security-services-comment message
Subject: RE: SAML attributes for Kerberos



[Resending to sstc comments list]


Thanks Russ.

In the model (of the Kerberos Web SSO spec), stopped short of assuming
that the IdP was back-ended (or collocated) with a full KDC (which
is your scenario I think).

(So, although an implementation could make the IdP into a KDC, the
minimal assumption is that the IdP was a service principal that could
consume/understand an AP_REQ message.
The preference though is to have the IdP be a KDC or be able to talk
privately with a KDC).

To answer your question, the attribute profile currently does not (as
yet) support the delivery of pieces of a Kerb message (e.g.
ticket/session-key pair).

However, Josh and I have been thinking of ways to allow the
back-end entities (IdP/KDC and the SP) to exchange secret keys and
tickets, etc. via SAML.
Perhaps including these pieces inside the SAML Kerb attribute message
would allow the attribute message to be used (over TLS/SSL) between
the IdP/KDC and the SP.

/thomas/


__________________________________________


> -----Original Message-----
> From: Russell J. Yount [mailto:rjy@cmu.edu]
> Sent: Wednesday, June 30, 2010 11:28 AM
> To: Thomas Hardjono; cantor.2@osu.edu; jhutz@cmu.edu
> Cc: 'Josh Howlett'; 'Russell J Yount'
> Subject: RE: SAML attributes for Kerberos
> 
> Thomas,
> 
> 	Currently the IDP talks with the KDC using standard Kerberos.
> The SP just requests a ticket for a given service and wants a response of
> the ticket and session key which we are then creating a ticket file on
> the SP file associated with the web session.
> 
> 	So in short we just want to transfer the ticket/session key
> pair over the already encrypted SSL between IDP and SP.
> 
> 
> -Russ
> 
> 
> 
> -----Original Message-----
> From: Thomas Hardjono [mailto:hardjono@MIT.EDU]
> Sent: Wednesday, June 30, 2010 11:05 AM
> To: cantor.2@osu.edu; jhutz@cmu.edu; 'Russell J. Yount'
> Cc: Josh Howlett (josh.howlett@gmail.com); Thomas Hardjono
> Subject: RE: SAML attributes for Kerberos
> 
> Thanks Scott -- and my apologies for not including the schema in
> the zip. (My bad).
> 
> 
> Jeff/Russell,
> 
> Did you want to send the complete AP_REQ message (from the client to
> the SP), or did you just want to send the ticket portion only?
> 
> cheers,
> 
> /thomas/
> 
> 
> > -----Original Message-----
> > From: Josh Howlett [mailto:josh.howlett@gmail.com]
> > Sent: Tuesday, June 29, 2010 2:16 PM
> > To: oasis sstc
> > Cc: Josh Howlett
> > Subject: Re: [security-services] Proposed Agenda for SSTC Call (29
> > June 2010)
> >
> > > The public review for Kerberos items closed with no comments
> > > received.
> > >
> > > Scott was looking at the Kerberos Attribute Profile, which had
> > > already gone through public review, and he found two issues.  First, he
> > > couldn't find a schema, as there was nothing accompanying the CD.
> > > If there is no schema, then this document can't proceed.
> > > Thomas will look for the schema.
> >
> > I've attached the schema. I was certain that I had done this on 
> > submission, but it appears not :-(
> >
> > > Secondly, Scott has deployers who want to implement this.  We're
> > > not sure what the use cases with the APREQ are, but the customer
> > > demand that Scott has is for passing actual Kerberos credentials in an
> > > attribute, and he doesn't know how that is best done.
> >
> > By "credential", do we mean "ticket"? If so, that's the point of
> > the AP_REQ message. The AP_REQ is the ticket + authenticator.
> >
> > josh.
> 
> 
> __________________________________________
> 
> 
> > -----Original Message-----
> > From: Scott Cantor [mailto:cantor.2@osu.edu]
> > Sent: Tuesday, June 29, 2010 1:08 PM
> > To: 'Jeffrey Hutzelman'; 'Russell J. Yount'
> > Cc: Thomas Hardjono
> > Subject: SAML attributes for Kerberos
> >
> > So, this document left PR a while ago:
> > http://www.oasis-open.org/apps/org/workgroup/security/download.php/36077
> >
> > (Thomas, I did find the schema for this, it just wasn't reuploaded
> > into Kavi with the CD, so it was buried.)
> >
> > I'm led to understand that CMU has a need to express Kerberos
> > credentials in some apparently "standard form", so could I suggest
> > that we try and move this forward to define this as an additional
> > MessageType?
> >
> > I can produce a Version 2.0 of this profile but I need a pointer
> > to the format that's intended to be used for the credentials.
> >
> > -- Scott
> >
> 