saml-dev message

Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in SAML?

From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Thomas Hardjono'" <hardjono@mit.edu>, "'Krishna Ganugapati'" <kganugapati@gmail.com>, <saml-dev@lists.oasis-open.org>
Date: Mon, 10 May 2010 11:15:10 -0400

> TH: Yes this looks like a direct mapping of cross-realm TGTs concept with
> the IdP1/IdP2 scenario.  I think the relationship between an IdP and an SP
> is far more "richer" in contextual information compared to the KDC-to-KDC
> trust as defined in RFC4120. As Scott mentions, this also looks like
> proxying, which means it could make use of the S4U extensions of Kerberos.

Proxying in Kerberos is very different from IdP proxying in SAML. We're not
talking about impersonation of users, but relaying requests between IdPs to
isolate trust relationships.

-- Scott

Follow-Ups:
- RE: [saml-dev] SAML newbie question - do cross IdP trusts exist inSAML?
  - From: Thomas Hardjono <hardjono@MIT.EDU>

References:
- SAML newbie question - do cross IdP trusts exist in SAML?
  - From: Krishna Ganugapati <kganugapati@gmail.com>
- RE: [saml-dev] SAML newbie question - do cross IdP trusts exist inSAML?
  - From: Thomas Hardjono <hardjono@MIT.EDU>