SAML V2.0 Kerberos Web Browser SSO Profile Version 1.0

This profile allows for the transport of assertions using the Kerberos subject confirmation method by standard HTTP user agents, with no modification of client software and maximum compatibility with existing deployments. The flow is similar to standard Web Browser SSO, but a Kerberos AP-REQ message is presented by the user agent via the HTTP Negotiate authentication scheme and the Kerberos GSS-API mechanism. The presentation of a valid Kerberos AP-REQ message whose client principal name matches the principal name given in the subject confirmation strengthens the assurance of the resulting authentication context and protects against credential theft.

Produced by:

Security Services (SAML) TC

Voting history:

February 2012


Cite as:

[SAML2KrbSSO] SAML V2.0 Kerberos Web Browser SSO Profile Version 1.0. Edited by Josh Howlett, Thomas Hardjono, Nathan Klingenstein, and Tom Scavo. 07 February 2012. OASIS Committee Specification 01. http://docs.oasis-open.org/security/saml/Post2.0/saml-kerberos-browser-sso/v1.0/cs01/saml-kerberos-browser-sso-v1.0-cs01.html. Latest version: http://docs.oasis-open.org/security/saml/Post2.0/saml-kerberos-browser-sso/v1.0/saml-kerberos-browser-sso-v1.0.html.