Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> I believe the most recent version of the credentials collector document
> was that posted on 4 November of last year, available at:
> www.oasis-open.org/apps/org/workgroup/security/download.php/4119/oasis-sstc-v2_0-credentials_collector-use_cases-moses-02_d%85.pdf,
> but recall that this topic area fell outside SAML 2.0's selected
> priorities in subsequent discussion.

That's true in the most general sense, but we've been doing profiles that assume credentials collection since 1.0. The part that's out of scope, in my mind, is the actual collector/authority interaction, which is left to implementers to define. And since it's local to a security domain, the need for interoperability in that is less compelling.

In this context, it's the KDC/authority relationship that's undefined. Ideally the authority could just be a service principal in the KDC and accept tickets, but if the pre-auth designation is important but missing from the ticket, then it's not that simple.

-- Scott