Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist inSAML?
Hi Krishna,

Comments in-line.

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Saturday, May 08, 2010 3:15 PM
> To: 'Krishna Ganugapati'; saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in SAML?
>
> > Hello, I'm generally familiar with Kerberos realms. Here are my questions.
> > What is the equivalent of cross realm trusts in the SAML world - is there
> > the equivalent of cross IdP trusts?
>
> Trust in SAML is out of scope and is up to the implementations. Most SAML
> systems are based around PKI, metadata exchange, or a combination of the two
> for trust management, and are inherently cross-domain. It's possible to
> implement SAML with symmetric keys and end up with something very like
> Kerberos, but that's fairly pointless (why not just use Kerberos?).

TH: Currently, most of the Kerberos realm-to-realm (KDC-to-KDC) "trust" establishment (read: sharing of a symmetric long-term master key) is performed manually or through the use of PKINIT (or Anonymous PKINIT). Note that MSFT Kerberos in Active Directory does things differently for cross-realm trust. It would be interesting if there was some simple SAML profile (?) that would allow a KDC#1 to "discover" the capabilities of another KDC#2 and then establish trust with that KDC#2. Perhaps using the metadata structure in SAML.

> > Does this equivalent exist in SAML? All of the examples I see involve a
> > user, a single IdP and an SP.
>
> You're confusing protocols between two parties with trust fabrics that
> potentially can encompass hundreds or thousands of parties. And in SAML any
> exchanges are potentially cross domain because the IdP is the equivalent of
> the KDC.
>
> > In my SAML scenario, there are two IdPs (IdP1 and IdP2) that trust each
> > other. User X is known by IdP1 and SP Z trusts IdP2. IdP1 and IdP2 trust
> > each other.
>
> That's a proxying scenario.

TH: Yes, this looks like a direct mapping of the cross-realm TGT concept onto the IdP1/IdP2 scenario. I think the relationship between an IdP and an SP is far "richer" in contextual information compared to the KDC-to-KDC trust as defined in RFC4120. As Scott mentions, this also looks like proxying, which means it could make use of the S4U extensions of Kerberos.

/thomas/

> > a) What is the protocol sequence here? Given that SPs refer users to an
> > IdP, it's like a reverse Kerberos referral model. Would SP refer user X
> > to IdP2 who in turn refers X to IdP1, which results then in a security
> > token from IdP1, followed by a security token from IdP2, followed by
> > access to the resource?
>
> Yes.

Isn't this just the vanilla use-case scenario for SSO?

/thomas/

> > b) If a) is correct, could someone point me to the drafts that do this?
>
> It's in core.
>
> > c) Do existing SAML toolkits do something like this?
>
> Toolkits are not IdPs and SPs, they're raw material for building one. I
> don't know how common formal proxying is in IdPs.
>
> -- Scott
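The proxying sequence the thread settles on (SP Z trusts only IdP2, user X is known only to IdP1, so IdP2 proxies the request to IdP1 and re-issues an assertion to SP Z) as a stand-alone Python simulation. This is an added example, not code from the thread or from any SAML toolkit. The entity IDs are constructed, the "metadata" table of per-entity signing keys with HMAC-SHA256 stands in for XML-Signature verified against certificates published in SAML metadata (Scott's point about symmetric keys stands; the HMAC is only a placeholder so the example runs with the standard library), and the checks it applies are the ones SAML 2.0 Core specifies for proxying: a ProxyCount of 0 forbids proxying, the proxying IdP decrements ProxyCount and honours the requester's IDPList, and the re-issued assertion carries an AuthenticatingAuthority chain that the SP inspects before accepting the login.

```python
# Added example (not from the thread): SAML 2.0 proxying, SP Z -> IdP2 -> IdP1.
# Signing here is HMAC with a per-entity key looked up in a toy "metadata"
# table; in real SAML this is XML-Signature verified against metadata certificates.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed entity IDs for the three parties in the thread's scenario.
SP_Z = "https://sp-z.example.com"
IDP2 = "https://idp2.example.net"
IDP1 = "https://idp1.example.org"

# Constructed "metadata": entityID -> signing key (stand-in for an X.509 cert).
METADATA = {IDP1: secrets.token_bytes(32), IDP2: secrets.token_bytes(32)}


@dataclass
class AuthnRequest:
    issuer: str
    destination: str
    proxy_count: int                                   # <Scoping ProxyCount=...>
    idp_list: list = field(default_factory=list)       # <IDPList>: IdPs the SP accepts
    requester_ids: list = field(default_factory=list)  # <RequesterID> chain added by proxies


@dataclass
class Assertion:
    issuer: str
    subject: str
    audience: str
    authenticating_authorities: list  # <AuthenticatingAuthority> chain, upstream first
    signature: str = ""

    def payload(self) -> bytes:
        return json.dumps([self.issuer, self.subject, self.audience,
                           self.authenticating_authorities]).encode()


def sign(assertion: Assertion, key: bytes) -> Assertion:
    assertion.signature = hmac.new(key, assertion.payload(), hashlib.sha256).hexdigest()
    return assertion


def verify(assertion: Assertion, trusted_metadata: dict, expected_audience: str) -> None:
    """Trust-fabric check: issuer must be in OUR metadata, the signature must
    verify under that issuer's key, and the assertion must be addressed to us."""
    key = trusted_metadata.get(assertion.issuer)
    if key is None:
        raise PermissionError(f"issuer {assertion.issuer} not in metadata")
    expected = hmac.new(key, assertion.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.signature):
        raise PermissionError("bad signature")
    if assertion.audience != expected_audience:
        raise PermissionError("assertion not addressed to us")


class IdP:
    def __init__(self, entity_id: str, users, trusted_metadata: dict):
        self.entity_id, self.users, self.trusted = entity_id, set(users), trusted_metadata

    def handle(self, req: AuthnRequest, user: str, upstreams: dict) -> Assertion:
        if user in self.users:  # local authentication, no proxying needed
            return sign(Assertion(self.entity_id, user, req.issuer, []), METADATA[self.entity_id])
        if req.proxy_count <= 0:  # Core: ProxyCount="0" means the requester forbids proxying
            raise PermissionError("proxying not permitted by requester")
        # Proxy only to an IdP the requester listed (or any, if no IDPList) AND
        # that we hold metadata for, i.e. one inside our own trust fabric.
        candidates = [i for i in (req.idp_list or list(self.trusted))
                      if i in self.trusted and i in upstreams]
        if not candidates:
            raise PermissionError("no acceptable upstream IdP")
        upstream = candidates[0]
        proxied = AuthnRequest(self.entity_id, upstream, req.proxy_count - 1,
                               req.idp_list, req.requester_ids + [req.issuer])
        upstream_assertion = upstreams[upstream].handle(proxied, user, upstreams)
        verify(upstream_assertion, self.trusted, self.entity_id)
        # Re-issue under our own key, recording who actually authenticated the user.
        chain = upstream_assertion.authenticating_authorities + [upstream_assertion.issuer]
        return sign(Assertion(self.entity_id, user, req.issuer, chain), METADATA[self.entity_id])


def sp_login(user: str, proxy_count: int = 1, acceptable_upstreams=(IDP1,)) -> Assertion:
    """SP Z's view: it trusts IdP2 directly and states which IdPs IdP2 may proxy to."""
    idp1 = IdP(IDP1, users={"X"}, trusted_metadata={})
    idp2 = IdP(IDP2, users=set(), trusted_metadata={IDP1: METADATA[IDP1]})
    req = AuthnRequest(SP_Z, IDP2, proxy_count, list(acceptable_upstreams))
    assertion = idp2.handle(req, user, {IDP1: idp1})
    verify(assertion, {IDP2: METADATA[IDP2]}, SP_Z)
    # The SP, not the proxy, decides whether the upstream chain is acceptable.
    for authority in assertion.authenticating_authorities:
        if authority not in acceptable_upstreams:
            raise PermissionError(f"unacceptable upstream {authority}")
    return assertion


if __name__ == "__main__":
    a = sp_login("X")
    print("granted via", " -> ".join(a.authenticating_authorities + [a.issuer]))
    for kwargs in ({"proxy_count": 0}, {"acceptable_upstreams": ()}):
        try:
            sp_login("X", **kwargs)
        except PermissionError as e:
            print("denied:", e)
```

Note that SP Z never sees IdP1's key: it validates only IdP2's signature and then judges the AuthenticatingAuthority chain, which is what makes the scenario a trust fabric rather than a pairwise key exchange. The same block shows the two refusals a practitioner should expect: a request with ProxyCount 0 stops at IdP2, and an assertion whose chain names an IdP the SP did not list is rejected at the SP.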