Subject: Fwd: SAML attributes for Kerberos
Forwarding to the list, because I wasn't subscribed when I initially sent this...

Begin forwarded message:

> From: Josh Howlett <josh.howlett@gmail.com>
> Date: 30 June 2010 21:50:50 BST
> To: "Thomas Hardjono" <ietf@hardjono.net>
> Cc: Josh Howlett <josh.howlett@gmail.com>, <security-services-comment@lists.oasis-open.org>, "Russell J. Yount" <rjy@cmu.edu>, <cantor.2@osu.edu>, <jhutz@cmu.edu>, "Thomas Hardjono" <hardjono@mit.edu>
> Subject: Re: SAML attributes for Kerberos
>
> On 30 Jun 2010, at 20:06, Thomas Hardjono wrote:
>> To answer your question, the attribute profile currently does not (as yet) support the delivery of pieces of a Kerb message (e.g. ticket/session-key pair).
>
> /If/ I've understood the use-case correctly (n-tier, SP wanting access to a Kerberised service), I believe that we can address this in three ways. The first two are fairly obvious:
>
> (1) create a new MessageType in the attribute schema for this payload.
> (2) define a schema extension point to permit (1) as an extension.
>
> (These are semantically equivalent.)
>
> (3) use the Kerberos S4U mechanisms, where the IdP obtains a ticket from the KDC on behalf of the SP. The SP uses the already-defined Kerberos Attribute Profile facilities to request the ticket from the IdP.
>
> On the basis of the information available to me, (3) is my suggested approach.
>
> josh.