OASIS Mailing List Archives

security-services message


Subject: Strawman: Kerberos Subject Confirmation Method


This is a straw-man for the 'Kerberos Subject Confirmation Method'  
that has been the subject of recent discussion.

It is intended to allow a SAML Requester to confirm an attesting party  
using the Kerberos protocol.

Comments welcome, josh.

---

URI: urn:oasis:names:tc:SAML:2.0:cm:kerberos

A <NameID> element MUST be present within the <SubjectConfirmation>  
element. This element MUST identify an entity using the Kerberos  
Principal Name name identifier type [SAML2Core]. The named Kerberos  
principal is considered to be the subject of the assertion by the  
asserting party, subject to optional constraints on confirmation using  
the attributes that MAY be present in the <SubjectConfirmationData>  
element, as defined by [SAMLCore].

Example: The Kerberos principal named "joe@EXAMPLE.ORG" can confirm  
itself as the subject.

<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:kerberos">
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">joe@EXAMPLE.ORG</NameID>
</SubjectConfirmation>
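
Added example (not part of the original message or of any OASIS text): a sketch of how a relying party could enforce the rules stated above before treating a Kerberos principal as the confirmed subject. It assumes the elements are in the SAML 2.0 assertion namespace, that NameID carries its format in the Format attribute as [SAML2Core] defines it, and that the authenticated principal name comes from a completed Kerberos exchange; the function name and sample data are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CM_KERBEROS = "urn:oasis:names:tc:SAML:2.0:cm:kerberos"
FMT_KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
# Constructed sample <Subject>, not taken from the original message.
SAMPLE = (
    '<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    f'<SubjectConfirmation Method="{CM_KERBEROS}">'
    f'<NameID Format="{FMT_KERBEROS}">joe@EXAMPLE.ORG</NameID>'
    '<SubjectConfirmationData NotOnOrAfter="2024-01-01T00:00:00Z"/>'
    '</SubjectConfirmation></Subject>'
)

def confirm_kerberos_subject(subject_xml, authenticated_principal, now=None):
    """Return (ok, reason). Assumes the assertion signature was already verified
    and authenticated_principal came from a completed Kerberos exchange."""
    now = now or datetime.now(timezone.utc)
    reason = "no Kerberos SubjectConfirmation present"
    for sc in ET.fromstring(subject_xml).findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") != CM_KERBEROS:
            continue
        name_id = sc.find("saml:NameID", NS)
        if name_id is None:
            reason = "NameID missing inside SubjectConfirmation"
            continue
        if name_id.get("Format") != FMT_KERBEROS:
            reason = "NameID is not in Kerberos Principal Name format"
            continue
        principal = (name_id.text or "").strip()
        if not all(principal.rpartition("@")):
            reason = "NameID is not of the form name@REALM"
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        expiry = data.get("NotOnOrAfter") if data is not None else None
        if expiry is not None:
            try:  # fail closed on timestamps this sketch cannot parse
                limit = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                reason = "unparseable NotOnOrAfter"
                continue
            if now >= limit.replace(tzinfo=timezone.utc):
                reason = "confirmation expired"
                continue
        if principal == authenticated_principal:  # case-sensitive on purpose
            return True, "confirmed as " + principal
        reason = "authenticated principal does not match NameID"
    return False, reason
```

The comparison is exact because Kerberos principal names are case-sensitive, so "joe@example.org" does not confirm an assertion issued for "joe@EXAMPLE.ORG".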

