Resurrecting SAMLInKerberos branch

Luke Howard lukeh at padl.com
Thu Mar 31 08:37:40 EDT 2011


Apologies for the cross-posting.

Back in 2009 I did some work on supporting SAML in Kerberos authorisation data (http://k5wiki.kerberos.org/wiki/Projects/SAMLInKerberos).

Anyway, after the recent work with Moonshot, I thought it might be fun to resurrect this. Forward-porting it to trunk was not too difficult, but I took this opportunity to surface SAML attributes via the new Shibboleth resolver, rather than exposing the raw SAML. (The GSS EAP mechanism exposes both, but for reasons of expediency I chose to do only the former in the Kerberos case.) The resolver allows one to filter the SAML attributes through some local policy.

So, running the sample gss-server app, one might see:

Attribute local-login-user Authenticated 
lukeh
6c756b6568

Attribute local-login-shell Authenticated 
/bin/tcsh
2f62696e2f74637368

Attribute cn Authenticated 
Luke Howard
4c756b6520486f77617264

Put this together with:

* a GSS naming extensions ACL plugin for OpenLDAP
* a SASL GS2 bridge that dynamically advertises available GSS mechanisms (and allows the initiator's GSS name to be surfaced through the SASL context)
* patches to MIT and Heimdal that offer "gss_userok" on top of naming extensions, used by OpenSSH (cf. "local-login-user" above)
* other mechanisms supporting surfacing SAML attributes via naming extensions

and you can start to do some pretty interesting things with not a lot of code.

The code is in the users/lhoward/saml2 branch. There's still a bit of dead code that needs pruning there. The interesting stuff is in src/plugins/authdata/saml_{client,server}.

regards,

-- Luke

