OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier andKerberos authentication

> I think the problem here is that I am considering the bigger 
> picture outside of the browser WebSSO profile and you are 
> considering the specifics of the WebSSO profile and how this 
> might, or might not reference Kerberos authentication. Is 
> this roughly correct ? 

Yes, I'm at least saying that the context of use matters. I wasn't making a
blanket statement.

> If so, I can now see that in the context of the WebSSO 
> profile in SAML 2.0 having a Kerberos client on a web server 
> to validate userid/password could be considered as the same 
> as any other password validation method installed on the web 
> server and I guess this is your point - hence you are 
> suggesting if this is the case the assertion should not use 
> the Kerberos AuthMethod name format, but some other 
> representation of the principal ? If so, what are you 
> suggesting is used instead ?

No, I'm not saying anything about how to represent the principal's name.
That's totally orthogonal to this issue. The Kerberos name format has
nothing to do with how the principal has authenticated at a given point in
time, I'm sorry if that's been misunderstood. We have never said anything
about requiring specific forms of authentication in order to "allow" the use
of a given Format.

I'm talking only about the AuthenticationMethod defined in SAML 1.1 that
says urn:ietf:rfc:1510 or whatever it was.

To use another example, we have a Format for X.500 names, but nobody ever
said that to use it you have to authenticate with X.509 certs or an LDAP
bind. Or even stretching further, DCE cells can be named globally, and you
could argue that a DCE principal in such a cell could be named either in
Kerberos format or in X.500 format, as required in an application.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]