security-services message
Subject: delegation/intermediaries solution bullets



In lieu of an actual writeup, let me toss out my (and Scott's) intentions
for solution proposals for the delegation/intermediaries item.

One approach is to profile the simple passing along of a browser-profile
SSO assertion by an intermediate to a backend.  In many cases this will be
sufficient based on the trust relationship between the two.  The main
change required to make this work well is a change that I think has been
suggested for other reasons:  to make the interpretation of freshness of
the SSO assertion be based not on validity period (i.e., NotBefore and
NotOnOrAfter conditions) but on IssueInstant and the relying party's
acceptable time limits after that.  There is probably the need to
additionally profile the use of the passed-along assertion based on the
nature of the communication from the intermediate to the backend; one
flavor for the case where the backend is itself protected by the SAML
browser profile; another for SOAP, which presumably means using the WSS
SAML token profile (though some might argue against adding a dependency on
WSS).

The other approach is to provide the ability for the intermediate to
obtain a distinct delegation token, specifically a Kerberos service
ticket, for the case when the intermediate-backend communication is done
via a kerberized application protocol.  The proposal will suggest
extending the Authentication Authority and SAML protocol to support
requesting and returning this token in addition to an authentication
statement.  This is intended to be consistent with the Kerberos-based
solution proposal from John Hughes.  It should be easily extensible to
support other kinds of delegation tokens.

 - RL "Bob"
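
The freshness change described in the first approach, as an added illustration that is not part of the original message: a constructed SAML 1.x assertion is checked both ways, by the issuer's NotBefore/NotOnOrAfter window and by the relying party's own acceptable age measured from IssueInstant. The five-minute limit and the sample timestamps are assumptions for the example.

```python
# Added example (not from the original message): compares the two freshness
# interpretations the email contrasts for a forwarded browser-profile SSO
# assertion. The assertion XML below is constructed for illustration.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: issued at 12:00Z, valid until 20:00Z (an 8-hour window).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="constructed-example-id" IssueInstant="2003-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2003-05-01T11:58:00Z"
                   NotOnOrAfter="2003-05-01T20:00:00Z"/>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(xml_text):
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {"issue_instant": _ts(root.get("IssueInstant")),
            "not_before": _ts(cond.get("NotBefore")),
            "not_on_or_after": _ts(cond.get("NotOnOrAfter"))}

def fresh_by_validity(a, now):
    """Issuer-set window: accepted while NotBefore <= now < NotOnOrAfter."""
    return a["not_before"] <= now < a["not_on_or_after"]

def fresh_by_issue_instant(a, now, max_age):
    """Relying-party policy: accepted only within max_age of IssueInstant
    (and never before it was issued)."""
    return a["issue_instant"] <= now <= a["issue_instant"] + max_age

def evaluate(xml_text, now, max_age=timedelta(minutes=5)):
    """Return both verdicts so the two policies can be compared side by side."""
    a = parse(xml_text)
    return {"validity": fresh_by_validity(a, now),
            "issue_instant": fresh_by_issue_instant(a, now, max_age)}

if __name__ == "__main__":
    # Backend receives the forwarded assertion six hours after issuance:
    # still inside the issuer's window, but stale under a 5-minute policy.
    late = _ts("2003-05-01T18:00:00Z")
    print(evaluate(ASSERTION, late))  # {'validity': True, 'issue_instant': False}
```

The six-hour case is the one the email's change targets: a backend that trusts only the issuer's validity window would accept an assertion the intermediate held for hours, while the IssueInstant rule bounds that replay window to the relying party's chosen limit.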
