[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: AuthenticationMethod / NameIdentifier and Kerberos authentica tion
> Tim> a real kerberos client is needed to authetnicate the > user on either workstation, browser, webserver, or somewhere > else. The reference in SAML doc only needs to show how how > the principal name from an already authenticated user or > application can be used to create an assertion and what the > assertion content looks like. Do you agree ? I don't think so. At least within the context of the browser profile, what I'm saying is that using :1510 when the browser is giving the password to the server is disingenuous. I think that's been discussed. It seems like the point of the authn assertion and the method/context has to factor in how the credentials get validated and that has to take into account the user/client interaction. So, no, I don't think it's useful to say that a server that gets a password over HTTP and then gets a TGT should be free to say :1510 instead of :password or :passwordOverTLS or whatever. If that's what happens, I can't imagine attaching much importance to that information. > Tim> It is not the ticket that has principal@realm, since the > Kerberos ticket is just encrypted data that is used to > determine the identity (ie. principal name) of the initiator. I meant colloquially, people tend to say "it's in the ticket", meaning the credentials that you give to the server. My point is that how you preauthenticate to get the TGT has nothing to do with how your principal identity would be expressed. Is it even the case that your credentials at a service can be used to determine how you pre-authenticated? I didn't think that was carried along, but maybe I'm wrong. > Tim> does this mean you are proposing a nameid format called > 1510 instead of 'kerberos' as I indicated above ? Of course I > can see your point about not wanting to use padata-type for > NameID and I am happy with that, just wanted to know about > the kerberos/1510 reference in NameID format. No, I used kerberos, not 1510. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]