Re: [kitten] GSS-API / SAML as authentication mechanism

Luke Howard Bentata <lukeh@padl.com> Wed, 12 April 2023 08:20 UTC

From: Luke Howard Bentata <lukeh@padl.com>
Message-Id: <528C011D-428D-4691-87F0-28E0ADC165B2@padl.com>
Date: Wed, 12 Apr 2023 09:20:00 +0100
In-Reply-To: <PN2P287MB0381F58334C75A8ABED02D65F69B9@PN2P287MB0381.INDP287.PROD.OUTLOOK.COM>
Cc: "kitten@ietf.org" <kitten@ietf.org>
To: Srinivas Cheruku <srinivas.cheruku@gmail.com>
References: <PN2P287MB0381F58334C75A8ABED02D65F69B9@PN2P287MB0381.INDP287.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/57ohQrEZCvraTtgL-2jMwrRfXzA>

There’s mech_saml_ec [1] but it was never something I would deploy in production. There are also protocol transition solutions like CloudAP [2] and TktBridgeAP [3] but they require an existing AD infrastructure.

A production-ready version of SAML EC would be a nice thing, but to me it seems a line has been drawn in the sand between web and non-web applications and there is no demand for this.

You may also find my experiences with BrowserID of interest. [4]

[1] https://github.com/fedushare/mech_saml_ec
[2] https://syfuhs.net/how-azure-ad-windows-sign-in-works
[3] https://github.com/PADL/TktBridgeAP
[4] https://hacks.mozilla.org/2013/04/mozilla-persona-for-the-non-web/

> On 12 Apr 2023, at 8:08 am, Srinivas Cheruku <srinivas.cheruku@gmail.com> wrote:
> 
> Hello All,
> 
> As you know, companies are slowly starting to think about moving away from Kerberos infrastructure (e.g. MS AD) and relying on MS Azure AD or another IdP for their authentication needs. We came across some new companies that do not have any Kerberos infrastructure like MS AD at all. And there are still thick-client applications using GSS-API/Kerberos for authentication, so I was thinking about support for GSS-API/SAML for these client applications.
> 
> I found two references as below:
> SAML Enhanced Client SASL and GSS-API Mechanisms - https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml-ec/
> RFC 6595 – A Simple Authentication and Security Layer (SASL) and GSS-API Mechanism for the Security Assertion Markup Language (SAML) - https://www.rfc-editor.org/rfc/rfc6595
> 
> Are there any known implementations of these?
> 
> I would much appreciate it if anyone could let me know whether any work has been done on thick-client applications using GSS-API with SAML as an authentication mechanism.
> 
> Thanks much,
> Srini