Subject: RE: [security-services] Drafts for review: Kerberos & SAML profiles
Josh Howlett wrote on 2009-08-18:

> I think it would be useful to understand whether it is acceptable to
> use subject confirmation methods other than those that are mentioned
> in the WSS SAML TP spec.

I think I'm coming to believe you're right, that there's no precluding of other types. Even if there were, I don't find the current TP to be particularly attractive for newer applications anyway, so I think it's moot.

My reading of the IMI spec suggests to me that ultimately it's really unspecified how you map particular WS-Trust requirements for proof keys into specific SAML assertions, so I think that's quite doable using token profiles in that context.

> Interestingly, WRT the IMI spec (section 12) defines a set of
> identifier-types that are represented through an <Identity>
> WS-Addressing <EndpointReference> property. Two of these are Service
> Principal Name and User Principal name, and the semantics associated
> with those fit the Kerberos use-case.

Sort of in reverse, yes, they tell you who you're getting an assertion from or sending it to, but I agree that the structure is applicable.

> I've only just skim-read the IMI profile, and so I'm not fully clear
> on what these are intended for. Oddly, each representation (DNS name,
> SPN, UPN, KeyInfo) has text that also describes how the endpoint can
> "prove its right to speak" as the identity. I'm puzzled by this but,
> for the Identity representations I care about, this text seems to be a
> suggestion rather than a stipulation.

The point of it is to inform your dialog with the endpoint. If you're using Kerberos to authenticate to the IdP, it tells you what the SPN of the IdP is so you can request a ticket for it.

-- Scott
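The exchange above turns on what a relying party does with the <Identity> property of a WS-Addressing <EndpointReference>: the representation (DNS name, SPN, UPN or KeyInfo) tells the client how to address the endpoint, for instance which SPN to request a Kerberos ticket for before authenticating to the IdP. The following Python is an added illustration of that reading, not code from the thread, the IMI specification or any listed project. It assumes the WS-Addressing 2005/08 namespace, the `addressingidentity` namespace and the `Spn`/`Upn`/`Dns` element names as they are used in WCF endpoint identities, and the EPR it parses is a constructed sample; the mapping of a bare DNS identity to `HTTP/<host>` is a convention, not something the thread states.

```python
# Added example: read the <Identity> of a WS-Addressing EndpointReference and
# decide which Kerberos principal to request a ticket for.
# Namespaces and element names are assumptions taken from WCF/WS-Addressing
# identity usage; they are not quoted from the IMI spec discussed above.
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
WSID = "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# The four representations named in the thread: DNS name, SPN, UPN, KeyInfo.
IDENTITY_KINDS = {
    f"{{{WSID}}}Dns": "dns",
    f"{{{WSID}}}Spn": "spn",
    f"{{{WSID}}}Upn": "upn",
    f"{{{DSIG}}}KeyInfo": "keyinfo",
}

# Constructed sample EPR for an IdP/STS whose identity is given as an SPN.
SAMPLE_EPR = """<wsa:EndpointReference
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
  <wsa:Address>https://idp.example.org/sts</wsa:Address>
  <wsid:Identity><wsid:Spn>HTTP/idp.example.org</wsid:Spn></wsid:Identity>
</wsa:EndpointReference>"""


def parse_endpoint_identity(epr_xml: str):
    """Return (address, kind, value) for an EndpointReference.

    kind is one of dns/spn/upn/keyinfo, or None when the EPR carries no
    <Identity>; for keyinfo the value is the serialized <ds:KeyInfo> element.
    """
    root = ET.fromstring(epr_xml)
    if root.tag != f"{{{WSA}}}EndpointReference":
        raise ValueError("not a wsa:EndpointReference")
    addr_el = root.find(f"{{{WSA}}}Address")
    address = addr_el.text.strip() if addr_el is not None and addr_el.text else None
    identity = root.find(f"{{{WSID}}}Identity")
    if identity is None:
        return address, None, None
    for child in identity:
        kind = IDENTITY_KINDS.get(child.tag)
        if kind is None:
            continue  # ignore representations this client does not understand
        if kind == "keyinfo":
            return address, kind, ET.tostring(child, encoding="unicode")
        return address, kind, (child.text or "").strip()
    raise ValueError("Identity element carries no recognised representation")


def kerberos_target(kind, value):
    """Principal to request a Kerberos ticket for, or None if Kerberos does not apply.

    spn: use it as given.  upn: the endpoint runs as a user account, so that
    principal is the ticket target (the WCF convention; an assumption here).
    dns: map to HTTP/<host> (a common convention, also an assumption).
    keyinfo / absent: the identity is proven by a key, not by Kerberos.
    """
    if kind == "spn":
        return value
    if kind == "upn":
        return value
    if kind == "dns":
        return f"HTTP/{value}"
    return None


if __name__ == "__main__":
    address, kind, value = parse_endpoint_identity(SAMPLE_EPR)
    print(address, kind, value, "->", kerberos_target(kind, value))
```

The decision is made before any token is requested: a client that sees an SPN or UPN identity knows it is expected to obtain a service ticket for that principal, whereas a KeyInfo identity points at a key the endpoint must prove possession of, which is the case where a holder-of-key style confirmation, rather than a Kerberos exchange, is the natural fit.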