logo_kerberos.gif

Difference between revisions of "Projects/KerberosInSAML"

From K5Wiki
Jump to: navigation, search
(Protocol)
Line 5: Line 5:
 
==Background==
 
==Background==
   
Extend S4U2Self to permit the issuing a Kerberos ticket to a service given a SAML assertion for that service. The resulting ticket can be used with constrained delgation to delegate to other services.
 
  +
Specify and implement a means for embedding Kerberos tickets in SAML assertions.
   
 
==Architecture==
 
==Architecture==
 
===Protocol===
 
 
<pre>
 
PA-S4U-SAML-USER::= SEQUENCE {
 
user-id[0] S4UUserID,
 
checksum[1] Checksum,
 
}
 
 
S4UUserID ::= SEQUENCE {
 
nonce [0] INTEGER, -- the nonce in KDC-REQ-BODY
 
cname [1] PrincipalName OPTIONAL,
 
-- Assertion mapping hints
 
crealm [2] Realm,
 
saml-assertion [3] OCTET STRING OPTIONAL,
 
options [4] BIT STRING OPTIONAL...
 
}
 
</pre>
 
 
The ASN.1 encoding is identical to PA-S4U-X509-USER, however we will use a different padata type to avoid conflicts with [MS-SFU].
 
   
 
==Implementation==
 
==Implementation==

Revision as of 04:00, 27 October 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Background

Specify and implement a means for embedding Kerberos tickets in SAML assertions.

Architecture

Implementation

Open issues

Status