[kitten] GSS-API / SAML as authentication mechanism

Srinivas Cheruku <srinivas.cheruku@gmail.com> Wed, 12 April 2023 07:09 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/LfuVuvKddK7ztlEPLV85qwhSzpU>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

Hello All,

As you know, companies are slowly starting to think about moving away from Kerberos infrastructure (e.g. MS AD) and relying on MS Azure AD or any other IdP for their authentication needs. We came across some new companies that do not have any Kerberos infrastructure like MS AD at all. And there are still thick client applications using GSS-API/Kerberos for authentication, so I was thinking about support for GSS-API/SAML for these client applications.

I found two references as below:

  1.  SAML Enhanced Client SASL and GSS-API Mechanisms - https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml-ec/
  2.  RFC 6595 – A Simple Authentication and Security Layer (SASL) and GSS-API Mechanism for the Security Assertion Markup Language (SAML) - https://www.rfc-editor.org/rfc/rfc6595

Are there any known implementations of these?

I would much appreciate it if anyone could let me know whether any work has been done on thick client applications using GSS-API to use SAML as an authentication mechanism.

Thanks much,
Srini