[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
I'll also agree with Scott and JohnK on this. As I see it, designating Kerberos as the method in an assertion issued by a SAML IdP appropriately means that the IdP is issuing that assertion based on a successful Kerberos protocol transaction with the user's client. An alternative where the IdP receives the user's password and itself performs a Kerberos exchange on the user's behalf does involve Kerberos but doesn't constitute Kerberos-based authentication to the IdP in the same sense. It seems a reasonable description for this to annotate a top-level password method indicator with an authentication context describing something like "Kerberos-confirmed", though. --jl -----Original Message----- From: Scott Cantor [mailto:cantor.2@osu.edu] Sent: Tuesday, April 13, 2004 10:24 PM To: 'Tim Alsop' Cc: security-services@lists.oasis-open.org Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication > Anyway, I think JohnK mentioned using an Auth Context instead > of putting the Kerberos pre-auth in the AuthenticationMethod > statement ? What was the concensus on this, or has it not > been discussed in detail yet ? The latter. I think everyone agrees that it makes sense, but I don't know that Liberty has defined any specific classes or statements that deal with Kerberos. > Maybe if Kerberos has been used, but not in the way we prefer > (client in workstation/browser) we could still represent this > method as a Kerberos method, but put something meaningful > into a Context statement that gives more details on how > Kerberos was used to authenticate the user ? That is in > addition to the pre-auth method ? Just a suggestion ... Comments ? Right. My criticism pertained to the old method. However, I would be equally opposed to lumping this model into a general Kerberos context class. I think it's closer to a "password" class with specific details provided as to how the server is checking the password for accuracy that mention Kerberos. -- Scott To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave _workgroup.php.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]