
security-services-comment message



Subject: RE: [security-services-comment] Fwd: SAML attributes for Kerberos


> > (3) use the Kerberos S4U mechanisms, where the IdP obtains a ticket
> > from the KDC on behalf of the SP. The SP uses the already-defined
> > Kerberos Attribute Profile facilities to request the ticket from the
> > IdP.
> >
> > On the basis of the information available to me, (3) is my suggested
> > approach.

The specific case we have in mind, I think, is one where the user's password
will be available to the IdP so that a TGT can be obtained without S4U.

The question at hand seems to be what needs to be in the assertion, and I'll
let CMU address why they believe the AP_REQ isn't the right thing to
transmit.

-- Scott



