RBAC and Kerberos?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Thu Jun 3 04:24:18 EDT 2004


Christopher,

I am currently working with OASIS SSTC to progress Kerberos/SAML
integration standards.

If you can explain to me in a bit more detail off-list how you think
SAML and Kerberos should work together I will be able to let you know if
our current work in OASIS covers your needs.

Thanks,

Tim Alsop

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Nebergall, Christopher
Sent: 03 June 2004 00:06
To: 'Digant Kasundra'; bart.w.jenkins; kerberos at mit.edu
Subject: RE: RBAC and Kerberos?

>>> Kerberos fits in best as an AuthN system.  It can very easily tie
>>> into LDAP which can support your AuthZ needs.

This is true within a single enterprise.  LDAP support for authorization
becomes more difficult once you are talking about federation between
different organizations.  It requires you to expose your directory server
outside your internal firewall and for partner site(s) to have intimate
knowledge of your directory schema.  In the web authentication world SAML
was developed to ease some of these burdens by defining a language to
share attributes more easily.  Does anyone know if there is research to
use SAML and Kerberos together (SAML as the PAC data)?

Christopher Nebergall


-----Original Message-----
From: Digant Kasundra [mailto:digant at uta.edu] 
Sent: Wednesday, June 02, 2004 4:25 PM
To: bart.w.jenkins; kerberos at mit.edu
Subject: RE: RBAC and Kerberos?

In a core enterprise IT, you have 2 "systems": AuthN (authentication) and
AuthZ (authorization).  Kerberos fits in best as an AuthN system.  It can
very easily tie into LDAP which can support your AuthZ needs.

-- DK


> -----Original Message-----
> From: kerberos-bounces at MIT.EDU 
> [mailto:kerberos-bounces at MIT.EDU] On Behalf Of bart.w.jenkins
> Sent: Wednesday, June 02, 2004 1:12 PM
> To: kerberos at MIT.EDU
> Subject: RBAC and Kerberos?
> 
> 
> All,
> I would love to use MIT's Kerberos, but it looks as though it 
> can NOT do Role Based Access Control (RBAC) out of the box.  
> It seems that MIT's Kerberos stores only principals and knows 
> nothing about any roles those principals might or might not 
> have.  For any particular user, I would love to be able to 
> attach a list of roles that person plays.  For example, for 
> user Joe, I need to be able to say that principal Joe has 
> roles: Admin, Superuser or Manager or Supervisor, or 
> Team1Leader etc.  Then, when Joe authenticates to the KDC, if 
> both the principal (what Java JAAS calls the
> subject) could also return a list of roles (JAAS principals), 
> I could then do RBAC.  Microsoft had to add some separate 
> user-to-role database that is consulted when users 
> authenticate in their Active Directory realm.  I would like 
> to not have to do this.  Does anyone know of a Kerberos 
> implementation that does RBAC and, BTW, works with Sun's JAAS 
> (Java security)?
> 
> I could just have user Kerberos principals and Role 
> principals, but then when someone logged in with a Role user 
> id, I would not know who the underlying user was.  It seems 
> that adding some Role attributes to the kerb principal would 
> help a lot here.
> 
> Thanks
> 
> Bart
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
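The split the thread describes, Kerberos as the AuthN system and a directory as the AuthZ source, is shown below as an added example; it is not code from any of the posters. It assumes the Kerberos login (GSSAPI or a JAAS login module) has already produced an authenticated principal name, and models only what a service does next: parse the name[/instance]@REALM form, accept only realms it trusts (the federation point Christopher raises), resolve roles through directory group membership, and record the decision against the authenticated user rather than a role (Bart's concern about losing the underlying user). The realms, principals, groups, roles and permissions are all constructed values standing in for real LDAP data.

```python
"""Authentication and authorization as two separate steps (added example).

The Kerberos step is assumed to have already happened; this module only
models what a service does with the authenticated principal it receives.
The directory is a constructed in-memory dict standing in for LDAP group
membership.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# name[/instance]@REALM, the textual form of a Kerberos V5 principal.
_PRINCIPAL_RE = re.compile(
    r"^(?P<name>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[A-Z0-9.-]+)$"
)

# Realms whose KDCs we accept authentication from (constructed values).
TRUSTED_REALMS = frozenset({"EXAMPLE.COM", "PARTNER.EXAMPLE.ORG"})

# Constructed stand-in for LDAP group membership, keyed by full principal.
# joe and joe/admin are distinct principals and carry distinct groups.
DIRECTORY_GROUPS: dict[str, frozenset[str]] = {
    "joe@EXAMPLE.COM": frozenset({"team1"}),
    "joe/admin@EXAMPLE.COM": frozenset({"admins"}),
    "ann@EXAMPLE.COM": frozenset({"team1", "team1-leaders"}),
    "bob@PARTNER.EXAMPLE.ORG": frozenset({"partner-readers"}),
}

# The RBAC tables (constructed): group -> roles, role -> permissions.
GROUP_ROLES = {
    "admins": frozenset({"Admin"}),
    "team1": frozenset({"Team1Member"}),
    "team1-leaders": frozenset({"Team1Leader", "Manager"}),
    "partner-readers": frozenset({"Reader"}),
}
ROLE_PERMISSIONS = {
    "Admin": frozenset({"user:create", "user:delete", "report:read"}),
    "Manager": frozenset({"report:read", "report:approve"}),
    "Team1Leader": frozenset({"team1:assign"}),
    "Team1Member": frozenset({"team1:view"}),
    "Reader": frozenset({"report:read"}),
}


@dataclass(frozen=True)
class Principal:
    name: str
    instance: str | None
    realm: str

    def canonical(self) -> str:
        inst = f"/{self.instance}" if self.instance else ""
        return f"{self.name}{inst}@{self.realm}"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    principal: str  # always the authenticated user, never a role
    roles: frozenset[str]
    reason: str


def parse_principal(text: str) -> Principal:
    """Parse the principal name handed over by the authentication layer."""
    m = _PRINCIPAL_RE.match(text)
    if not m:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(m["name"], m["instance"], m["realm"])


def roles_for(principal: Principal) -> frozenset[str]:
    """Resolve roles through directory group membership (the AuthZ data)."""
    groups = DIRECTORY_GROUPS.get(principal.canonical(), frozenset())
    roles: set[str] = set()
    for group in groups:
        roles |= GROUP_ROLES.get(group, frozenset())
    return frozenset(roles)


def authorize(principal_text: str, permission: str) -> Decision:
    """Decide whether an authenticated principal may exercise a permission."""
    try:
        principal = parse_principal(principal_text)
    except ValueError as exc:
        return Decision(False, principal_text, frozenset(), str(exc))
    who = principal.canonical()
    if principal.realm not in TRUSTED_REALMS:
        return Decision(False, who, frozenset(), f"untrusted realm {principal.realm}")
    roles = roles_for(principal)
    if not roles:
        return Decision(False, who, roles, "no roles in directory")
    granting = sorted(r for r in roles if permission in ROLE_PERMISSIONS.get(r, ()))
    if granting:
        return Decision(True, who, roles, "granted via " + ", ".join(granting))
    return Decision(False, who, roles, f"no role grants {permission}")


if __name__ == "__main__":
    for who, perm in [("joe@EXAMPLE.COM", "user:delete"),
                      ("joe/admin@EXAMPLE.COM", "user:delete"),
                      ("bob@PARTNER.EXAMPLE.ORG", "report:read"),
                      ("eve@OTHER.EXAMPLE", "report:read")]:
        print(authorize(who, perm))
```

The directory lookup is keyed on the full canonical principal, so an admin instance such as joe/admin gets its own group membership instead of inheriting joe's, and every Decision carries the authenticated principal alongside the roles that granted or denied the request, which is what an audit log needs to answer "who, acting in which role".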
