Re: [kitten] GSS-API / SAML as authentication mechanism

Srinivas Cheruku <srinivas.cheruku@gmail.com> Wed, 12 April 2023 10:35 UTC

From: Srinivas Cheruku <srinivas.cheruku@gmail.com>
To: Luke Howard Bentata <lukeh@padl.com>
CC: "kitten@ietf.org" <kitten@ietf.org>
Date: Wed, 12 Apr 2023 10:35:35 +0000
Message-ID: <PN2P287MB03815FB1A20012E2856DAE71F69B9@PN2P287MB0381.INDP287.PROD.OUTLOOK.COM>
References: <PN2P287MB0381F58334C75A8ABED02D65F69B9@PN2P287MB0381.INDP287.PROD.OUTLOOK.COM> <528C011D-428D-4691-87F0-28E0ADC165B2@padl.com>
In-Reply-To: <528C011D-428D-4691-87F0-28E0ADC165B2@padl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/zZJXnQyZ56C7fFFP9amJnX8eTW8>
Subject: Re: [kitten] GSS-API / SAML as authentication mechanism

Hello Luke,

Thank you very much for this information.

Having existing AD infrastructure is not an option, and so we are trying to explore the options. I will read the draft and also the mech-saml-ec implementation to understand better.

Thanks,
Srini

From: Luke Howard Bentata <lukeh@padl.com>
Date: Wednesday, 12 April 2023 at 13:50
To: Srinivas Cheruku <srinivas.cheruku@gmail.com>
Cc: kitten@ietf.org <kitten@ietf.org>
Subject: Re: [kitten] GSS-API / SAML as authentication mechanism
There’s mech_saml_ec [1] but it was never something I would deploy in production. There are also protocol transition solutions like CloudAP [2] and TktBridgeAP [3] but they require an existing AD infrastructure.


A production ready version of SAML EC would be a nice thing, but to me it seems a line has been drawn in the sand between web and non-web applications and there is no demand for this.

You may also find my experiences with BrowserID of interest. [4]

[1] https://github.com/fedushare/mech_saml_ec
[2] https://syfuhs.net/how-azure-ad-windows-sign-in-works
[3] https://github.com/PADL/TktBridgeAP
[4] https://hacks.mozilla.org/2013/04/mozilla-persona-for-the-non-web/

On 12 Apr 2023, at 8:08 am, Srinivas Cheruku <srinivas.cheruku@gmail.com> wrote:

Hello All,

As you know, companies are slowly starting to think about moving away from Kerberos infrastructure (e.g. MS AD) and relying on MS Azure AD or any other IdP for their authentication needs. We came across some new companies that do not have any Kerberos infrastructure like MS AD at all. And there are still thick client applications using GSS-API/Kerberos for authentication, and so I was thinking about support for GSS-API/SAML for these client applications.

I found two references as below:

1. SAML Enhanced Client SASL and GSS-API Mechanisms - https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml-ec/
2. RFC 6595 – A Simple Authentication and Security Layer (SASL) and GSS-API Mechanism for the Security Assertion Markup Language (SAML) - https://www.rfc-editor.org/rfc/rfc6595

Are there any known implementations of these?

I would much appreciate it if anyone could let me know whether any work has been done on thick client applications using GSS-API to use SAML as an authentication mechanism.

Thanks much,
Srini

_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten