Subject: Re: Updated Kerberos docs for next SSTC Call
On 11 Sep 2009, at 16:45, Thomas Hardjono wrote:
> Folks,
>
> I have just uploaded additional drafts related to the Kerberos work:
>
> (a) Kerberos Attribute profile (draft-02):
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/34160/sstc-saml-attribute-kerberos-02.odt
>
> (b) Kerberos Subject Confirmation Method (draft-00):
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/34161/sstc-saml-kerberos-subject-confirmation-method%2000.odt
>
> We look forward to comments/inputs regarding these docs for the next
> SSTC Call (Sept 22, 2009).

I thought it might be useful to provide some use-case context to these.

In the first use-case, the Kerberos Subject Confirmation Method will be profiled with the Web SSO Profile within another document that I'm working on: the Kerberos Web SSO Profile. It is conceptually very similar to the HoK Web SSO Profile. Here's the abstract:

"The SAML V2.0 Kerberos Web Browser SSO Profile allows for transport of assertions bearing a Kerberos Subject Confirmation Method by standard HTTP user agents with no modification of client software and maximum compatibility with existing deployments. The flow is similar to standard Web Browser SSO, but a Kerberos service ticket presented by the user agent via a Kerberos/GSS/Negotiate handshake names a Kerberos principal. The presentation of a valid Kerberos service ticket whose user principal name matches the principal name given in the Subject Confirmation element strengthens the assurance of the resulting authentication context and protects against credential theft. In addition, the profile also enables discovery of the Identity Provider by attempting to match the user principal's realm, given in the Kerberos ticket, to realms named in SAML metadata. This avoids or mitigates the requirement for human interaction, improving the user experience with Service Providers that are associated with two or more Identity Providers."

The second use-case is extending the use of Kerberos-based evidence in web services. I'm currently modeling this as the STP in which the client presents a SAML assertion containing a Kerberos attribute statement. This assertion may also contain a Kerberos Subject Confirmation.

The final use-case is enabling the use of Kerberos to establish trust between SAML entities, allowing the exclusive use of Kerberos within a SAML deployment.

josh.
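The two checks the abstract above describes on the Service Provider side, the principal-name match between the Negotiate-authenticated ticket and the Subject Confirmation element, and realm-based Identity Provider discovery from metadata, as an added example. This is illustration code, not text or code from the SSTC drafts or from the author of the thread. Assumptions: the Kerberos confirmation-method URI is a placeholder (the draft defines the real identifier); the confirmed principal is carried as the NameID inside SubjectConfirmation; the realm-to-IdP mapping stands in for whatever metadata extension the profile chooses; the assertion, timestamps and entityIDs are constructed sample data; and the principal authenticated by the GSS/Negotiate handshake is passed in as a string, since that step is performed by the HTTP server.

```python
"""Kerberos Subject Confirmation check and realm-based IdP discovery (added
example; not from the SSTC drafts)."""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# ASSUMPTION: placeholder for the method URI the Kerberos SCM draft defines.
KERBEROS_CM = "urn:example:saml:cm:kerberos"

# Constructed sample assertion. ASSUMPTION: the principal that must present a
# service ticket is the NameID inside the SubjectConfirmation element.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2009-09-11T16:45:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{KERBEROS_CM}">
      <saml:NameID>alice@EXAMPLE.ORG</saml:NameID>
      <saml:SubjectConfirmationData NotOnOrAfter="2009-09-11T16:50:00Z"
          Recipient="https://sp.example.org/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed view of SP-side metadata: which IdP entityIDs serve which
# Kerberos realms. ASSUMPTION: a plain mapping stands in for the metadata
# extension the profile would define.
REALM_TO_IDPS: Dict[str, List[str]] = {
    "EXAMPLE.ORG": ["https://idp.example.org/idp"],
    "PARTNER.EXAMPLE": ["https://idp1.partner.example",
                        "https://idp2.partner.example"],
}


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' at the last '@' that is not escaped as '\\@'.
    Kerberos names are case-sensitive, so no case folding is applied."""
    for i in range(len(principal) - 1, 0, -1):
        if principal[i] == "@" and principal[i - 1] != "\\":
            return principal[:i], principal[i + 1:]
    raise ValueError("principal has no realm: %r" % principal)


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps used in the sample assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def confirm_subject(assertion_xml: str, ticket_principal: str,
                    now: datetime, recipient: str) -> bool:
    """True iff a Kerberos SubjectConfirmation names exactly the principal
    that the Negotiate handshake authenticated, and its
    SubjectConfirmationData (if present) is unexpired and meant for us.
    A stolen assertion replayed by a different principal fails here."""
    root = ET.fromstring(assertion_xml)
    want = split_principal(ticket_principal)
    for sc in root.findall("./saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != KERBEROS_CM:
            continue  # bearer/HoK confirmations are out of scope here
        name_id = sc.find("saml:NameID", NS)
        if name_id is None or not name_id.text:
            continue
        try:
            have = split_principal(name_id.text.strip())
        except ValueError:
            continue
        if have != want:  # exact, case-sensitive comparison of name and realm
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is not None:
            expiry = data.get("NotOnOrAfter")
            if expiry and now >= _ts(expiry):
                continue
            if data.get("Recipient") and data.get("Recipient") != recipient:
                continue
        return True
    return False


def discover_idps(ticket_principal: str,
                  realm_to_idps: Dict[str, List[str]] = REALM_TO_IDPS) -> List[str]:
    """IdP entityIDs whose metadata names the realm of the ticket principal.
    An empty list means the SP must fall back to interactive discovery."""
    _, realm = split_principal(ticket_principal)
    return list(realm_to_idps.get(realm, []))


if __name__ == "__main__":
    t = datetime(2009, 9, 11, 16, 46)
    print(confirm_subject(ASSERTION_XML, "alice@EXAMPLE.ORG", t,
                          "https://sp.example.org/acs"))
    print(discover_idps("alice@EXAMPLE.ORG"))
```

Note that the comparison is deliberately exact: `alice@example.org` does not confirm an assertion issued for `alice@EXAMPLE.ORG`, because Kerberos realms and name components are case-sensitive and a forgiving match would widen the set of tickets that confirm a given assertion.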