Subject: Re: [security-services] AuthenticationMethod / NameIdentifier and Kerberos authentication
Hi Tim,

From what you're saying, I gather the following things about Kerberos as an authentication method:

1) The Kerberos auth method itself is governed by RFC 1510.
2) Pre-authentication may take place.
3) Pre-authentication methods may be specified independently of RFC 1510.

So, it seems to me that 2) and 3) are actually contextual information further describing the Kerberos authentication (i.e. that pre-auth took place with some authentication method). Is that a correct interpretation?

Cheers,
- JohnK

ext Tim Alsop wrote:
> Scott,
>
> I noticed you had an AI from last F2F regarding representing Kerberos
> principals in an assertion.
>
> So far we have been assuming that the AuthenticationMethod should be :
>
> *URI:* urn:ietf:rfc:1510
>
> It appears to me that we could add the pre-auth data type onto this to
> become :
>
> *URI:* urn:ietf:rfc:1510:padata-type:<n>
> <n> is the preauthentication datatype as specified in the IETF draft
> or RFC specific to the authentication type
>
> However, if we have multiple NameIdentifiers, maybe we want to
> represent the Format for each principal that was authenticated to give
> uniqueness - see below :
>
> *URI:* urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos:padata-type:<n>
> <n> is the preauthentication datatype as specified in the IETF draft
> or RFC specific to the authentication type
>
> What do you think ?
>
> Once we are in agreement as to what is needed I can write some
> normative text for inclusion on the specs.
>
> We also need to consider adding text to the authnrequest description
> so that a Kerberos initial ticket (tgt) lifetime can be carried over
> into the lifetime of the assertion.
>
> Thanks, Tim.
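A small illustration of the two URI forms and the TGT-lifetime carry-over discussed in this thread, added here as example code; it is not from the thread, from the OASIS specifications, or from any Kerberos implementation. The URI layouts follow Tim's proposal as quoted above and are not a published standard; the function names, the 8-hour lifetime cap, and the sample timestamps are my own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# AuthenticationMethod URI the thread assumes for Kerberos (RFC 1510).
KERBEROS_AUTHN_METHOD = "urn:ietf:rfc:1510"
# NameIdentifier Format prefix from Tim's second proposal (assumed form, not standardised).
KERBEROS_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"

# Both proposals append ":padata-type:<n>" where <n> is the Kerberos pre-auth data type number.
_AUTHN_URI = re.compile(r"^urn:ietf:rfc:1510(?::padata-type:(\d+))?$")
_NAMEID_URI = re.compile(
    r"^urn:oasis:names:tc:SAML:2\.0:nameid-format:kerberos(?::padata-type:(\d+))?$")


def _check_padata_type(padata_type):
    # padata-type is an integer registry value; anything else is rejected outright.
    if not isinstance(padata_type, int) or isinstance(padata_type, bool) or padata_type < 0:
        raise ValueError("padata-type must be a non-negative integer")


def authn_method_uri(padata_type=None):
    """Build the AuthenticationMethod URI, with the pre-auth data type appended if one took place."""
    if padata_type is None:
        return KERBEROS_AUTHN_METHOD
    _check_padata_type(padata_type)
    return f"{KERBEROS_AUTHN_METHOD}:padata-type:{padata_type}"


def nameid_format_uri(padata_type=None):
    """Build the per-principal NameIdentifier Format URI from the second proposal."""
    if padata_type is None:
        return KERBEROS_NAMEID_FORMAT
    _check_padata_type(padata_type)
    return f"{KERBEROS_NAMEID_FORMAT}:padata-type:{padata_type}"


def parse_kerberos_uri(uri):
    """Classify a URI as ('authn' | 'nameid', padata_type-or-None); unknown URIs yield (None, None).

    A relying party can use this to tell "Kerberos, no pre-auth recorded" apart from
    "Kerberos with pre-auth type n" without string-prefix guessing.
    """
    m = _AUTHN_URI.match(uri)
    if m:
        return ("authn", int(m.group(1)) if m.group(1) is not None else None)
    m = _NAMEID_URI.match(uri)
    if m:
        return ("nameid", int(m.group(1)) if m.group(1) is not None else None)
    return (None, None)


def assertion_validity(issue_instant, tgt_endtime, max_lifetime=timedelta(hours=8)):
    """Carry the TGT lifetime into the assertion: NotOnOrAfter never exceeds the ticket's end time.

    Returns (NotBefore, NotOnOrAfter). The max_lifetime cap is an assumed local policy so the
    assertion does not outlive an unusually long ticket either.
    """
    if tgt_endtime <= issue_instant:
        raise ValueError("TGT already expired at assertion issue time")
    not_on_or_after = min(tgt_endtime, issue_instant + max_lifetime)
    return (issue_instant, not_on_or_after)


if __name__ == "__main__":
    # Constructed sample: pre-auth type 2 is PA-ENC-TIMESTAMP in the Kerberos padata registry.
    issued = datetime(2004, 3, 1, 9, 0, tzinfo=timezone.utc)
    ticket_end = issued + timedelta(hours=10)   # constructed 10-hour TGT
    print(authn_method_uri(2))
    print(nameid_format_uri(2))
    print(parse_kerberos_uri("urn:ietf:rfc:1510"))
    print(assertion_validity(issued, ticket_end))
```

The parser deliberately accepts only the exact shapes from the proposal, so a URI like `urn:ietf:rfc:1510:padata-type:` with no number, or one with trailing junk, is treated as unknown rather than silently as plain Kerberos.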