Re: [KAML] Reminder: BOF proposals to me by October 1

"Tom Scavo" <> Thu, 22 November 2007 16:29 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1IvEvK-0004q2-6x; Thu, 22 Nov 2007 11:29:06 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1IvEvI-0004pK-UD for; Thu, 22 Nov 2007 11:29:04 -0500
Received: from ([]) by with esmtp (Exim 4.43) id 1IvEvF-00066L-Ku for; Thu, 22 Nov 2007 11:29:04 -0500
Received: by with SMTP id d21so2282225nfb for <>; Thu, 22 Nov 2007 08:29:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=ml/dmAiyEiftpxiQOIN2bhTj0YH/ErbY73Xb+JwHx5I=; b=HkYEy40n9Kxg1NR35DWRMHyqoizcPesDRvdIIZxBolcqXhZNSF+YpYD+nC90qJuZar/huLQE7X31mtcYd5R6j5NL4c00o/xJ4DqISGLyugy3/GVQPEfyPP4x8jF4K8yfGkpyVZA9kS3CyH+rGBXZgjsjwjMKg0aiReLKtpilEvM=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Rz6LYG60fCCq4TwzvI+MOrqUkT3KJMb9uUfGkSdorTNcMhXVfmUnG2YEVZ0CrklMc+vbH9pwlnS+d8KUVh9AJtdI+lgeUBR4bp62IIg2xQsMyx9TGgrF8VkaNPVmvqtAwMr1btsPD8k8kNJ4MchZCeuEnodfzkRIDibdZwrYGZI=
Received: by with SMTP id w8mr1832669bud.1195748939968; Thu, 22 Nov 2007 08:28:59 -0800 (PST)
Received: by with HTTP; Thu, 22 Nov 2007 08:28:59 -0800 (PST)
Message-ID: <>
Date: Thu, 22 Nov 2007 11:28:59 -0500
From: "Tom Scavo" <>
To: "Josh Howlett" <>
Subject: Re: [KAML] Reminder: BOF proposals to me by October 1
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <> <> <> <> <> <>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc:, Paul Rabinovich <>
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

On 11/19/07, Josh Howlett <> wrote:
> I was
> assuming that the RP is wielding a NameID (bound to the ticket) that can
> be used, for example, as the <Subject> of an <AuthnQuery>; the AuthN
> context may then be returned within an Authentication Statement.

This introduces significant new infrastructure and protocol
requirements.  The most widely deployed SAML implementation
(Shibboleth) does not implement the AuthnQuery protocol, so there
isn't a single IdP today that could satisfy such a request.  More
importantly, an AuthnQuery is a query for an assertion describing a
previous act of authentication, so now the IdP has to maintain state
where none existed before.  For production, stateless IdPs, this is
most likely a showstopper.

You say there is a NameID bound to the ticket.  How does the TGS
obtain or produce a NameID that the IdP can map to the correct local
principal?  (Note that the IdP needs a plugin that can perform this
mapping, yet another infrastructure requirement.)  What is the Format
of the NameID?  Is it a SAML V2.0 kerberos identifier?  If so, this
rules out SAML V1.1, which constitutes the bulk of today's SAML

> FWIW, another reason that 'push' might be problematic is that the Ticket
> Granting Service may not be aware of the authentication context owing to
> the fact that the Authentication Service (in the Kerberos context!) that
> the principal authenticates against may be a separate entity from the
> TGS; how, therefore, does the TGS learn of the AuthN context from the
> AS?

In fact, this is exactly how a Shibboleth IdP works today.  An
external service authenticates the user and passes the principal name
to the IdP.  From this, the IdP formulates the SAML authn context on
its own.

In general, the LoA associated with an identity token is a function of
the strength of the identity credential used to obtain the token, the
token type, the authentication method, and the protocol used to
transmit the token to the relying party.  Only the authentication
method depends on the authentication service, and even this can be
inferred by the IdP.

> Further, if we assume that the Authentication Service is issuing the
> Authentication Assertion (with the LoA) then some other possible issues
> resolve themselves; for example, we know that we can set the value of
> the NotOnOrAfter attribute to the expiry of the principal's Kerberos
> TGT.

Actually, if you embed the SAML directly in the ticket, you don't even
need to include a NotOnOrAfter attribute since it can be inferred from
the containing ticket.  There are other similar such benefits of a
kerberos-bound SAML token.  The SAML assertion need not have all the
nitpicking features required by a SAML protocol since the SAML is
subordinate to the kerberos, in a sense.  No new protocols or
extensive infrastructure are required.


KAML mailing list