security-services message
Subject: RE: Kerberos & front-channel bindings (was Metadata IOP & the front-channel bindings)


Josh Howlett wrote on 2009-10-06:
> So, if I understand you correctly, front-channel security is
> considered entirely orthogonal to SAML message security and the IOP is
> intended for the latter?

Yes. Metadata is usually about how entities deal with each other, and
doesn't include the client. In general, anything that doesn't consume
metadata is quite obviously not obligated to do anything with this profile
(e.g. a browser).

> The reason I ask is because I have recently been trying to understand
> the feasibility of using the Kerberos protocol within a SAML system
> (as opposed to the more typical use of X.509 credentials or public key
> crypto in general).

That would generally be covered by the concepts, but the profile isn't
written to support that particular use case at the moment.

> I have tentatively arrived at the conclusion that there is nothing in
> SAML2Core that would prevent the use of Kerberos in those places where
> XML-SIG and XML-ENC are invoked, assuming the presence of:
>      (1) a mechanism that allows the Requesting, Responding or
> Asserting parties to provide a Kerberos service ticket in the
> <KeyInfo> elements (which contains the session key used in the crypto
> operations)
>      (2) a mechanism that allows these parties to determine if a
> Kerberos principal is associated with a particular SAML entity.

Nothing I can see.

> I would be very interested in any opinions on this analysis and approach.

It makes sense to me in general, but I assume you have some way to use
Kerberos to "sign" the response or assertion in an SSO flow?

-- Scott
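The following is an added, runnable sketch of the approach Josh describes and Scott's closing question; it is not code from this thread, from OASIS, or from any SAML implementation. It models item (1) by carrying a Kerberos service ticket inside <ds:KeyInfo> and using the ticket's session key with the XML Signature HMAC-SHA256 SignatureMethod (that is how a symmetric Kerberos key can "sign" a Response), and item (2) by checking that the ticket's client principal is bound to the claimed SAML Issuer. Everything Kerberos-related is a toy stand-in so the script runs offline: the `urn:example:kerberos-keyinfo` namespace, the `<krb:ServiceTicket>` element and the XOR "encryption" of the ticket are assumptions, not any published profile, and canonicalisation uses the standard library's C14N 2.0 rather than the exclusive C14N 1.0 SAML deployments use. The XML Signature structure (SignedInfo, enveloped transform, Reference digest, SignatureValue over canonical SignedInfo) is the real one.

```python
"""Toy model: SAML Response signed with HMAC-SHA256 keyed by a Kerberos session
key; the service ticket carrying that key travels in <ds:KeyInfo>. Added example,
not part of the OASIS thread. Kerberos pieces are simulated (see comments)."""
import base64
import copy
import hashlib
import hmac
import json
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "krb": "urn:example:kerberos-keyinfo",  # assumed namespace; no such profile exists
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
C14N2 = "http://www.w3.org/2010/xml-c14n2"  # stdlib canonicalize() implements C14N 2.0
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def c14n(elem):
    """Canonical bytes of a subtree (C14N 2.0; SAML deployments use exclusive C14N 1.0)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


# Toy stand-in for the KDC. A real service ticket is encrypted and integrity
# protected under the service's long-term key; here it is JSON XORed with a
# SHA-256 counter keystream so the example runs offline. Not a real cipher.
def _keystream(key, n):
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]


def issue_ticket(service_key, cname, session_key):
    body = json.dumps({"cname": cname, "key": session_key.hex()}).encode()
    enc = bytes(a ^ b for a, b in zip(body, _keystream(service_key, len(body))))
    return base64.b64encode(enc).decode()


def open_ticket(service_key, ticket_b64):
    enc = base64.b64decode(ticket_b64)
    body = bytes(a ^ b for a, b in zip(enc, _keystream(service_key, len(enc))))
    d = json.loads(body)  # garbage under the wrong key raises ValueError
    return d["cname"], bytes.fromhex(d["key"])


def build_response(issuer, subject, resp_id="_r1"):
    """Skeleton samlp:Response with one Assertion (constructed sample data)."""
    resp = ET.Element(q("samlp", "Response"), ID=resp_id, Version="2.0",
                      IssueInstant="2009-10-06T00:00:00Z")
    ET.SubElement(resp, q("saml", "Issuer")).text = issuer
    st = ET.SubElement(resp, q("samlp", "Status"))
    ET.SubElement(st, q("samlp", "StatusCode"), Value=SUCCESS)
    a = ET.SubElement(resp, q("saml", "Assertion"), ID="_a1", Version="2.0")
    ET.SubElement(a, q("saml", "Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q("saml", "Subject")), q("saml", "NameID")).text = subject
    return resp


def sign_response(resp, session_key, ticket_b64):
    """Attach an enveloped HMAC-SHA256 ds:Signature keyed by the Kerberos session key."""
    digest = hashlib.sha256(c14n(resp)).digest()  # no Signature yet == enveloped transform
    sig = ET.Element(q("ds", "Signature"))
    si = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(si, q("ds", "CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, q("ds", "SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, q("ds", "Reference"), URI="#" + resp.get("ID"))
    ET.SubElement(ET.SubElement(ref, q("ds", "Transforms")), q("ds", "Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, q("ds", "DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, q("ds", "DigestValue")).text = base64.b64encode(digest).decode()
    mac = hmac.new(session_key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, q("ds", "SignatureValue")).text = base64.b64encode(mac).decode()
    ki = ET.SubElement(sig, q("ds", "KeyInfo"))
    ET.SubElement(ki, q("krb", "ServiceTicket")).text = ticket_b64  # assumed KeyInfo child
    resp.insert(1, sig)  # schema order: Issuer, Signature, Status, Assertion
    return resp


def verify_response(resp, service_key, principal_to_entity):
    """Return (ok, reason). principal_to_entity is the item-(2) binding from the thread."""
    sig = resp.find("ds:Signature", NS)
    if sig is None:
        return False, "unsigned"
    try:
        cname, session_key = open_ticket(service_key, sig.findtext("ds:KeyInfo/krb:ServiceTicket", namespaces=NS))
    except (ValueError, KeyError, TypeError):
        return False, "ticket not decryptable with this service key"
    issuer = resp.findtext("saml:Issuer", namespaces=NS)
    if principal_to_entity.get(cname) != issuer:
        return False, "principal %s is not bound to entity %s" % (cname, issuer)
    si = sig.find("ds:SignedInfo", NS)
    ref = si.find("ds:Reference", NS)
    if si.find("ds:SignatureMethod", NS).get("Algorithm") != HMAC_SHA256 or ref.get("URI") != "#" + resp.get("ID"):
        return False, "unexpected SignatureMethod or Reference"
    stripped = copy.deepcopy(resp)
    stripped.remove(stripped.find("ds:Signature", NS))  # enveloped-signature transform
    digest = hashlib.sha256(c14n(stripped)).digest()
    if not hmac.compare_digest(digest, base64.b64decode(ref.findtext("ds:DigestValue", default="", namespaces=NS))):
        return False, "content digest mismatch"
    mac = hmac.new(session_key, c14n(si), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(sig.findtext("ds:SignatureValue", default="", namespaces=NS))):
        return False, "HMAC mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: good response, tampered content, wrong principal binding, wrong service key."""
    service_key = hashlib.sha256(b"SP long-term key (constructed)").digest()
    session_key = secrets.token_bytes(32)
    cname, entity = "idp/idp.example.org@EXAMPLE.ORG", "https://idp.example.org/saml"
    ticket = issue_ticket(service_key, cname, session_key)
    resp = sign_response(build_response(entity, "alice"), session_key, ticket)
    good = verify_response(resp, service_key, {cname: entity})
    tampered = copy.deepcopy(resp)
    tampered.find(".//saml:NameID", NS).text = "mallory"
    bad_content = verify_response(tampered, service_key, {cname: entity})
    bad_binding = verify_response(resp, service_key, {cname: "https://other.example.org/saml"})
    bad_key = verify_response(resp, hashlib.sha256(b"other key").digest(), {cname: entity})
    return good[0], bad_content[0], bad_binding[0], bad_key[0]


if __name__ == "__main__":
    print(demo())
```

Two points the sketch makes concrete: because the SignatureMethod is an HMAC, anyone holding the session key (including the relying party that decrypts the ticket) can produce a valid SignatureValue, so the "signature" only proves origin to that one relying party, unlike an XML-DSig over a public key; and the principal-to-entity check in `verify_response` is not optional, since without it a valid ticket for any principal would authenticate any Issuer.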
