Resurrecting SAMLInKerberos branch

Luke Howard lukeh at
Thu Mar 31 08:37:40 EDT 2011

Apologies for the cross-posting.

Back in 2009 I did some work on supporting SAML in Kerberos authorisation data  (

Anyway, after the recent work with Moonshot, I thought it might be fun to resurrect this. Forward-porting it to trunk was not too difficult, but I took this opportunity to surface SAML attributes via the new Shibboleth resolver, rather than exposing the raw SAML. (The GSS EAP mechanism exposes both, but for reasons of expediency I chose to do only the former in the Kerberos case.) The resolver allows one to filter the SAML attributes through some local policy.

So, running the sample gss-server app, one might see:

Attribute local-login-user Authenticated 

Attribute local-login-shell Authenticated 

Attribute cn Authenticated 
Luke Howard

Put this together with:

* a GSS naming extensions ACL plugin for OpenLDAP
* a SASL GS2 bridge that dynamically advertises available GSS mechanisms (and allows the initiator's GSS name to be surfaced through the SASL context)
* patches to MIT and Heimdal that offer "gss_userok" on top of naming extensions, used by OpenSSH (cf. "local-login-user" above)
* other mechanisms supporting surfacing SAML attributes via naming extensions

and you can start to do some pretty interesting things with not a lot of code.

The code is in the users/lhoward/saml2 branch. There's still a bit of dead code that needs pruning there. The interesting stuff is in src/plugins/authdata/saml_{client,server}.


-- Luke
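As an added example (not code from the users/lhoward/saml2 branch or from the MIT/Heimdal patches), the shape of the gss_userok decision the post describes, written in Python over a constructed attribute table: the attribute names are the ones gss-server prints above, while the values, the allow-list and the AttrValue fields are assumptions.

```python
# Added illustration, not MIT/Heimdal code: a gss_userok-style check and a
# local filtering step built on GSS naming-extension attributes.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AttrValue:
    value: str
    authenticated: bool   # the "Authenticated" flag gss-server prints per attribute
    complete: bool = True


# One GSS name's attribute table: attribute name -> values. Constructed sample;
# in the real API each row would come from gss_get_name_attribute().
NameAttrs = Dict[str, List[AttrValue]]

LOCAL_LOGIN_USER = "local-login-user"


def apply_local_policy(attrs: NameAttrs, allowed: Set[str]) -> NameAttrs:
    """Local policy in the spirit of the resolver filter the post mentions:
    keep only allow-listed attributes, and within them only authenticated values."""
    return {
        name: [v for v in values if v.authenticated]
        for name, values in attrs.items()
        if name in allowed and any(v.authenticated for v in values)
    }


def userok(attrs: NameAttrs, local_user: str) -> bool:
    """True iff an authenticated, complete local-login-user value equals local_user.
    Exact match only; an unauthenticated (self-asserted) value never grants access."""
    for v in attrs.get(LOCAL_LOGIN_USER, []):
        if v.authenticated and v.complete and v.value == local_user:
            return True
    return False


# Constructed sample table (the "sudo-role" row is deliberately unauthenticated).
SAMPLE_ATTRS: NameAttrs = {
    LOCAL_LOGIN_USER: [AttrValue("lukeh", authenticated=True)],
    "local-login-shell": [AttrValue("/bin/zsh", authenticated=True)],
    "cn": [AttrValue("Luke Howard", authenticated=True)],
    "sudo-role": [AttrValue("admin", authenticated=False)],
}

if __name__ == "__main__":
    policy = apply_local_policy(SAMPLE_ATTRS, {LOCAL_LOGIN_USER, "local-login-shell", "cn"})
    for name, values in policy.items():
        print("Attribute", name, [v.value for v in values])
    print("userok(lukeh):", userok(policy, "lukeh"))
```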
