Subject: RE: SAML attributes for Kerberos
[Resending to sstc comments list]

Thanks Russ. In the model (of the Kerberos Web SSO spec), I stopped short of assuming that the IdP was back-ended (or collocated) with a full KDC (which is your scenario, I think). (So, although an implementation could make the IdP into a KDC, the minimal assumption is that the IdP was a service principal that could consume/understand an AP_REQ message. The preference, though, is to have the IdP be a KDC or be able to talk privately with a KDC.)

To answer your question, the attribute profile currently does not (as yet) support the delivery of pieces of a Kerb message (e.g. ticket/session-key pair). However, Josh and I have been thinking of ways to allow the back-end entities (IdP/KDC and the SP) to exchange secret keys and tickets, etc. via SAML. Perhaps including these pieces inside the SAML Kerb attribute message would allow the attribute message to be used (over TLS/SSL) between the IdP/KDC and the SP.

/thomas/

__________________________________________

> -----Original Message-----
> From: Russell J. Yount [mailto:rjy@cmu.edu]
> Sent: Wednesday, June 30, 2010 11:28 AM
> To: Thomas Hardjono; cantor.2@osu.edu; jhutz@cmu.edu
> Cc: 'Josh Howlett'; 'Russell J Yount'
> Subject: RE: SAML attributes for Kerberos
>
> Thomas,
>
> Currently the IDP talks with the KDC using standard Kerberos. The SP
> just requests a ticket for a given service and wants a response of the
> ticket and session key which we are then creating a ticket file on the
> SP file associated with the web session.
>
> So in short we just want to transfer the ticket/session key pair over
> the already encrypted SSL between IDP and SP.
>
>
> -Russ
>
>
>
> -----Original Message-----
> From: Thomas Hardjono [mailto:hardjono@MIT.EDU]
> Sent: Wednesday, June 30, 2010 11:05 AM
> To: cantor.2@osu.edu; jhutz@cmu.edu; 'Russell J. Yount'
> Cc: Josh Howlett (josh.howlett@gmail.com); Thomas Hardjono
> Subject: RE: SAML attributes for Kerberos
>
> Thanks Scott -- and my apologies for not including the schema in
> the zip. (My bad).
>
>
> Jeff/Russell,
>
> Did you want to send the complete AP_REQ message (from the client to
> the SP), or did you just want to send the ticket portion only?
>
> cheers,
>
> /thomas/
>
>
>
> > -----Original Message-----
> > From: Josh Howlett [mailto:josh.howlett@gmail.com]
> > Sent: Tuesday, June 29, 2010 2:16 PM
> > To: oasis sstc
> > Cc: Josh Howlett
> > Subject: Re: [security-services] Proposed Agenda for SSTC Call (29 June
> > 2010)
> >
> > > The public review for Kerberos items closed with no comments
> > > received.
> > >
> > > Scott was looking at the Kerberos Attribute Profile, which had
> > > already gone through public review, and he found two issues. First, he
> > > couldn't find a schema, as there was nothing accompanying the CD.
> > > If there is no schema, then this document can't proceed.
> > > Thomas will look for the schema.
> >
> > I've attached the schema. I was certain that I had done this on
> > submission, but it appears not :-(
> >
> > > Secondly, Scott has deployers who want to implement this. We're not
> > > sure what the use cases with the APREQ are, but the customer demand
> > > that Scott has is for passing actual Kerberos credentials in an
> > > attribute, and he doesn't know how that is best done.
> >
> > By "credential", do we mean "ticket"? If so, that's the point of the
> > AP_REQ message. The AP_REQ is the ticket + authenticator.
> >
> > josh.
> >
> > __________________________________________
> >
> > -----Original Message-----
> > From: Scott Cantor [mailto:cantor.2@osu.edu]
> > Sent: Tuesday, June 29, 2010 1:08 PM
> > To: 'Jeffrey Hutzelman'; 'Russell J. Yount'
> > Cc: Thomas Hardjono
> > Subject: SAML attributes for Kerberos
> >
> > So, this document left PR a while ago:
> > http://www.oasis-open.org/apps/org/workgroup/security/download.php/36077
> >
> > (Thomas, I did find the schema for this, it just wasn't reuploaded into
> > Kavi with the CD, so it was buried.)
> >
> > I'm led to understand that CMU has a need to express Kerberos
> > credentials in some apparently "standard form", so could I suggest that
> > we try and move this forward to define this as an additional
> > MessageType?
> >
> > I can produce a Version 2.0 of this profile but I need a pointer to the
> > format that's intended to be used for the credentials.
> >
> > -- Scott
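The thread turns on whether the attribute carries a complete AP_REQ (ticket + authenticator) or only the ticket, and whether the SP also gets a session key it can use. The example below is added here and is not code from the thread, the SAML profile or any of the projects mentioned; it assumes the attribute value is a base64-encoded DER Kerberos message (the profile's real encoding is not stated on this page) and shows how an SP could tell the message kinds apart from the outer DER APPLICATION tag before trusting the payload. The DER skeletons used as samples are constructed and carry only the fields the classifier reads.

```python
import base64

# Outer DER tag of each Kerberos message type (RFC 4120): [APPLICATION n] = 0x60 | n
KRB_APP_TAGS = {0x61: "Ticket", 0x6E: "AP-REQ", 0x6F: "AP-REP", 0x76: "KRB-CRED"}

def der_tlv(data: bytes, pos: int = 0):
    """Read one DER TLV (single-byte tag) at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_encode(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder for short (<128 byte) bodies; builds the samples below."""
    return bytes([tag, len(body)]) + body

def classify_kerberos_blob(b64: str) -> dict:
    """Identify which Kerberos message a base64 attribute value carries and check its
    version. A bare Ticket gives the SP no session key; KRB-CRED ships ticket + key."""
    raw = base64.b64decode(b64)
    tag, body, end = der_tlv(raw)
    if end != len(raw):
        raise ValueError("trailing bytes after Kerberos message")
    kind = KRB_APP_TAGS.get(tag)
    if kind is None:
        raise ValueError(f"not a recognised Kerberos APPLICATION tag: 0x{tag:02x}")
    seq_tag, seq, _ = der_tlv(body)
    if seq_tag != 0x30:
        raise ValueError("expected SEQUENCE inside APPLICATION tag")
    t0, v0, p = der_tlv(seq)               # [0] pvno (tkt-vno for a Ticket)
    pvno = int.from_bytes(der_tlv(v0)[1], "big")
    if t0 != 0xA0 or pvno != 5:
        raise ValueError("unsupported Kerberos version")
    info = {"kind": kind, "pvno": pvno, "carries_session_key": kind == "KRB-CRED"}
    if kind != "Ticket":                   # every other message has [1] msg-type
        info["msg_type"] = int.from_bytes(der_tlv(der_tlv(seq, p)[1])[1], "big")
    return info

def sample_messages() -> dict:
    """Constructed DER skeletons (not real credentials), base64-encoded like an attribute value."""
    ctx = lambda n, body: der_encode(0xA0 | n, body)      # [n] EXPLICIT context tag
    integer = lambda v: der_encode(0x02, bytes([v]))
    ticket = der_encode(0x61, der_encode(0x30, ctx(0, integer(5))
                        + ctx(1, der_encode(0x1B, b"EXAMPLE.COM"))))
    ap_req = der_encode(0x6E, der_encode(0x30, ctx(0, integer(5))
                        + ctx(1, integer(14)) + ctx(3, ticket)))
    return {k: base64.b64encode(v).decode() for k, v in
            {"ticket": ticket, "ap_req": ap_req}.items()}
```

For a bare Ticket the SP still has to obtain the session key separately (over the same TLS channel, as Russ proposes), which is the gap the thread is discussing.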