RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

["Tim Alsop" <Tim.Alsop@CyberSafe.Ltd.UK>]

Yes, this is correct. The Kerberos protocol defines an extensible way to
get a users initial Kerberos ticket (tgt) and preauth is the way that
Kerberos can support multiple technologies (e.g. smart cards, token
devices, one time password). Each preauth type is defined with a unique
number that is (or will be soon) registered with IANA by IETF Kerberos
WG. 

So, in our standards work we need to describe clearly how Kerberos can
be represented in a SAML assertion and allow any pre-auth data type to
be described, thus allowing a SAML site to make decisions based on the
type of authentication used. Previously I had suggested we add something
like :pa-data-type:<n> (n = unique number describing the preauth type)
to AuthenticationMethod, but I think we decided this was better
described in some sort of Context class instead - this is what I was
expecting to see in the AuthnContext draft ... I think :-)

Tim.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: 26 May 2004 22:21
To: 'John Kemp'; Tim Alsop; p.madsen@entrust.com;
security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod /
NameIdentifier and Kerberos authentication

> The other case, where the actual authenticator is a password, is
> represented already with the PasswordProtectedTransport class. 
> As I mentioned yesterday, I added an ExternalVerification attribute to
> the PasswordType element, which can carry the Kerberos URN, specifying
> that Kerberos was used as the "pre-authentication" method. 

Pre-auth isn't meant in that sense, it's how you do the real Kerberos
dance
to get a TGT, so it really needs to qualify the
Kerberos-Protected-Transport
case, I think.

-- Scott