
security-services message


Subject: Re: Question to SSTC -- RE: Questions Regarding SAML 2.0 Conformance

On 7/8/11 1:22 PM, "Steve Finegan" <SFinegan@agiliance.com> wrote:

>The use case we are trying to address is to provide a seamless experience for
>enterprise users within a domain who have already logged on to the domain
>through Kerberos. When they access our application, we want to provide the
>ability for all or a subset of users to be passed right through to our
>application. This is, of course, for on-site deployments and not cloud
>deployments. SAML will be for hosted deployments.

It's extremely common to handle that with dual URLs and tricks like that,
to allow separate software to handle things. SPNEGO is far from seamless
in practice, and isn't even enabled by default on many browsers, so there
are provisioning and error handling challenges.

>There is an RFC out for SPNEGO-based Kerberos and NTLM HTTP Authentication
>in Microsoft Windows, but I am having a challenge obtaining information on
>what needs to be done to enable a web application to actually use these
>capabilities within our application.

The application shouldn't be involved; it's the web server's job. The
app's job is to look at REMOTE_USER, at least for simple identity.

-- Scott
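As an added example (not code from this thread or from OASIS): a minimal WSGI application that follows the advice above, consulting only the server-set REMOTE_USER that a SPNEGO module such as Apache's mod_auth_gssapi fills in, and implementing the "all or a subset of users" requirement as a realm allowlist. The realm EXAMPLE.COM and the X-Remote-User header name are assumptions.

```python
"""WSGI identity extraction for an app behind a web server that performs
SPNEGO/Kerberos authentication (e.g. Apache with mod_auth_gssapi).
Constructed illustration; the realm and header names are assumptions."""

# Kerberos realm(s) whose users may be passed straight through to the app.
# EXAMPLE.COM is a constructed placeholder, not a real deployment value.
ALLOWED_REALMS = {"EXAMPLE.COM"}


def identify(environ):
    """Return the authenticated local username, or None if the web server
    did not authenticate the request.

    Only the server-set REMOTE_USER variable is consulted.  Any HTTP header
    a client could supply (e.g. a hypothetical X-Remote-User, which would
    arrive in the WSGI environ as HTTP_X_REMOTE_USER) is deliberately
    ignored, because clients can set such headers freely.
    """
    principal = environ.get("REMOTE_USER", "")
    if not principal:
        return None
    # SPNEGO modules typically hand over the Kerberos principal as user@REALM
    user, sep, realm = principal.rpartition("@")
    if not sep:
        # Some modules strip the realm themselves; accept the bare name as-is.
        return principal
    if realm.upper() not in ALLOWED_REALMS:
        # Authenticated, but not in the subset of users allowed straight in.
        return None
    return user


def app(environ, start_response):
    """Minimal WSGI application: 401 unless the web server authenticated."""
    user = identify(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"not authenticated by the web server\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]
```

Users outside the allowed realm, or requests the server did not authenticate, get a 401 here; in the dual-URL arrangement Scott mentions, that is the point at which a separate SAML-protected URL would take over.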
