
security-services message



Subject: AuthenticationMethod / NameIdentifier and Kerberos authentication


Scott,
 
I noticed you had an AI from last F2F regarding representing Kerberos principals in an assertion.
 
So far we have been assuming that the AuthenticationMethod should be:
 
URI: urn:ietf:rfc:1510
 
It appears to me that we could add the pre-auth data type onto this to become:
 
URI: urn:ietf:rfc:1510:padata-type:<n>
<n> is the preauthentication data type as specified in the IETF draft or RFC specific to the authentication type
 
However, if we have multiple NameIdentifiers, maybe we want to represent the Format for each principal that was authenticated to give uniqueness; see below:
 
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos:padata-type:<n>
<n> is the preauthentication data type as specified in the IETF draft or RFC specific to the authentication type
 
What do you think?
 
Once we are in agreement as to what is needed, I can write some normative text for inclusion in the specs.
 
We also need to consider adding text to the authnrequest description so that a Kerberos initial ticket (tgt) lifetime can be carried over into the lifetime of the assertion.
 
Thanks, Tim.
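The URI shapes proposed in the message above, as an added worked example; this is not part of Tim's message and not text from any OASIS specification. It is written in Python, wraps the two proposed URIs in a minimal SAML 1.1 Assertion (an assumption; the message does not say which assertion version it targets), takes the padata-type numbers from the Kerberos pre-authentication registry in RFC 4120 section 7.5.2 (RFC 1510's successor, same numbering), and clamps the assertion's NotOnOrAfter to the TGT end time as the last paragraph asks. The helper names, the 8-hour default lifetime, the timestamps and the principal tim@EXAMPLE.COM are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed subset of the padata-type registry (RFC 4120 section 7.5.2).
# The numbers are registry values; the URI shapes below are the proposal in
# the message, not adopted normative SAML text.
PADATA_TYPES = {
    1: "PA-TGS-REQ",
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    11: "PA-ETYPE-INFO",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
}

AUTHN_METHOD_BASE = "urn:ietf:rfc:1510"
NAMEID_FORMAT_BASE = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
PADATA_RE = re.compile(r"^(?P<base>.+?):padata-type:(?P<n>\d+)$")
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"


def kerberos_authn_method(padata_type=None):
    """AuthenticationMethod URI, optionally qualified by the padata-type used."""
    if padata_type is None:
        return AUTHN_METHOD_BASE
    if padata_type not in PADATA_TYPES:
        raise ValueError(f"unknown padata-type {padata_type}")
    return f"{AUTHN_METHOD_BASE}:padata-type:{padata_type}"


def kerberos_nameid_format(padata_type):
    """NameIdentifier Format URI carrying the same padata-type qualifier."""
    if padata_type not in PADATA_TYPES:
        raise ValueError(f"unknown padata-type {padata_type}")
    return f"{NAMEID_FORMAT_BASE}:padata-type:{padata_type}"


def parse_padata_uri(uri):
    """Split a URI into (base, padata_type); padata_type is None if unqualified."""
    m = PADATA_RE.match(uri)
    if not m:
        return uri, None
    return m.group("base"), int(m.group("n"))


def build_assertion(principal, realm, padata_type, issue_instant, tgt_endtime,
                    default_lifetime=timedelta(hours=8)):
    """Minimal SAML 1.1 Assertion whose validity never outlives the TGT."""
    not_on_or_after = min(issue_instant + default_lifetime, tgt_endtime)
    if not_on_or_after <= issue_instant:
        raise ValueError("TGT already expired; refusing to issue an assertion")
    ET.register_namespace("saml", SAML1_NS)
    a = ET.Element(f"{{{SAML1_NS}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "IssueInstant": issue_instant.strftime(TS),
    })
    ET.SubElement(a, f"{{{SAML1_NS}}}Conditions", {
        "NotBefore": issue_instant.strftime(TS),
        "NotOnOrAfter": not_on_or_after.strftime(TS),
    })
    # In SAML 1.x the Subject sits inside the statement, not the Assertion.
    stmt = ET.SubElement(a, f"{{{SAML1_NS}}}AuthenticationStatement", {
        "AuthenticationMethod": kerberos_authn_method(padata_type),
        "AuthenticationInstant": issue_instant.strftime(TS),
    })
    subj = ET.SubElement(stmt, f"{{{SAML1_NS}}}Subject")
    nid = ET.SubElement(subj, f"{{{SAML1_NS}}}NameIdentifier", {
        "Format": kerberos_nameid_format(padata_type),
    })
    nid.text = f"{principal}@{realm}"
    return ET.tostring(a, encoding="unicode")


def check_assertion(xml_text):
    """Parse an assertion back; return (padata_type, name, not_on_or_after).

    Rejects assertions whose AuthenticationMethod and NameIdentifier Format
    disagree on the padata-type, which the two proposed URIs make checkable.
    """
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML1_NS}
    stmt = root.find("saml:AuthenticationStatement", ns)
    _, n_method = parse_padata_uri(stmt.get("AuthenticationMethod"))
    nid = stmt.find("saml:Subject/saml:NameIdentifier", ns)
    _, n_format = parse_padata_uri(nid.get("Format"))
    if n_method != n_format:
        raise ValueError("padata-type on method and name format disagree")
    expiry = datetime.strptime(root.find("saml:Conditions", ns).get("NotOnOrAfter"), TS)
    return n_method, nid.text, expiry.replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    issued = datetime(2004, 1, 15, 10, 0, tzinfo=timezone.utc)   # constructed
    tgt_end = datetime(2004, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed
    xml = build_assertion("tim", "EXAMPLE.COM", 2, issued, tgt_end)
    print(xml)
    print(check_assertion(xml))
```

The round trip shows the practical benefit of qualifying both URIs with the same `padata-type`: a relying party can check that the authentication method and the principal format agree, and the `Conditions` element inherits the TGT end time rather than a fixed issuer default, so the assertion cannot claim a Kerberos-backed identity past the point where the ticket itself would have expired.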
 

