Subject: Re: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
ext Paul Madsen wrote:

> Hi John, I assume you mean adding this attribute to the
> PrincipalAuthenticationMechanism in core schema and then using it in a
> KerberosProtectedTransport class?

Well, the reason I was asking about whether this is specific to Krb is to figure out whether it should be added to the class schema, rather than the main schema. I was thinking that one way to make this work would be to define a base type (SharedSecretChallengeResponseType) that would be extended by KerberosChallengeResponseType to add the pre-auth attribute.

> As a complication, while a Principal may use password or smart-card or
> PKINIT to authenticate to the KDC, from the point of view of the SAML
> authority that the principal uses a ticket to authenticate to, the
> authentication mechanism would be SharedSecretChallengeResponse.

Yes, I think I used SharedSecretDynamicPlaintext originally, but it should be SharedSecretChallengeResponse...

> Does Kerberos itself allow the KDC to advertise which of the supported
> authentication mechanisms was used so that the SAML authority could create an
> appropriate context statement?

Well, so it sounds like this is more of a problem of the pre-auth being transmitted to the SAML authority in the first place. So, we can provide something in the authentication context to hold this information, but the SAML authority won't necessarily know the information to state that some method of pre-auth was used.
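The type derivation sketched in the reply above (a base SharedSecretChallengeResponseType extended by a KerberosChallengeResponseType that carries the pre-auth attribute), written out as an illustrative XML Schema fragment. This is an added example, not the SAML authentication context schema or anything from the list thread; the two type names come from the message, while the attribute name `preAuthentication`, the enumeration values, and the `urn:example:authn-context` namespace are assumptions chosen for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative schema fragment (added example, not the SAML spec schema).
     Type names follow the message; "preAuthentication", its values and the
     target namespace are placeholders chosen for this example. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ex="urn:example:authn-context"
           targetNamespace="urn:example:authn-context"
           elementFormDefault="qualified">

  <!-- Base type: what the SAML authority can actually vouch for.
       It sees a Kerberos ticket, i.e. a shared-secret challenge/response,
       not how the principal first authenticated to the KDC. -->
  <xs:complexType name="SharedSecretChallengeResponseType">
    <xs:sequence>
      <!-- Extension point so class schemas can add their own elements. -->
      <xs:any namespace="##other" processContents="lax"
              minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <!-- Kerberos-specific derivation (belongs in the Kerberos class schema,
       not the core schema). It adds one OPTIONAL attribute so the
       pre-authentication method is recorded only when the authority
       really knows it; an authority that only saw the ticket omits it. -->
  <xs:complexType name="KerberosChallengeResponseType">
    <xs:complexContent>
      <xs:extension base="ex:SharedSecretChallengeResponseType">
        <xs:attribute name="preAuthentication" use="optional">
          <xs:simpleType>
            <!-- The three KDC mechanisms named in the thread. -->
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="password"/>
              <xs:enumeration value="smartcard"/>
              <xs:enumeration value="PKINIT"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- Elements an authentication context statement would carry. -->
  <xs:element name="SharedSecretChallengeResponse"
              type="ex:SharedSecretChallengeResponseType"/>
  <xs:element name="KerberosChallengeResponse"
              type="ex:KerberosChallengeResponseType"/>

</xs:schema>
```

Keeping the attribute optional is the point of the layout: the base type is what every SAML authority can assert about a ticket-based login, and the derived type lets a Kerberos class schema add the pre-auth detail without forcing an authority that never learned it from the KDC to make a claim it cannot back up.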