[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
Although Liberty didn't define a Kerberos specific context class, the piece parts were intended to support the first kerberos scenario described below The most relevant parts of the statement would be: 1) PrincipalAuthenticationMechanism = Password 2) Authenticator = SharedSecretDynamicPlaintext (SharedSecretDynamicPlaintext is defined as 'The local system and Authentication Authority share a secret key. The local system uses this to encrypt a randomised string to pass to the Authentication Authority' 3) AuthenticatorTransportProtocol = SSL Paul >-----Original Message----- >From: Linn, John [mailto:email@example.com] >Sent: Wednesday, April 14, 2004 7:30 AM >To: 'Scott Cantor'; 'Tim Alsop' >Cc: firstname.lastname@example.org >Subject: RE: [security-services] RE: AuthenticationMethod / >NameIdentifier and Kerberos authentication > > >I'll also agree with Scott and JohnK on this. As I see it, designating >Kerberos as the method in an assertion issued by a SAML IdP >appropriately >means that the IdP is issuing that assertion based on a >successful Kerberos >protocol transaction with the user's client. An alternative >where the IdP >receives the user's password and itself performs a Kerberos >exchange on the >user's behalf does involve Kerberos but doesn't constitute >Kerberos-based >authentication to the IdP in the same sense. It seems a reasonable >description for this to annotate a top-level password method >indicator with >an authentication context describing something like >"Kerberos-confirmed", >though. > >--jl > >-----Original Message----- >From: Scott Cantor [mailto:email@example.com] >Sent: Tuesday, April 13, 2004 10:24 PM >To: 'Tim Alsop' >Cc: firstname.lastname@example.org >Subject: RE: [security-services] RE: AuthenticationMethod / >NameIdentifier and Kerberos authentication > > >> Anyway, I think JohnK mentioned using an Auth Context instead >> of putting the Kerberos pre-auth in the AuthenticationMethod >> statement ? What was the concensus on this, or has it not >> been discussed in detail yet ? > >The latter. I think everyone agrees that it makes sense, but I >don't know >that Liberty has defined any specific classes or statements >that deal with >Kerberos. > >> Maybe if Kerberos has been used, but not in the way we prefer >> (client in workstation/browser) we could still represent this >> method as a Kerberos method, but put something meaningful >> into a Context statement that gives more details on how >> Kerberos was used to authenticate the user ? That is in >> addition to the pre-auth method ? Just a suggestion ... Comments ? > >Right. My criticism pertained to the old method. However, I >would be equally >opposed to lumping this model into a general Kerberos context >class. I think >it's closer to a "password" class with specific details >provided as to how >the server is checking the password for accuracy that mention Kerberos. > >-- Scott > > >To unsubscribe from this mailing list (and be removed from the >roster of the >OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/security-services/ members/leave _workgroup.php. To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave _workgroup.php.