be interpreted as described in <xref
+       target="RFC2119">RFC 2119</xref>.</t>
+     </section>
+   </section>
+
+   <section anchor="simple_list" title="Simple List">
+     <t>List styles: 'empty', 'symbols', 'letters', 'numbers', 'hanging',
+     'format'.</t>
+
+     <t><list style="symbols">
+         <t>First bullet</t>
+
+         <t>Second bullet</t>
+       </list> You can write text here as well.</t>
+   </section>
+
+   <section title="Figures">
+     <t>Figures should not exceed 69 characters wide to allow for the indent
+     of sections.</t>
+
+     <figure align="center" anchor="xml_happy">
+       <preamble>Preamble text - can be omitted or empty.</preamble>
+
+       <artwork align="left"><![CDATA[
++-----------------------+
+| Use XML, be Happy :-) |
+|_______________________|
+           ]]></artwork>
+
+       <postamble>Cross-references allowed in pre- and postamble. <xref
+       target="min_ref" />.</postamble>
+     </figure>
+
+     <t>The CDATA means you don't need to escape meta-characters (especially
+     &lt;&nbsp;(&amp;lt;) and &amp;&nbsp;(&amp;amp;)) but is not essential.
+     Figures may also have a title attribute but it won't be displayed unless
+     there is also an anchor. White space, both horizontal and vertical, is
+     significant in figures even if you don't use CDATA.</t>
+   </section>
+
+   <!-- This PI places the pagebreak correctly (before the section title) in the text output. -->
+
+   <?rfc needLines="8" ?>
+
+   <section title="Subsections and Tables">
+     <section title="A Subsection">
+       <t>By default 3 levels of nesting show in table of contents but that
+       can be adjusted with the value of the "tocdepth" processing
+       instruction.</t>
+     </section>
+
+     <section title="Tables">
+       <t>.. are very similar to figures:</t>
+
+       <texttable anchor="table_example" title="A Very Simple Table">
+         <preamble>Tables use ttcol to define column headers and widths.
+         Every cell then has a "c" element for its content.</preamble>
+
+         <ttcol align="center">ttcol #1</ttcol>
+
+         <ttcol align="center">ttcol #2</ttcol>
+
+         <c>c #1</c>
+
+         <c>c #2</c>
+
+         <c>c #3</c>
+
+         <c>c #4</c>
+
+         <c>c #5</c>
+
+         <c>c #6</c>
+
+         <postamble>which is a very simple example.</postamble>
+       </texttable>
+     </section>
+   </section>
+
+   <section anchor="nested_lists" title="More about Lists">
+     <t>Lists with 'hanging labels': the list item is indented the amount of
+     the hangIndent: <list hangIndent="8" style="hanging">
+         <t hangText="short">With a label shorter than the hangIndent.</t>
+
+         <t hangText="fantastically long label">With a label longer than the
+         hangIndent.</t>
+
+         <t hangText="vspace_trick"><vspace blankLines="0" />Forces the new
+         item to start on a new line.</t>
+       </list></t>
+
+     <!-- It would be nice to see the next piece (12 lines) all on one page. -->
+
+     <?rfc needLines="12" ?>
+
+     <t>Simulating more than one paragraph in a list item using
+     &lt;vspace&gt;: <list style="letters">
+         <t>First, a short item.</t>
+
+         <t>Second, a longer list item.<vspace blankLines="1" /> And
+         something that looks like a separate pararaph..</t>
+       </list></t>
+
+     <t>Simple indented paragraph using the "empty" style: <list
+         hangIndent="10" style="empty">
+         <t>The quick, brown fox jumped over the lazy dog and lived to fool
+         many another hunter in the great wood in the west.</t>
+       </list></t>
+
+     <section title="Numbering Lists across Lists and Sections">
+       <t>Numbering items continuously although they are in separate
+       &lt;list&gt; elements, maybe in separate sections using the "format"
+       style and a "counter" variable.</t>
+
+       <t>First list: <list counter="reqs" hangIndent="4" style="format R%d">
+           <t>#1</t>
+
+           <t>#2</t>
+
+           <t>#3</t>
+         </list> Specify the indent explicitly so that all the items line up
+       nicely.</t>
+
+       <t>Second list: <list counter="reqs" hangIndent="4" style="format R%d">
+           <t>#4</t>
+
+           <t>#5</t>
+
+           <t>#6</t>
+         </list></t>
+     </section>
+
+     <section title="Where the List Numbering Continues">
+       <t>List continues here.</t>
+
+       <t>Third list: <list counter="reqs" hangIndent="4" style="format R%d">
+           <t>#7</t>
+
+           <t>#8</t>
+
+           <t>#9</t>
+
+           <t>#10</t>
+         </list> The end of the list.</t>
+     </section>
+   </section>
+
+   <section anchor="codeExample"
+            title="Example of Code or MIB Module To Be Extracted">
+     <figure>
+       <preamble>The &lt;artwork&gt; element has a number of extra attributes
+       that can be used to substitute a more aesthetically pleasing rendition
+       into HTML output while continuing to use the ASCII art version in the
+       text and nroff outputs (see the xml2rfc README for details). It also
+       has a "type" attribute. This is currently ignored except in the case
+       'type="abnf"'. In this case the "artwork" is expected to contain a
+       piece of valid Augmented Backus-Naur Format (ABNF) grammar. This will
+       be syntax checked by xml2rfc and any errors will cause a fatal error
+       if the "strict" processing instruction is set to "yes". The ABNF will
+       also be colorized in HTML output to highlight the syntactic
+       components. Checking of additional "types" may be provided in future
+       versions of xml2rfc.</preamble>
+
+       <artwork><![CDATA[
+
+/**** an example C program */
+
+#include <stdio.h>
+
+void
+main(int argc, char *argv[])
+{
+   int i;
+
+   printf("program arguments are:\n");
+   for (i = 0; i < argc; i++) {
+       printf("%d: \"%s\"\n", i, argv[i]);
+   }
+
+   exit(0);
+} /* main */
+
+/* end of file */
+
+           ]]></artwork>
+     </figure>
+   </section>
+
+   <section anchor="Acknowledgements" title="Acknowledgements">
+     <t>This template was derived from an initial version written by Pekka
+     Savola and contributed by him to the xml2rfc project.</t>
+
+     <t>This document is part of a plan to make xml2rfc indispensable <xref
+     target="DOMINATION"></xref>.</t>
+   </section>
+
+   <!-- Possibly a 'Contributors' section ... -->
+
+   <section anchor="IANA" title="IANA Considerations">
+     <t>This memo includes no request to IANA.</t>
+
+     <t>All drafts are required to have an IANA considerations section (see
+     <xref target="RFC5226">Guidelines for Writing an IANA Considerations Section in RFCs</xref> for a guide). If the draft does not require IANA to do
+     anything, the section contains an explicit statement that this is the
+     case (as above). If there are no requirements for IANA, the section will
+     be removed during conversion into an RFC by the RFC Editor.</t>
+   </section>
+
+   <section anchor="Security" title="Security Considerations">
+     <t>All drafts are required to have a security considerations section.
+     See <xref target="RFC3552">RFC 3552</xref> for a guide.</t>
+   </section>
+ </middle>
+
+ <!--  *****BACK MATTER ***** -->
+
+ <back>
+   <!-- References split into informative and normative -->
+
+   <!-- There are 2 ways to insert reference entries from the citation libraries:
+    1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
+    2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
+       (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
+
+    Both are cited textually in the same manner: by using xref elements.
+    If you use the PI option, xml2rfc will, by default, try to find included files in the same
+    directory as the including file. You can also define the XML_LIBRARY environment variable
+    with a value containing a set of directories to search.  These can be either in the local
+    filing system or remote ones accessed by http (http://domain/dir/... ).-->
+
+   <references title="Normative References">
+     <!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
+     &RFC2119;
+
+     <reference anchor="min_ref">
+       <!-- the following is the minimum to make xml2rfc happy -->
+
+       <front>
+         <title>Minimal Reference</title>
+
+         <author initials="authInitials" surname="authSurName">
+           <organization></organization>
+         </author>
+
+         <date year="2006" />
+       </front>
+     </reference>
+   </references>
+
+   <references title="Informative References">
+     <!-- Here we use entities that we defined at the beginning. -->
+
+     &RFC2629;
+
+     &RFC3552;
+
+     &RFC5226;
+
+     <!-- A reference written by by an organization not a person. -->
+
+     <reference anchor="DOMINATION"
+                target="http://www.example.com/dominator.html">
+       <front>
+         <title>Ultimate Plan for Taking Over the World</title>
+
+         <author>
+           <organization>Mad Dominators, Inc.</organization>
+         </author>
+
+         <date year="1984" />
+       </front>
+     </reference>
+   </references>
+
+   <section anchor="app-additional" title="Additional Stuff">
+     <t>This becomes an Appendix.</t>
+   </section>
+
+   <!-- Change Log
+
+v00 2006-03-15  EBD   Initial version
+
+v01 2006-04-03  EBD   Moved PI location back to position 1 -
+                     v3.1 of XMLmind is better with them at this location.
+v02 2007-03-07  AH    removed extraneous nested_list attribute,
+                     other minor corrections
+v03 2007-03-09  EBD   Added comments on null IANA sections and fixed heading capitalization.
+                     Modified comments around figure to reflect non-implementation of
+                     figure indent control.  Put in reference using anchor="DOMINATION".
+                     Fixed up the date specification comments to reflect current truth.
+v04 2007-03-09 AH     Major changes: shortened discussion of PIs,
+                     added discussion of rfc include.
+v05 2007-03-10 EBD    Added preamble to C program example to tell about ABNF and alternative 
+                     images. Removed meta-characters from comments (causes problems).
+
+v06 2010-04-01 TT     Changed ipr attribute values to latest ones. Changed date to
+                     year only, to be consistent with the comments. Updated the 
+                     IANA guidelines reference from the I-D to the finished RFC.  -->
+ </back>
+</rfc>

rfcs/src/draft-wibrown-ldapssotoken-00.xml

@@ -0,0 +1,441 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
+
+<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
+<!ENTITY RFC2222 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2222.xml">
+<!ENTITY RFC4511 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml">
+]>
+
+<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
+
+<?rfc strict="yes" ?>
+<?rfc toc="yes"?>
+<?rfc tocdepth="4"?>
+<?rfc symrefs="yes"?>
+<?rfc sortrefs="yes" ?>
+<?rfc compact="yes" ?>
+<?rfc subcompact="no" ?>
+<rfc category="std" docName="draft-wibrown-ldapssotoken-01" ipr="trust200902">
+
+<front>
+
+    <title abbrev="LDAP SSO Token">Draft LDAP Single Sign On Token Processing</title>
+
+
+   <author fullname="William Brown" initials="W.B." surname="Brown">
+     <organization>Red Hat Asia-Pacific Pty Ltd</organization>
+
+     <address>
+       <postal>
+         <street>Level 1, 193 North Quay</street>
+         <city>Brisbane</city>
+         <code>4000</code>
+         <region>Queensland</region>
+         <country>AU</country>
+       </postal>
+
+       <phone></phone>
+
+       <email>[email protected]</email>
+
+       <!-- uri and facsimile elements may also be added -->
+     </address>
+   </author>
+
+   <author fullname="Simo Sorce" initials="S.S." surname="Sorce" role="editor">
+     <organization>Red Hat, Inc.</organization>
+
+     <address>
+       <postal>
+         <street></street>
+
+         <city></city>
+
+         <region></region>
+
+         <code></code>
+
+         <country></country>
+       </postal>
+
+       <phone></phone>
+
+       <email>[email protected]</email>
+
+       <!-- uri and facsimile elements may also be added -->
+     </address>
+   </author>
+
+   <author fullname="Kieran Andrews" initials="K.A." surname="Andrews" role="editor">
+     <organization>The University of Adelaide</organization>
+
+     <address>
+       <postal>
+         <street></street>
+
+         <city>Adelaide</city>
+
+         <region>South Australia</region>
+
+         <code>5005</code>
+
+         <country>AU</country>
+       </postal>
+
+       <phone></phone>
+
+       <email>[email protected]</email>
+
+       <!-- uri and facsimile elements may also be added -->
+     </address>
+   </author>
+
+   <date year="2016"></date>
+
+
+    <area>General</area>
+
+   <workgroup>Internet Engineering Task Force</workgroup>
+
+    <!-- I am not sure of the appropriate keywords here -->
+   <keyword>draft-wibrown-ldapssotoken</keyword>
+
+   <abstract>
+     <t>LDAP Single Sign On Token is a SASL (Simple Authentication and Security Layer
+        <xref target="RFC2222">RFC 2222</xref>) mechanism to allow single sign-on to an LDAP
+        Directory Server environment. Tokens generated by the LDAP server can be transmitted through other
+        protocols and channels, allowing a broad range of clients and middleware to take advantage
+        of single sign-on in environments where Kerberos v5 or other Single Sign On mechanisms may not be avaliable.</t>
+   </abstract>
+
+</front>
+
+
+<middle>
+
+    <section title="Introduction">
+        <t>The need for new, simple single sign-on capable systems has arisen
+        with the development of new technologies and systems. For these systems
+        we should be able to provide a simple, localised and complete single
+        sign-on service. This does not aim to replace Kerberos V5. It is designed for when Kerberos
+        is too invasive for installation in an environment.
+        </t>
+
+
+        <t>Tokens generated by this system should be able to be transmitted over
+        different protocols allowing middleware to relay tokens to clients.
+        Clients can then contact the middleware natively and the middleware can
+        negotiate the client authentication with the LDAP server.</t>
+
+        <!-- Use terms to describe instead -->
+        <t>This implementation will provide an LDAP extended operation to create
+        tokens which a client may cache, or relay to a further client. The token
+        can then be sent in a SASL bind request to the LDAP server. The token
+        remains valid over many binds. Finally, Tokens
+        for a client are always able to be revoked at the LDAP Server using an
+        LDAP extended operation, allowing global
+        logout by the user or administrator.</t>
+
+
+    </section>
+
+    <section title="Requirements Language">
+        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+        "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+        document are to be interpreted as described in <xref
+        target="RFC2119">RFC 2119</xref>.</t>
+    </section>
+
+    <section title="Format">
+        <t>This document has two components. A SASL Mechanism, and LDAP extended operations.</t>
+        <t>There is no strict requirement for the two to coexist: The LDAP Operation
+        is an implementation of the service providing tokens, and the SASL Mechanism to authenticate them.</t>
+        <t>In theory, an alternate protocol and database could generate and authenticate these tokens.</t>
+    </section>
+
+    <section title="SASL Component">
+        <section title="Token formats">
+            <t>Token formats are server implementation specific: As they
+            are the only entity that will decrypt and consume them, they have
+            the option to provide these in any format they wish. </t>
+            <t>This means the client will only see an opaque data structure, and will only
+            need to transmit this opaque structure as part of the authentication request.</t>
+
+            <t>For the token system to operate correctly the server MUST
+            generate tokens that contain at least these three values:</t>
+            <t>
+                <list style="symbols">
+                    <t>Date Time Issued</t>
+                    <t>Date Time Until</t>
+                    <t>User Unique Id</t>
+                </list>
+            </t>
+            <t>As the client does not ever see the contents the User Unique Id can be
+            anything within the database that uniquely identifies the user
+            that is the holder of the token.</t>
+            <t>The User Unique Id MUST be an UTF8 String.</t>
+            <t>The token format MUST be encrypted. The token format can be
+            decrypted with either a asymmetric or symmetric keying system. </t>
+            <t>The token format MUST have a form of data authentication.
+            This can be through authenticated encryption, or validation of a hash.</t>
+            <t>The Date Time Issued MUST be a complete timestamp in UTC, to
+            prevent issues with changing timezones.</t>
+            <t>Without these guarantees, the token system is not secure,
+            and is vulnerable to credential forgery attacks.</t>
+
+            <t>Here is an EXAMPLE ASN.1 format that would be encrypted and
+            sent to the client:</t>
+            <figure align="left" anchor="asn_token_example">
+                <artwork align="left"><![CDATA[
+LDAPSSOToken ::= SEQUENCE {
+    DateTimeIssued GeneralizedTime,
+    DateTimeUntil  GeneralizedTime,
+    UserUniqueId   UTF8String }
+                ]]></artwork>
+            </figure>
+            <t>This would be encrypted with AES-GCM and transmitted to the
+            client.</t>
+
+            <!-- make this an xref -->
+            <t>Another example would be to use a fernet token
+            <xref target="FERNETSPEC">Fernet Specification</xref>.</t>
+
+            <figure align="left" anchor="fernet_token_example">
+                <artwork align="left"><![CDATA[
+Version || Timestamp || IV || Ciphertext || HMAC
+                ]]></artwork>
+            </figure>
+
+            <t>Timestamp can be considered to be the DateTimeIssued as:</t>
+
+            <t>"This field is a 64-bit unsigned big-endian integer. It records
+            the number of seconds elapsed between January 1, 1970 UTC and the
+            time the token was created."</t>
+
+            <t>We can then create a Cipher text containing:</t>
+
+            <figure align="left" anchor="fernet_tokendata_example">
+                <artwork align="left"><![CDATA[
+Date Time Until || User Unique Id
+                ]]></artwork>
+            </figure>
+
+            <t>The Date Time Until is a 64-bit unsigned big-endian integer. It is,
+            like Date Time Issued, the number of seconds since January 1, 1970
+            UTC, and the token creation time added to the number of seconds of
+            the requested life time. </t>
+
+            <t>This example format satisfies all of our data requirements for the sso token
+            system.</t>
+
+        </section>
+
+        <section title="SASL Client">
+            <t>The client will request a token from the authentication server.
+            The acquisition method for the token is discussed in section XXX.</t>
+            <t>For authentication, the client MUST send the token as it was received.
+            IE changes to formatting are not permitted.</t>
+            <t>The client MAY transform the token if acting in a proxy fashion.
+            However this transformation must be deterministic and able to be
+            reversed to satisfy the previous requirement.</t>
+            <figure align="left" anchor="server_transform_example">
+                <artwork align="left"><![CDATA[
++-------+              +-------------+              +--------+
+| LDAP  |              | HTTP server |              | Client |
+|       |              |             | <- Login --  |        |
+|       | <-- Bind --  |             |              |        |
+|       | - Success -> |             |              |        |
+|       | <- Req Token |             |              |        |
+|       | -- Token --> |             |              |        |
+|       | <- Unbind -  |             |              |        |
+|       | - Success -> |             |              |        |
+|       |              | Html Escape |              |        |
+|       |              |             | -- Safe -->  |        |
+|       |              |             |     Token    |        |
+|       |              |             |              | Store  |
+|       |              |             | < Request +- |        |
+|       |              | Reverse esc |    Token     |        |
+|       | < Token Bind |             |              |        |
+|       | - Success -> |             |              |        |
+|       | <- Operation |             |              |        |
+|       | <- Unbind -  |             |              |        |
+|       | - Success -> |             |              |        |
+|       |              |             | - Response > |        |
++-------+              +-------------+              +--------+
+                ]]></artwork>
+            </figure>
+            <t>This example shows how a client is issued with a token when
+            communicating with a web server via the HTTP intermediate. The Client
+            does not need to be aware of the SASL/LDAP system in the background,
+            or the token's formatting rules. Provided the HTTP server in
+            proxy, if required to transform the token, is able to undo the
+            transformations, this is a valid scenario. For example, HTML escaping
+            a base64 token.</t>
+        </section>
+
+        <section title="SASL Authentication">
+            <t>The client issues a SASL bind request with the mechanism name
+            LDAPSSOTOKEN.</t>
+            <t>The client provides the encrypted token that was provided in
+            the LDAPSSOTokenResponse Token Field.</t>
+            <t>The token is decrypted and authenticated based on the token
+            format selected by the server. The server MAY attempt multiple
+            token keys and or formats to find the correct issuing format and
+            key.</t>
+            <t>If the token decryption fails, the attempt with this key and
+            format MUST be considered to fail.</t>
+            <t>If the values have been tampered with, IE hash authentication fails, the attempt with the key
+            and format MUST be considered to fail. </t>
+            <t>The token decryption MUST return a valid DateTimeUntil,
+            DateTimeIssued and User Unique Id. If this is not returned, the decryption
+            MUST be considered to fail.</t>
+            <t>If all token formats and keys fail to decrypt, this MUST cause an
+            invalidCredentials error.</t>
+            <t>The DateTimeUntil field is checked against the servers current
+            time. If the current time exceeds or is equal to DateTimeUntil,
+            invalidCredentials MUST be returned.</t>
+            <t>The User Unique Id is validated to exist on the server. If the User Unique Id
+            does not exist, invalidCredentials MUST be returned.</t>
+            <t>The DateTimeIssued field is validated against the User Unique Id object's
+            attribute or related attribute that contains "Valid Not Before". If the value of
+            "Valid Not Before" exceeds or is equal to DateTimeIssued,
+            invalidCredentials MUST be returned.</t>
+            <t>Only if all of these steps have succeeded, then the authentication is considered successful. </t>
+        </section>
+
+        <section title="Valid Not Before Attribute">
+            <t>The management and details of the "Valid Not Before" attribute
+            are left to the implementation to decide how to implement and
+            manage. The implementation should consider how an administrator
+            or responsible party could revoke tokens for users other than their
+            own. The Valid Not Before SHOULD be replicated between LDAP servers
+            to allow correct revocation across many LDAP servers. For example,
+            Valid Not Before MAY be an attribute on the User Unique Id object, or MAY be on another
+            object with a unique relation to the User Unique Id.</t>
+        </section>
+    </section>
+
+    <section title="LDAP Component">
+
+        <section title="Token Generation">
+            <t>An ldap extended operation is issued as per Section 4.12 of
+            <xref target="RFC4511">RFC 4511</xref>.</t>
+            <t>The LDAP OID to be used for the LDAPSSOTokenRequest is 2.16.840.1.113730.3.5.14.</t>
+            <t>The LDAP OID to be used for the LDAPSSOTokenResponse is 2.16.840.1.113730.3.5.15.</t>
+            <t>A User Unique Id is selected. This may be the Bind DN, UUID or other
+            utf8 identifier that uniquely determines an object.</t>
+            <t>The extended operation must fail if the LDAP connection security stregth factors is 0.</t>
+            <t>Tokens must not be generated for Anonymous binds. This means,
+            tokens may only be generated for connections with a valid bind dn set.</t>
+            <t>Token requests MUST contain a requested lifetime in seconds.
+            The server MAY choose to ignore this lifetime and set it's own
+            value.</t>
+            <t>A token request of a negative or zero value SHOULD default to
+            a server definied minimum lifetime.</t>
+            <t>The token is created as per an example token format in 4.1. This value
+            is then encrypted with an encryption algorithm of the servers
+            choosing. The client does not need to be aware of the encryption
+            algorithm.</t>
+            <t>The DateTimeIssued, DateTimeUntil and User Unique Id are collected in
+            the format required by the token format we are choosing to use in
+            the server. The token is then generated by the chosen
+            algorithm.</t>
+            <t>The encrypted token is sent to the client in the
+            LDAPSSOTokenResponse structure, along with the servers chosen valid
+            life time as a guide for the client to approximate the expiry of the
+            token. This valid life time value is in seconds.</t>
+            <t>If the token cannot be generated due to a server error, LDAP_OPERATION_ERROR MUST be returned.</t>
+
+            <section title="Token Generation Extended Operation">
+                <figure align="left" anchor="token_generation_ext_op">
+                    <artwork align="left"><![CDATA[
+LDAPSSOTokenRequest ::= SEQUENCE {
+    ValidLifeTime INTEGER }
+
+LDAPSSOTokenResponse ::= SEQUENCE {
+    ValidLifeTime INTEGER,
+    EncryptedToken         OCTET STRING
+}
+                    ]]></artwork>
+                </figure>
+            </section>
+        </section>
+
+        <section title="Token Revocation">
+            <t>An ldap extended operation is issued as per Section 4.12
+            <xref target="RFC4511">RFC 4511</xref>. </t>
+            <t>The LDAP OID to be used for LDAPSSOTOKENRevokeRequest is 2.16.840.1.113730.3.5.16.</t>
+            <t>The extended operation MUST fail if the connection is
+            anonymous.</t>
+            <t>The extended operation MUST fail if the LDAP connection security strength factors is 0.</t>
+            <t>The extended operation MUST only act upon the "Valid Not Before"
+            attribute related to the bind DN of the connection.</t>
+            <t>Upon recieving the extended operation to revoke tokens, the
+            directory server MUST set the current BindDN's related "Valid Not Before" attribute timestamp to the current datetime. This will
+            have the effect, that all previously issued tokens are invalidated.</t>
+            <t>This revocation option must work regardless of directory server
+            access controls on the attribute containing "Valid Not Before".</t>
+            <section title="Token Revocation Extended Operation">
+                <t>The extended operation requestValue MUST not be set for
+                LDAP SSO Token revocation.</t>
+                <t>The extended operation does not provide a response OID. The result is set in the LDAPResult.</t>
+            </section>
+        </section>
+
+        <section title="Binding">
+            <t>The SASL bind attempt MUST fail if the LDAP connection security strength factors is 0.</t>
+            <t>The SASL Authentication is attempted as per Section 4.3. If this does not succeed, the bind attempt MUST fail.</t>
+            <t>The LDAP Object is retrived from the User Unique Id, and a Bind DN Determined. If no Bind DN can be determined, the bind attempt MUST fail.</t>
+            <t>The current Bind DN MUST be set to the Bind DN of the LDAP object that is determined, and the result ldap success is returned to the LDAP client.</t>
+        </section>
+
+    </section>
+
+    <section title="Security Considerations">
+        <t>Due to the design of this token, it is possible to use it in a replay
+        attack. Notable threats are storage on the client and man in the middle attacks.
+        To minimise the man in the middle attack thread, LDAP security strength factor of greater than 0 is a requirement.
+        Client security is not covered by this document.</t>
+    </section>
+
+    <section title="Requirements">
+        <t>The SASL mechanism, LDAPSSOTOKEN, MUST be registered to IANA as per
+        <xref target="RFC2222">RFC 2222</xref> Section 6.4</t>
+    </section>
+
+
+</middle>
+
+<back>
+
+   <references title="Normative References">
+     &RFC2119;
+
+   </references>
+
+   <references title="Informative References">
+     &RFC2222;
+
+     &RFC4511;
+    <!-- Add the fernet reference  -->
+
+    <reference anchor="FERNETSPEC"
+    target="https://github.com/fernet/spec/blob/master/Spec.md">
+        <front>
+            <title>Fernet Specification</title>
+
+            <author fullname="Tom Maher" initials="T.M." surname="Maher">
+            </author>
+
+            <author fullname="Keith Rarick" initials="K.R." surname="Rarick">
+            </author>
+
+            <date year="2013" />
+        </front>
+    </reference>
+
+    </references>
+
+</back>
+
+</rfc>