Difference between revisions of "Projects/KerberosInSAML"
From K5Wiki
(→Protocol) |
Line 5: | Line 5: | ||
==Background== |
==Background== |
− | Extend S4U2Self to permit the issuing a Kerberos ticket to a service given a SAML assertion for that service. The resulting ticket can be used with constrained delgation to delegate to other services. |
+ | Specify and implement a means for embedding Kerberos tickets in SAML assertions. |
==Architecture== |
==Architecture== |
− | |||
− | ===Protocol=== |
− | |||
− | <pre> |
− | PA-S4U-SAML-USER::= SEQUENCE { |
− | user-id[0] S4UUserID, |
− | checksum[1] Checksum, |
− | } |
− | |||
− | S4UUserID ::= SEQUENCE { |
− | nonce [0] INTEGER, -- the nonce in KDC-REQ-BODY |
− | cname [1] PrincipalName OPTIONAL, |
− | -- Assertion mapping hints |
− | crealm [2] Realm, |
− | saml-assertion [3] OCTET STRING OPTIONAL, |
− | options [4] BIT STRING OPTIONAL... |
− | } |
− | </pre> |
− | |||
− | The ASN.1 encoding is identical to PA-S4U-X509-USER, however we will use a different padata type to avoid conflicts with [MS-SFU]. |
==Implementation== |
==Implementation== |
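Review bot: the replacement Background sentence reverses the data flow of the original text (a Kerberos ticket embedded in a SAML assertion, instead of a SAML assertion presented to the KDC to obtain a ticket through S4U2Self), but the Architecture section is emptied rather than rewritten, so the Implementation heading that follows now has no protocol definition to refer to. Suggest either leaving a one-line pointer under Architecture to where the new embedding format will be specified, or keeping the removed PA-S4U-SAML-USER / S4UUserID definitions under a note that they describe the superseded approach; as the revision stands, a reader cannot tell whether the checksum-bound saml-assertion field and its mapping hints are abandoned or merely deferred.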
Revision as of 04:00, 27 October 2009
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.
Background
Specify and implement a means for embedding Kerberos tickets in SAML assertions.