RE: [security-services] RE: AuthenticationMethod / NameIdentifier andKerberos authentication

[Scott Cantor <cantor.2@osu.edu>]

> I believe the most recent version of the credentials collector document
> was that posted on 4 November of last year, available at:
> www.oasis-open.org/apps/org/workgroup/security/download.php/4119/oasi
> s-sstc-v2_0-credentials_collector-use_cases-moses-02_d%85.pdf,
>  but recall that this topic area fell outside SAML 2.0's selected
> priorities in subsequent discussion. 

That's true in the most general sense, but we've been doing profiles that
assume credentials collection since 1.0. The part that's out of scope, in my
mind, is the actual collector/authority interaction, which is left to
implementers to define. And since it's local to a security domain, the need
for interoperability in that is less compelling.

In this context, it's the KDC/authority relationship that's undefined.
Ideally the authority could just be a service principal in the KDC and
accept tickets, but if the pre-auth designation is important but missing
from the ticket, then it's not that simple.

-- Scott