[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in SAML?
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Monday, May 10, 2010 11:15 AM
> To: Thomas Hardjono; 'Krishna Ganugapati'; saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in SAML?
>
> > TH: Yes this looks like a direct mapping of cross-realm TGTs concept with
> > the IdP1/IdP2 scenario. I think the relationship between an IdP and an SP
> > is far more "richer" in contextual information compared to the KDC-to-KDC
> > trust as defined in RFC4120. As Scott mentions, this also looks like
> > proxying, which means it could make use of the S4U extensions of Kerberos.
>
> Proxying in Kerberos is very different from IdP proxying in SAML. We're not
> talking about impersonation of users, but relaying requests between IdPs to
> isolate trust relationships.

Yes, agree. In Kerberos there is the notion of proxy-as-self (impersonation), where I could get another entity to request services on my behalf. I believe this was designed to overcome some delegation-related hurdles. I'm not sure if impersonation would be acceptable for SPs and IdPs (especially for value transactions).

/thomas/
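To make Scott's point about "relaying requests between IdPs to isolate trust relationships" concrete, here is an added illustration (not code from the thread, the OASIS list or any SAML implementation) of the IdP1 / IdP2-proxy / SP chain. It is a deliberately simplified model: JSON claims with an HMAC stand in for a SAML assertion and its XML signature, the key names and trust stores are constructed, and the `authenticating_authority` field plays the role of SAML 2.0's AuthenticatingAuthority element. The security property it shows is that the SP's trust store contains only the proxy's key, so an assertion signed directly by IdP1 is rejected at the SP and the proxy is the single place where the upstream trust is evaluated; the proxy re-issues the assertion under its own key rather than impersonating the user to IdP1.

```python
import hashlib
import hmac
import json

# Constructed signing keys for the two issuers (stand-ins for real signing certificates).
# An HMAC over a canonical JSON body stands in for an XML-DSig signature on a SAML assertion.
KEYS = {
    "idp1": b"constructed-idp1-key",
    "idp2-proxy": b"constructed-proxy-key",
}

# Each relying party keeps its own trust store: the only issuers whose
# assertions it will accept. The SP trusts the proxy alone; the proxy trusts IdP1.
TRUST = {
    "idp2-proxy": {"idp1": KEYS["idp1"]},
    "sp": {"idp2-proxy": KEYS["idp2-proxy"]},
}


def issue(issuer, claims):
    """Sign a set of claims as `issuer`; mimics an IdP producing a SAML assertion."""
    body = json.dumps({"issuer": issuer, **claims}, sort_keys=True)
    sig = hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def consume(assertion, party):
    """Verify an assertion against `party`'s trust store and audience; None if rejected."""
    claims = json.loads(assertion["body"])
    key = TRUST[party].get(claims.get("issuer"))
    if key is None:
        return None  # issuer is not in this party's trust store
    expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # signature invalid or body tampered with
    if claims.get("audience") != party:
        return None  # assertion was addressed to someone else
    return claims


def idp1_authenticate(subject):
    """IdP1 authenticates the user and issues an assertion addressed to the proxy."""
    return issue("idp1", {"subject": subject, "audience": "idp2-proxy"})


def proxy_relay(upstream_assertion):
    """IdP2 validates the upstream assertion, then re-issues it under its own key for the SP.

    The proxy records which upstream authority actually authenticated the user,
    as SAML's AuthenticatingAuthority element does, instead of impersonating anyone.
    """
    claims = consume(upstream_assertion, "idp2-proxy")
    if claims is None:
        return None
    return issue("idp2-proxy", {
        "subject": claims["subject"],
        "audience": "sp",
        "authenticating_authority": claims["issuer"],
    })


def sp_login(assertion):
    """The SP accepts only what the proxy signed; returns the subject or None."""
    claims = consume(assertion, "sp")
    return None if claims is None else claims["subject"]


if __name__ == "__main__":
    relayed = proxy_relay(idp1_authenticate("alice"))
    print("via proxy:", sp_login(relayed))                 # alice
    print("direct from IdP1:", sp_login(idp1_authenticate("alice")))  # None: SP does not trust IdP1
```

The SP never needs IdP1's key or metadata; adding or removing an upstream IdP changes only the proxy's trust store. The audience check matters as much as the signature check: without it, the SP would happily accept an assertion that IdP1 addressed to the proxy, if it ever trusted IdP1's key.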