Thoughts on a Kerberos based open-authorization architecture.

Nicolas Williams Nicolas.Williams at
Mon Mar 6 15:42:51 EST 2006

On Mon, Mar 06, 2006 at 12:26:50PM -0800, Henry B. Hotz wrote:
> On Mar 4, 2006, at 9:03 AM, krbdev-request at wrote:
> > Date: Fri, 3 Mar 2006 13:51:10 -0600
> > From: greg at
> > Subject: Thoughts on a Kerberos based open-authorization architecture.
> > To: krbdev at
> Just a thought on getting all this accepted:  Can we wrap all this up  
> so it supports SOA and SAML?  Those are hot buzzwords at the moment  
> here.

So, there's an e-mail list about shoving SAML into and/or around
Kerberos V and/or making a native GSS-API mechanism (and credentials)
out of SAML 2.0+:

The approaches being considered are:

 - decorate on the inside (shove SAML goo into krb5 authorization-data)

 - decorate on the outside (a GSS-API stackable mechanism that uses an
   underlying mechanism for basic authentication and session protection
   facilities to securely exchange SAML goo [e.g., assertions,
   artifacts, etc...])

 - native GSS-API mechanism (use XMLend/XMLdsig/whatever and SAML to
   create a SAML credential and handle authentication and key exchange
   in addition to exchangeing SAML assertions, etc...)

> Anyone know of any open implementations of SOAP/WS-SECURITY Kerberos  
> tokens?  I have two groups here, one will go Java, and the other will  
> go Perl.

Whenever I look at the OASIS WS-Security Kerberos V Token Profile my
head hurts.


More information about the krbdev mailing list