[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Kerberos use cases
As per the teleconf last night let me articulate the Kerberos use cases on the table; 1. Bridge Server: This is a middleware translation gateway, where on one side will be a SAML based environment and the other a Kerberos based RPC application (e.g. MS RPC/DCOM or DCE RPC). 2. Kerberos Clients/Browsers: the local environment consist of workstations that are Kerberos enabled with the user using Kerberos to authenticate to the local domain. The user then wishes to access a remote domain using a browser without having to be re-authenticated. The SAML 2.0 Browser profiles will be used to provide the SAML assertion to the remote domain. In this Kerberos means either "pure" Kerberos, Windows 2000/2003 or DCE. In many respects this use case - when you have a PC which is within a windows 2000/2003 domain - could be widely used within a intranet/extranet environment. There are actually two options for this use case: 2(a) Using the Credential Conversion Service an architectural enhancement is to provide a separate service that permits Kerberos tickets, Windows PACs or DCE PACS to be normatively translated into a SAML assertion. This does not mean the PAC information would be carried within the SAML assertion, but rather translation would take place. For example group membership/privilege from a PAC would cause a suitable SAML attribute statement to be generated 2(b) Not using the Credential Conversion Service This is where no Credential Conversion Service would be provided and its to the implementer how they would architect their solution. However i'ts still recommended that a normative approach is adopted for PAC translation I hope this makes the use cases clearer. john
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]