RE: [KAML] Chicago bar-BOF summary

"Josh Howlett" <> Fri, 24 August 2007 11:00 UTC

From: "Josh Howlett" <>
To: "Leif Johansson" <>, <>
Cc: Josh Howlett <>

> The use-cases:
> 1. Was a smart-card used?

Just to clarify: is this use-case describing 1) "LoA" for Kerberos or 2)
extending SAML LoA to permit richer expressions?

> 2. The standardized PAC
> An AD domain controller includes data about the groups a user 
> is a member of in the PA-DATA field of the KDC-REP. A 
> generalization of this concept might be to include a SAML 
> authentication response in the PA-DATA.

...presumably this could be further generalised to allow assertions in
general, or even lower-level constructs such as an artifact (pointing to
an assertion)?

> Hope this is enough to get things started. I know the
> smart-card use-case was discussed on the heimdal 
> list (although possibly not in the generality I 
> presented above). Other use-cases have been discussed
> on other lists.

I'm curious whether we can use SAML, and the trust fabrics that are
realised through SAML federation metadata, to support some kind of
cross-realm Kerberos operation - perhaps using a SAML-based profile for
inter-KDC communication (following PKCROSS' example)?

The use-case would be a visitor requiring access to some local
Kerberos-protected network resource, but with no local credentials.

However, such a profile might also provide a way to avoid using the Web
SSO Profile (in a browser context, obviously) and therefore side-step
the associated IdP "discovery problem". The browser could authenticate
using Negotiate (anonymously/pseudonymously) to the SP; authorisation
could subsequently be performed using the familiar SAML-based
mechanisms; perhaps boot-strapped through an artifact returned in the
PAC (which is used as the discovery 'cue').

best regards, josh.

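The "artifact as discovery cue" idea in the last paragraph, as an added Python example that is not part of the original post: it encodes and decodes a SAML 2.0 type-0004 artifact (TypeCode, EndpointIndex, SourceID = SHA-1 of the issuer's entityID, MessageHandle) and resolves the SourceID against entityIDs taken from federation metadata, which is all a relying party needs to identify the issuing IdP without a browser-based discovery step. The entityIDs are constructed placeholders, and how the artifact would be carried in the PAC is left open, as in the mail.

```python
import base64
import hashlib
import os
import struct
from typing import Dict, List, Optional

# SAML 2.0 artifact (Bindings spec 3.6.4): 2-byte TypeCode, 2-byte EndpointIndex,
# then for type 0x0004 a 20-byte SourceID (SHA-1 of entityID) and a 20-byte MessageHandle.
ARTIFACT_TYPE_0004 = 0x0004
SOURCE_ID_LEN = 20
MESSAGE_HANDLE_LEN = 20


def source_id(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the issuer's entityID (UTF-8 encoded)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int, handle: Optional[bytes] = None) -> str:
    """Encode a base64 type-0004 artifact naming `entity_id` as the issuer."""
    if handle is None:
        handle = os.urandom(MESSAGE_HANDLE_LEN)  # random, opaque to the receiver
    if len(handle) != MESSAGE_HANDLE_LEN:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = struct.pack(">HH", ARTIFACT_TYPE_0004, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str) -> Dict[str, object]:
    """Decode an artifact; reject wrong lengths and unsupported type codes before trusting any field."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 4 + SOURCE_ID_LEN + MESSAGE_HANDLE_LEN:
        raise ValueError("unexpected artifact length %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_0004:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return {
        "endpoint_index": endpoint_index,
        "source_id": raw[4:4 + SOURCE_ID_LEN],
        "message_handle": raw[4 + SOURCE_ID_LEN:],
    }


def discover_issuer(artifact: str, metadata_entity_ids: List[str]) -> Optional[str]:
    """Map the artifact's SourceID back to an entityID known from federation metadata (the discovery cue)."""
    fields = parse_artifact(artifact)
    by_source_id = {source_id(e): e for e in metadata_entity_ids}
    return by_source_id.get(fields["source_id"])  # None means the issuer is not in our trust fabric


# Constructed sample federation metadata: placeholder IdP entityIDs, not real deployments.
SAMPLE_METADATA = ["https://idp.example.org/saml", "https://idp.example.net/idp/shibboleth"]
```

An unknown SourceID is a useful signal on its own: an artifact from an issuer outside the metadata set should be rejected rather than resolved.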