security-services message



Subject: RE: [security-services] Drafts for review: Kerberos & SAML profiles


Josh Howlett wrote on 2009-08-18:
> I think it would be useful to understand whether it is acceptable to
> use subject confirmation methods other than those that are mentioned
> in the WSS SAML TP spec.

I think I'm coming to believe you're right, that there's no precluding of
other types. Even if there were, I don't find the current TP to be
particularly attractive for newer applications anyway, so I think it's moot.

My reading of the IMI spec suggests to me that ultimately it's really
unspecified how you map particular WS-Trust requirements for proof keys into
specific SAML assertions, so I think that's quite doable using token
profiles in that context.

> Interestingly, the IMI spec (section 12) defines a set of
> identifier types that are represented through an <Identity>
> WS-Addressing <EndpointReference> property. Two of these are Service
> Principal Name and User Principal Name, and the semantics associated
> with those fit the Kerberos use case.

Sort of in reverse, yes, they tell you who you're getting an assertion from
or sending it to, but I agree that the structure is applicable.

> I've only just skim-read the IMI profile, and so I'm not fully clear
> on what these are intended for. Oddly, each representation (DNS name,
> SPN, UPN, KeyInfo) has text that also describes how the endpoint can
> "prove its right to speak" as the identity. I'm puzzled by this but,
> for the Identity representations I care about, this text seems to be a
> suggestion rather than a stipulation.

The point of it is to inform your dialog with the endpoint. If you're using
Kerberos to authenticate to the IdP, it tells you what the SPN of the IdP is
so you can request a ticket for it.

-- Scott
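The point Scott makes in the last paragraph, as an added example that is not part of the original message or of the IMI spec: a client receives a WS-Addressing EndpointReference for the IdP, reads the identity representation it carries (Dns, Spn, Upn or KeyInfo), and derives the service principal to request a Kerberos ticket for. The wsa/wsid namespace URIs, the element names, and the two EndpointReference documents are assumptions constructed for this illustration; the host-matching check at the end is a sanity check this example adds, not something the spec stipulates.

```python
"""Read the wsid:Identity of a WS-Addressing EndpointReference and decide
which Kerberos principal to request a ticket for.

Added illustration, not code from the IMI spec or any project. Namespace
URIs and element names below are assumptions; verify them against the
spec version you target.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

WSA = "http://www.w3.org/2005/08/addressing"                      # assumed
WSID = "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"  # assumed
DS = "http://www.w3.org/2000/09/xmldsig#"

# The four identity representations discussed in the thread.
IDENTITY_KINDS = {
    f"{{{WSID}}}Dns": "Dns",
    f"{{{WSID}}}Spn": "Spn",
    f"{{{WSID}}}Upn": "Upn",
    f"{{{DS}}}KeyInfo": "KeyInfo",
}

# Constructed sample: the IdP says "request a ticket for this SPN".
SAMPLE_EPR = f"""<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:wsid="{WSID}">
  <wsa:Address>https://idp.example.org/sts</wsa:Address>
  <wsid:Identity>
    <wsid:Spn>HTTP/idp.example.org@EXAMPLE.ORG</wsid:Spn>
  </wsid:Identity>
</wsa:EndpointReference>"""

# Constructed sample: Identity names a host other than the one we connect to.
MISMATCHED_EPR = f"""<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:wsid="{WSID}">
  <wsa:Address>https://idp.example.org/sts</wsa:Address>
  <wsid:Identity>
    <wsid:Spn>HTTP/other.example.org@EXAMPLE.ORG</wsid:Spn>
  </wsid:Identity>
</wsa:EndpointReference>"""

# Constructed sample: only a DNS identity, so no Kerberos principal to ask for.
DNS_ONLY_EPR = f"""<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:wsid="{WSID}">
  <wsa:Address>https://idp.example.org/sts</wsa:Address>
  <wsid:Identity><wsid:Dns>idp.example.org</wsid:Dns></wsid:Identity>
</wsa:EndpointReference>"""


def parse_epr(epr_xml: str) -> dict:
    """Return {'address': str, 'identity': (kind, value) | None}."""
    root = ET.fromstring(epr_xml)
    if root.tag != f"{{{WSA}}}EndpointReference":
        raise ValueError(f"not an EndpointReference: {root.tag}")
    address = root.findtext(f"{{{WSA}}}Address")
    if not address:
        raise ValueError("EndpointReference has no wsa:Address")
    identity = None
    ident = root.find(f"{{{WSID}}}Identity")
    if ident is not None:
        reps = [(IDENTITY_KINDS[c.tag], (c.text or "").strip())
                for c in ident if c.tag in IDENTITY_KINDS]
        if len(reps) != 1:
            raise ValueError(f"expected one identity representation, got {len(reps)}")
        identity = reps[0]
        if identity[0] != "KeyInfo" and not identity[1]:
            raise ValueError(f"empty {identity[0]} identity")
    return {"address": address, "identity": identity}


def kerberos_target(epr: dict) -> str:
    """The principal name to request a service ticket for, or raise if the
    endpoint's Identity is not a Kerberos principal."""
    if epr["identity"] is None:
        raise ValueError("endpoint advertises no Identity")
    kind, value = epr["identity"]
    if kind not in ("Spn", "Upn"):
        raise ValueError(f"{kind} identity is not a Kerberos principal")
    return value


def spn_matches_address(epr: dict) -> bool:
    """Sanity check added by this example (not a spec rule): the SPN's host
    should be the host named in wsa:Address, otherwise the ticket obtained is
    for a different service than the one being contacted."""
    kind, value = epr["identity"] or (None, None)
    if kind != "Spn":
        return False
    service_host = value.split("@", 1)[0]            # drop the realm
    parts = service_host.split("/", 1)                # service/host[:port]
    if len(parts) != 2:
        return False
    host = parts[1].split(":", 1)[0].lower()
    return host == (urlparse(epr["address"]).hostname or "").lower()


if __name__ == "__main__":
    epr = parse_epr(SAMPLE_EPR)
    print("request ticket for:", kerberos_target(epr),
          "host matches address:", spn_matches_address(epr))
```

A Dns or KeyInfo identity still tells the client what it is talking to, but it gives nothing to put in a TGS request, which is why `kerberos_target` refuses it rather than guessing an SPN from the address.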



