Subject: delegation/intermediaries solution bullets
In lieu of an actual writeup, let me toss out my (and Scott's) intentions for solution proposals for the delegation/intermediaries item.

One approach is to profile the simple passing along of a browser-profile SSO assertion by an intermediate to a backend. In many cases this will be sufficient based on the trust relationship between the two. The main change required to make this work well is a change that I think has been suggested for other reasons: to make the interpretation of freshness of the SSO assertion be based not on validity period (i.e., NotBefore and NotOnOrAfter conditions) but on IssueInstant and the relying party's acceptable time limits after that.

There is probably the need to additionally profile the use of the passed-along assertion based on the nature of the communication from the intermediate to the backend: one flavor for the case where the backend is itself protected by the SAML browser profile; another for SOAP, which presumably means using the WSS SAML token profile (though some might argue against adding a dependency on WSS).

The other approach is to provide the ability for the intermediate to obtain a distinct delegation token, specifically a Kerberos service ticket, for the case when the intermediate-backend communication is done via a kerberized application protocol. The proposal will suggest extending the Authentication Authority and SAML protocol to support requesting and returning this token in addition to an authentication statement. This is intended to be consistent with the Kerberos-based solution proposal from John Hughes. It should be easily extensible to support other kinds of delegation tokens.

- RL "Bob"
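The freshness change proposed in the first approach, shown side by side with the validity-period rule it would replace, as an added example that is not part of the post or of any SAML implementation. The assertion below is constructed for the example; the element and attribute names follow the SAML assertion schema (IssueInstant on the Assertion, NotBefore/NotOnOrAfter on Conditions) and the SAML 2.0 namespace is assumed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: issued at 12:00 with a 5-minute validity window.
# By the time an intermediate forwards it to a backend, 'now' may well
# be past NotOnOrAfter even though the original login is still recent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fresh_by_validity_period(assertion_xml, now):
    """Current rule: 'now' must fall inside [NotBefore, NotOnOrAfter),
    a window fixed by the issuer regardless of who is consuming the assertion."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    return not_before <= now < not_on_or_after


def fresh_by_issue_instant(assertion_xml, now, max_age_seconds, clock_skew_seconds=30):
    """Proposed rule: the relying party (here, the backend receiving the
    passed-along assertion) accepts it if IssueInstant is no more than its
    own max_age_seconds in the past, tolerating clock skew with the issuer."""
    root = ET.fromstring(assertion_xml)
    issued = parse_saml_time(root.get("IssueInstant"))
    skew = timedelta(seconds=clock_skew_seconds)
    # Reject assertions that claim to be issued in the future (beyond skew).
    if issued - skew > now:
        return False
    return now - issued <= timedelta(seconds=max_age_seconds) + skew


if __name__ == "__main__":
    # Ten minutes after issuance: fails the fixed window, passes a 15-minute RP limit.
    later = parse_saml_time("2024-01-01T12:10:00Z")
    print("validity period:", fresh_by_validity_period(SAMPLE_ASSERTION, later))
    print("issue instant:  ", fresh_by_issue_instant(SAMPLE_ASSERTION, later, 900))
```

Each relying party in the chain applies its own limit, so a backend with a tighter policy than the intermediate can still reject an assertion the intermediate accepted.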