logo_kerberos.gif

Difference between revisions of "Projects/KerberosInSAML"

From K5Wiki
Jump to: navigation, search
(Architecture)
(Protocol)
Line 11: Line 11:
 
===Protocol===
 
===Protocol===
   
  +
<pre>
 
PA-S4U-SAML-USER::= SEQUENCE {
 
PA-S4U-SAML-USER::= SEQUENCE {
 
user-id[0] S4UUserID,
 
user-id[0] S4UUserID,
Line 24: Line 25:
 
options [4] BIT STRING OPTIONAL...
 
options [4] BIT STRING OPTIONAL...
 
}
 
}
  +
</pre>
   
The ASN.1 encoding is identical to PA-S4U-X509-USER and we anticipate the same encoding routines can be used.
+
The ASN.1 encoding is identical to PA-S4U-X509-USER.
   
 
==Implementation==
 
==Implementation==

Revision as of 10:53, 3 September 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Background

Extend S4U2Self to permit the issuing a Kerberos ticket to a service given a SAML assertion for that service. The resulting ticket can be used with constrained delgation to delegate to other services.

Architecture

Protocol

PA-S4U-SAML-USER::= SEQUENCE { 
   user-id[0] S4UUserID, 
   checksum[1] Checksum,               
} 
 
S4UUserID ::= SEQUENCE { 
   nonce [0] INTEGER, -- the nonce in KDC-REQ-BODY 
   cname [1] PrincipalName OPTIONAL,  
                 -- Assertion mapping hints 
   crealm [2] Realm, 
   saml-assertion [3] OCTET STRING OPTIONAL,  
   options [4] BIT STRING OPTIONAL... 
} 

The ASN.1 encoding is identical to PA-S4U-X509-USER.

Implementation

Open issues

Status