Re: [KAML] Reminder: BOF proposals to me by October 1
"Tom Scavo" <trscavo@gmail.com> Thu, 22 November 2007 16:29 UTC
Return-path: <kaml-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IvEvK-0004q2-6x; Thu, 22 Nov 2007 11:29:06 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IvEvI-0004pK-UD for kaml@ietf.org; Thu, 22 Nov 2007 11:29:04 -0500
Received: from nf-out-0910.google.com ([64.233.182.184]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IvEvF-00066L-Ku for kaml@ietf.org; Thu, 22 Nov 2007 11:29:04 -0500
Received: by nf-out-0910.google.com with SMTP id d21so2282225nfb for <kaml@ietf.org>; Thu, 22 Nov 2007 08:29:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=ml/dmAiyEiftpxiQOIN2bhTj0YH/ErbY73Xb+JwHx5I=; b=HkYEy40n9Kxg1NR35DWRMHyqoizcPesDRvdIIZxBolcqXhZNSF+YpYD+nC90qJuZar/huLQE7X31mtcYd5R6j5NL4c00o/xJ4DqISGLyugy3/GVQPEfyPP4x8jF4K8yfGkpyVZA9kS3CyH+rGBXZgjsjwjMKg0aiReLKtpilEvM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Rz6LYG60fCCq4TwzvI+MOrqUkT3KJMb9uUfGkSdorTNcMhXVfmUnG2YEVZ0CrklMc+vbH9pwlnS+d8KUVh9AJtdI+lgeUBR4bp62IIg2xQsMyx9TGgrF8VkaNPVmvqtAwMr1btsPD8k8kNJ4MchZCeuEnodfzkRIDibdZwrYGZI=
Received: by 10.82.149.8 with SMTP id w8mr1832669bud.1195748939968; Thu, 22 Nov 2007 08:28:59 -0800 (PST)
Received: by 10.82.186.1 with HTTP; Thu, 22 Nov 2007 08:28:59 -0800 (PST)
Message-ID: <ea2af9bd0711220828g62ec6992nbde42a5d7b95c0c@mail.gmail.com>
Date: Thu, 22 Nov 2007 11:28:59 -0500
From: Tom Scavo <trscavo@gmail.com>
To: Josh Howlett <Josh.Howlett@ja.net>
Subject: Re: [KAML] Reminder: BOF proposals to me by October 1
In-Reply-To: <6ED388AA006C454BA35B0098396B9BFB02E4CB6F@uxsrvr20.atlas.ukerna.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <ea2af9bd0709251452y114ee29bs91fcfb6f490e6ffc@mail.gmail.com> <6ED388AA006C454BA35B0098396B9BFB02E4C7D9@uxsrvr20.atlas.ukerna.ac.uk> <ea2af9bd0711160910u70ebb515m35de79fdad8ff606@mail.gmail.com> <6ED388AA006C454BA35B0098396B9BFB02E4CA80@uxsrvr20.atlas.ukerna.ac.uk> <ea2af9bd0711161602h395cd3cbsda2dcbc3173b0ab1@mail.gmail.com> <6ED388AA006C454BA35B0098396B9BFB02E4CB6F@uxsrvr20.atlas.ukerna.ac.uk>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: kaml@ietf.org, Paul Rabinovich <Paul.Rabinovich@exostar.com>
X-BeenThere: kaml@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kaml>
List-Post: <mailto:kaml@ietf.org>
List-Help: <mailto:kaml-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=subscribe>
Errors-To: kaml-bounces@ietf.org
On 11/19/07, Josh Howlett <Josh.Howlett@ja.net> wrote: > > I was > assuming that the RP is wielding a NameID (bound to the ticket) that can > be used, for example, as the <Subject> of an <AuthnQuery>; the AuthN > context may then be returned within an Authentication Statement. This introduces significant new infrastructure and protocol requirements. The most widely deployed SAML implementation (Shibboleth) does not implement the AuthnQuery protocol, so there isn't a single IdP today that could satisfy such a request. More importantly, an AuthnQuery is a query for an assertion describing a previous act of authentication, so now the IdP has to maintain state where none existed before. For production, stateless IdPs, this is most likely a showstopper. You say there is a NameID bound to the ticket. How does the TGS obtain or produce a NameID that the IdP can map to the correct local principal? (Note that the IdP needs a plugin that can perform this mapping, yet another infrastructure requirement.) What is the Format of the NameID? Is it a SAML V2.0 kerberos identifier? If so, this rules out SAML V1.1, which constitutes the bulk of today's SAML deployments. > FWIW, another reason that 'push' might be problematic is that the Ticket > Granting Service may not be aware of the authentication context owing to > the fact that the Authentication Service (in the Kerberos context!) that > the principal authenticates against may be a separate entity from the > TGS; how, therefore, does the TGS learn of the AuthN context from the > AS? In fact, this is exactly how a Shibboleth IdP works today. An external service authenticates the user and passes the principal name to the IdP. From this, the IdP formulates the SAML authn context on its own. In general, the LoA associated with an identity token is a function of the strength of the identity credential used to obtain the token, the token type, the authentication method, and the protocol used to transmit the token to the relying party. Only the authentication method depends on the authentication service, and even this can be inferred by the IdP. > Further, if we assume that the Authentication Service is issuing the > Authentication Assertion (with the LoA) then some other possible issues > resolve themselves; for example, we know that we can set the value of > the NotOnOrAfter attribute to the expiry of the principal's Kerberos > TGT. Actually, if you embed the SAML directly in the ticket, you don't even need to include a NotOnOrAfter attribute since it can be inferred from the containing ticket. There are other similar such benefits of a kerberos-bound SAML token. The SAML assertion need not have all the nitpicking features required by a SAML protocol since the SAML is subordinate to the kerberos, in a sense. No new protocols or extensive infrastructure are required. Tom _______________________________________________ KAML mailing list KAML@ietf.org https://www1.ietf.org/mailman/listinfo/kaml
- [KAML] Reminder: BOF proposals to me by October 1 Sam Hartman
- Re: [KAML] Reminder: BOF proposals to me by Octob… Leif Johansson
- RE: [KAML] Reminder: BOF proposals to me by Octob… Paul Rabinovich
- Re: [KAML] Reminder: BOF proposals to me by Octob… Leif Johansson
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Paul Rabinovich
- Re: [KAML] Reminder: BOF proposals to me by Octob… Henry B. Hotz
- Re: [KAML] Reminder: BOF proposals to me by Octob… Leif Johansson
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett
- Re: [KAML] Reminder: BOF proposals to me by Octob… Tom Scavo
- RE: [KAML] Reminder: BOF proposals to me by Octob… Josh Howlett