saml-dev message



Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist inSAML?




> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Monday, May 10, 2010 11:15 AM
> To: Thomas Hardjono; 'Krishna Ganugapati'; saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in SAML?
> 
> > TH: Yes this looks like a direct mapping of cross-realm TGTs concept with
> > the IdP1/IdP2 scenario.  I think the relationship between an IdP and an SP
> > is far more "richer" in contextual information compared to the KDC-to-KDC
> > trust as defined in RFC4120. As Scott mentions, this also looks like
> > proxying, which means it could make use of the S4U extensions of Kerberos.
> 
> Proxying in Kerberos is very different from IdP proxying in SAML. We're not
> talking about impersonation of users, but relaying requests between IdPs to
> isolate trust relationships.

Yes, agree. In Kerberos there is the notion of proxy-as-self (impersonation), where I could get another entity to request services on my behalf. I believe this was designed to overcome some delegation-related hurdles. I'm not sure if impersonation would be acceptable for SPs and IdPs (especially for value transactions).

/thomas/
