Thoughts on a Kerberos based open-authorization architecture.
Nicolas Williams
Nicolas.Williams at sun.com
Mon Mar 6 15:42:51 EST 2006
On Mon, Mar 06, 2006 at 12:26:50PM -0800, Henry B. Hotz wrote:
>
> On Mar 4, 2006, at 9:03 AM, krbdev-request at mit.edu wrote:
>
> > Date: Fri, 3 Mar 2006 13:51:10 -0600
> > From: greg at enjellic.com
> > Subject: Thoughts on a Kerberos based open-authorization architecture.
> > To: krbdev at mit.edu
>
> Just a thought on getting all this accepted: Can we wrap all this up
> so it supports SOA and SAML? Those are hot buzzwords at the moment
> here.

So, there's an e-mail list about shoving SAML into and/or around
Kerberos V and/or making a native GSS-API mechanism (and credentials)
out of SAML 2.0+:

https://mailman1.u.washington.edu/mailman/listinfo/saml-mechanism

The approaches being considered are:

 - decorate on the inside (shove SAML goo into krb5 authorization-data)

 - decorate on the outside (a GSS-API stackable mechanism that uses an
   underlying mechanism for basic authentication and session protection
   facilities to securely exchange SAML goo [e.g., assertions,
   artifacts, etc...])

 - native GSS-API mechanism (use XMLenc/XMLdsig/whatever and SAML to
   create a SAML credential and handle authentication and key exchange
   in addition to exchanging SAML assertions, etc...)

> Anyone know of any open implementations of SOAP/WS-SECURITY Kerberos
> tokens? I have two groups here, one will go Java, and the other will
> go Perl.

Whenever I look at the OASIS WS-Security Kerberos V Token Profile my
head hurts.

Nico