security-services message
Subject: AuthenticationMethod / NameIdentifier and Kerberos authentication
- From: Tim Alsop <Tim.Alsop@CyberSafe.Ltd.UK>
- To: Scott Cantor <cantor.2@osu.edu>
- Date: Mon, 12 Apr 2004 12:39:31 +0100
Scott,

I noticed you had an AI from last F2F regarding representing Kerberos principals in an assertion.

So far we have been assuming that the AuthenticationMethod should be:

URI: urn:ietf:rfc:1510

It appears to me that we could add the pre-auth data type onto this to become:

URI: urn:ietf:rfc:1510:padata-type:<n>

<n> is the preauthentication datatype as specified in the IETF draft or RFC specific to the authentication type.

However, if we have multiple NameIdentifiers, maybe we want to represent the Format for each principal that was authenticated to give uniqueness - see below:

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos:padata-type:<n>

<n> is the preauthentication datatype as specified in the IETF draft or RFC specific to the authentication type.

What do you think?

Once we are in agreement as to what is needed I can write some normative text for inclusion on the specs.

We also need to consider adding text to the authnrequest description so that a Kerberos initial ticket (tgt) lifetime can be carried over into the lifetime of the assertion.

Thanks, Tim.
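Added illustration, not part of the message or of any SAML or Kerberos specification: a small Python builder and parser for the two URI forms proposed above, plus one assumed reading of the last paragraph (the assertion's NotOnOrAfter is capped at the TGT end time so an assertion never outlives the ticket it was derived from). The prefixes are copied from the message; all function names, the strictness of the padata-type check and the lifetime rule are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# URI prefixes as proposed in the message above.
KRB_AUTHN_METHOD = "urn:ietf:rfc:1510"
KRB_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"

# Assumed rule for this example: the padata-type is a decimal integer with no
# sign and no leading zeros, so a malformed or negative value is rejected
# instead of being copied into an assertion. Whether the number is actually
# registered in the Kerberos PA-DATA registry is not checked here.
_PADATA_RE = re.compile(r"^(?P<base>.+?):padata-type:(?P<n>0|[1-9][0-9]*)$")


def _check_padata_type(padata_type: int) -> None:
    if isinstance(padata_type, bool) or not isinstance(padata_type, int) or padata_type < 0:
        raise ValueError("padata-type must be a non-negative integer")


def authn_method_uri(padata_type: int) -> str:
    """AuthenticationMethod URI with the pre-auth data type appended."""
    _check_padata_type(padata_type)
    return f"{KRB_AUTHN_METHOD}:padata-type:{padata_type}"


def nameid_format_uri(padata_type: int) -> str:
    """Per-principal NameIdentifier Format URI carrying the pre-auth type."""
    _check_padata_type(padata_type)
    return f"{KRB_NAMEID_FORMAT}:padata-type:{padata_type}"


def parse_padata_uri(uri: str) -> tuple:
    """Split either URI form into (base URI, padata-type).

    Raises ValueError for any base other than the two proposed above or for a
    padata-type that is not a plain non-negative decimal integer."""
    m = _PADATA_RE.match(uri)
    if not m or m.group("base") not in (KRB_AUTHN_METHOD, KRB_NAMEID_FORMAT):
        raise ValueError(f"not a Kerberos padata-type URI: {uri!r}")
    return m.group("base"), int(m.group("n"))


def assertion_not_on_or_after(now: datetime, requested_lifetime: timedelta,
                              tgt_endtime: datetime) -> datetime:
    """Assumed reading of the TGT lifetime paragraph: the assertion expires at
    the requested lifetime or at the ticket's end time, whichever comes first."""
    return min(now + requested_lifetime, tgt_endtime)
```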