Difference between revisions of "Projects/KerberosInSAML"
From K5Wiki
< Projects
(New page: {{project-early}} <includeonly>Category: early stage projects</includeonly> ==Background== Extend S4U2Self to permit the issuing a Kerberos ticket to a service given a SAML assertio...) |
(→Architecture) |
||
| Line 8: | Line 8: | ||
==Architecture== |
==Architecture== |
||
| + | |||
| + | ===Protocol=== |
||
| + | |||
| + | PA-S4U-SAML-USER::= SEQUENCE { |
||
| + | user-id[0] S4UUserID, |
||
| + | checksum[1] Checksum, |
||
| + | } |
||
| + | |||
| + | S4UUserID ::= SEQUENCE { |
||
| + | nonce [0] INTEGER, -- the nonce in KDC-REQ-BODY |
||
| + | cname [1] PrincipalName OPTIONAL, |
||
| + | -- Assertion mapping hints |
||
| + | crealm [2] Realm, |
||
| + | saml-assertion [3] OCTET STRING OPTIONAL, |
||
| + | options [4] BIT STRING OPTIONAL... |
||
| + | } |
||
| + | |||
| + | The ASN.1 encoding is identical to PA-S4U-X509-USER and we anticipate the same encoding routines can be used. |
||
==Implementation== |
==Implementation== |
||
Revision as of 11:53, 3 September 2009
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.
Background
Extend S4U2Self to permit the issuing a Kerberos ticket to a service given a SAML assertion for that service. The resulting ticket can be used with constrained delgation to delegate to other services.
Architecture
Protocol
PA-S4U-SAML-USER::= SEQUENCE {
user-id[0] S4UUserID, checksum[1] Checksum,
}
S4UUserID ::= SEQUENCE {
nonce [0] INTEGER, -- the nonce in KDC-REQ-BODY
cname [1] PrincipalName OPTIONAL,
-- Assertion mapping hints
crealm [2] Realm,
saml-assertion [3] OCTET STRING OPTIONAL,
options [4] BIT STRING OPTIONAL...
}
The ASN.1 encoding is identical to PA-S4U-X509-USER and we anticipate the same encoding routines can be used.
