OASIS Mailing List Archives

security-services-comment message

Subject: RE: [security-services-comment] SAML V2.0 Kerberos AttributeProfile Version 1.0



Hi Srini,

These two docs are part of a larger scenario of using Kerberos for Web Browser SSO (which
is a work in progress in the OASIS SSTC). In that profile, the IdP and the SP are both
assumed to be Kerberos service principals (meaning that they can parse and understand
AP_REQ messages, possibly wrapped in the GSSAPI token format).
There is no assumption that all the entities are running on the same workstation.
In fact we've worked on the assumption that the solution must work in
the "worst case configuration" where the client, IdP and SP are located
in separate realms (i.e. the solution must support Web SSO in the open Internet).

One way that the SAML Attribute Authority (namely the IdP) gets the client's AP_REQ message is when
it asks the client principal to authenticate using HTTP-Negotiate (SPNEGO).
The HTTP-Negotiate challenge triggers the client principal to go and obtain a new service ticket
from the KDC. The client then presents the AP_REQ (containing the new service ticket and authenticator)
to the SAML Attribute Authority (namely the IdP). Since the IdP is a Kerberos service,
it is able to open up and consume that AP_REQ message, and verify the authenticator and service ticket.

Hope this helps.

Thanks.

/thomas/
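The exchange Thomas describes, as an added example that is not part of the original thread or of any OASIS deliverable: the IdP (acting as a Kerberos acceptor) answers an unauthenticated request with a 401 and "WWW-Authenticate: Negotiate", the browser returns "Authorization: Negotiate <base64>" carrying a GSS-API InitialContextToken (RFC 2743), the IdP unwraps the optional SPNEGO NegTokenInit (RFC 4178), checks the krb5 TOK_ID (RFC 4121) and extracts the DER AP-REQ it can later hand to the SAML requester. The AP-REQ bytes, the principal name and the `verify_ap_req` stub are constructed for the demo: a real IdP passes the AP-REQ to its Kerberos library with the service keytab loaded, which decrypts the ticket under the service key and checks the authenticator, clock skew and replay cache. Nothing here is an OASIS or Kerberos library API.

```python
import base64

# Well-known GSS-API mechanism OIDs as DER contents (without the 0x06 tag and length).
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2 (Kerberos V5)
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2 (SPNEGO)
# RFC 4121 TOK_ID values that follow the mech OID inside a krb5 GSS-API token.
KRB5_TOK_ID = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def read_tlv(buf, pos=0):
    """Decode one DER element (single-byte tags only); returns (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def initial_context_token(mech_oid, inner):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { mech OID, mechanism-specific inner token }."""
    return tlv(0x60, tlv(0x06, mech_oid) + inner)

def parse_initial_context_token(token):
    tag, body, end = read_tlv(token)
    if tag != 0x60 or end != len(token):
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid, pos = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    return oid, body[pos:]

def spnego_wrap(krb5_token):
    """Client side: NegTokenInit offering krb5 and carrying the krb5 token as the optimistic mechToken."""
    mech_types = tlv(0x30, tlv(0x06, KRB5_MECH_OID))
    neg_init = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, krb5_token)))
    return initial_context_token(SPNEGO_OID, tlv(0xA0, neg_init))  # negTokenInit is CHOICE [0]

def spnego_unwrap(inner):
    """Server side: pull the mechToken [2] OCTET STRING out of a NegTokenInit."""
    tag, neg_init, _ = read_tlv(inner)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit")
    tag, fields, _ = read_tlv(neg_init)
    if tag != 0x30:
        raise ValueError("malformed NegTokenInit")
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA2:
            octet_tag, mech_token, _ = read_tlv(value)
            if octet_tag != 0x04:
                raise ValueError("mechToken is not an OCTET STRING")
            return mech_token
    raise ValueError("NegTokenInit carries no mechToken")

def client_authorization_header(ap_req, use_spnego=True):
    """Browser side: AP-REQ -> krb5 GSS token (TOK_ID 01 00) -> optional SPNEGO wrap -> header value."""
    krb5_token = initial_context_token(KRB5_MECH_OID, b"\x01\x00" + ap_req)
    token = spnego_wrap(krb5_token) if use_spnego else krb5_token
    return "Negotiate " + base64.b64encode(token).decode("ascii")

# Constructed stand-in: AP-REQ is [APPLICATION 14] (tag 0x6E); the body is not a real ticket.
DEMO_AP_REQ = tlv(0x6E, b"constructed AP-REQ body, not a real ticket")

def verify_ap_req(ap_req):
    """Stub for the Kerberos library call that checks the ticket and authenticator (see lead-in)."""
    tag, _, end = read_tlv(ap_req)
    if tag != 0x6E or end != len(ap_req):
        raise ValueError("not an AP-REQ")
    if ap_req != DEMO_AP_REQ:
        raise ValueError("ticket verification failed (stub only accepts the constructed demo AP-REQ)")
    return "alice@EXAMPLE.COM"  # constructed client principal for the demo

def idp_handle_request(headers):
    """One round of HTTP Negotiate from the IdP (Kerberos acceptor) side."""
    challenge = {"WWW-Authenticate": "Negotiate"}
    auth = headers.get("Authorization")
    if auth is None:
        # No credentials yet: this challenge is what makes the browser fetch a service
        # ticket for the IdP's SPN from the KDC and come back with an AP-REQ.
        return {"status": 401, "headers": challenge}
    scheme, _, b64 = auth.partition(" ")
    if scheme != "Negotiate":
        return {"status": 401, "headers": challenge, "reason": "unsupported scheme"}
    mech, inner = parse_initial_context_token(base64.b64decode(b64))
    if mech == SPNEGO_OID:
        mech, inner = parse_initial_context_token(spnego_unwrap(inner))
    if mech != KRB5_MECH_OID:
        return {"status": 401, "headers": challenge, "reason": "mechanism is not krb5"}
    if KRB5_TOK_ID.get(inner[:2]) != "KRB_AP_REQ":
        return {"status": 400, "reason": "expected KRB_AP_REQ"}
    ap_req = inner[2:]
    # The verified AP-REQ is the message the attribute profile lets the IdP hand to the SAML requester.
    return {"status": 200, "client_principal": verify_ap_req(ap_req), "ap_req": ap_req}

if __name__ == "__main__":
    print(idp_handle_request({}))
    print(idp_handle_request({"Authorization": client_authorization_header(DEMO_AP_REQ)}))
```

A production acceptor must also bind the AP-REQ to the TLS session or at least enforce the authenticator timestamp window and replay cache, since the browser presents the same GSS token to whichever server answered the challenge; the stub above deliberately does none of that.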

________________________________________
From: Srinivas Cheruku [srinivas.cheruku@gmail.com]
Sent: Friday, January 29, 2010 4:50 AM
To: security-services-comment@lists.oasis-open.org
Subject: [security-services-comment] SAML V2.0 Kerberos Attribute Profile Version 1.0

Hi,

I have a comment/query on SAML V2.0 Kerberos Attribute Profile Version 1.0

From 2.7 Examples section:

The SAML requester sends a request containing the user principal and service principal name to the SAML attribute authority asking for a Kerberos AP-REQ message. How would the SAML attribute authority get the TGT of the user principal and also the service ticket to construct the Kerberos AP-REQ that can be returned to the SAML requester?

Will the SAML attribute authority and SAML requester run on the same workstation which the user is using, so that it can get hold of the user's credentials?
I am new to SAML and would appreciate it if anyone can let me know what the SAML requester and SAML attribute authority typically are.

Thanks,
Srini

