RE: [saml-dev] SAML newbie question - do cross IdP trusts exist inSAML?

[Thomas Hardjono <hardjono@MIT.EDU>]

Hi Krishna,

Comments in-line.

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Saturday, May 08, 2010 3:15 PM
> To: 'Krishna Ganugapati'; saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in
> SAML?
> 
> > Hello I'm generally familiar with Kerberos realms. Here is my questions.
> > What is the equivalent of cross realm trusts in the SAML world - is there
> > the equivalent of cross IdP trusts
> 
> Trust in SAML is out of scope and is up to the implementatioons. Most SAML
> systems are based around PKI, metadata exchange, or a combination of the two
> for trust management, and are inherently cross-domain. It's possible to
> implement SAML with symmetric keys and end up with something very like
> Kerberos, but that's fairly pointless (why not just use Kerberos?).

TH: Currently most of the Kerberos realm-to-realm (KDC-to-KDC) "trust" establishment (read: sharing of symmetric long-term master key) is performed manually or through the use of PKINIT (or Anonymous PKINIT).  Note that MSFT Kerberos in Active Directory do things differently for cross-realm trust.

It would be interesting if there was some simple SAML profile (?) that would allow a KDC#1 to "discover" the capabilities of another KDC#2 and then establish trust with that KDC#2. Perhaps using the metadata structure in SAML.


> > Does this equivalent exist in SAML? All of the examples I see involve a
> > user, a single IdP and an SP.
> 
> You're confusing protocols between two parties with trust fabrics that
> potentially can encompass hundreds or thousands of parties. And in SAML any
> exchanges are potentially cross domain because the IdP is the equivalent of
> the KDC.
> 
> > In my SAML scenario, there are two IdPs  (IdP1 and IdP2) that trust each
> > other.  User  X is known by IdP1 and  SP  Z trusts IdP2. IdP1 and IdP2
> trust
> > each other.
> 
> That's a proxying scenario.

TH: Yes this looks like a direct mapping of cross-realm TGTs concept with the IdP1/IdP2 scenario.  I think the relationship between an IdP and an SP is far more "richer" in contextual information compared to the KDC-to-KDC trust as defined in RFC4120. As Scott mentions, this also looks like proxying, which means it could make use of the S4U extensions of Kerberos.

/thomas/

> 
> > a) What is the protocol sequence here? Given that SPs refer users to an
> > IdP, it's like a reverse Kerberos referral model.  Would SP refer user X
> > to IdP2 who in turn refers X to IdP1 which results then in a security
> > token from IdP1, followed by a security token from IdP2, followed by
> > access to the resource
> 
> Yes.

Isn't this just the vanilla use-case scenario for SSO?


/thomas/

> 
> > b) If a) is correct, could someone point me to the drafts that do this?
> 
> It's in core.
> 
> > c)  Do  existing SAML toolkits do something like this?
> 
> Toolkits are not IdPs and SPs, they're raw material for building one. I
> don't know how common formal proxying is in IdPs.
> 
> -- Scott
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org