[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
Yes, this is correct. The Kerberos protocol defines an extensible way to get a users initial Kerberos ticket (tgt) and preauth is the way that Kerberos can support multiple technologies (e.g. smart cards, token devices, one time password). Each preauth type is defined with a unique number that is (or will be soon) registered with IANA by IETF Kerberos WG. So, in our standards work we need to describe clearly how Kerberos can be represented in a SAML assertion and allow any pre-auth data type to be described, thus allowing a SAML site to make decisions based on the type of authentication used. Previously I had suggested we add something like :pa-data-type:<n> (n = unique number describing the preauth type) to AuthenticationMethod, but I think we decided this was better described in some sort of Context class instead - this is what I was expecting to see in the AuthnContext draft ... I think :-) Tim. -----Original Message----- From: Scott Cantor [mailto:cantor.2@osu.edu] Sent: 26 May 2004 22:21 To: 'John Kemp'; Tim Alsop; p.madsen@entrust.com; security-services@lists.oasis-open.org Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication > The other case, where the actual authenticator is a password, is > represented already with the PasswordProtectedTransport class. > As I mentioned yesterday, I added an ExternalVerification attribute to > the PasswordType element, which can carry the Kerberos URN, specifying > that Kerberos was used as the "pre-authentication" method. Pre-auth isn't meant in that sense, it's how you do the real Kerberos dance to get a TGT, so it really needs to qualify the Kerberos-Protected-Transport case, I think. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]