logo_kerberos.gif

Projects/KerberosInSAML

From K5Wiki
< Projects
Revision as of 10:53, 3 September 2009 by Lukeh (talk | contribs) (Architecture)

Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Background

Extend S4U2Self to permit the issuing a Kerberos ticket to a service given a SAML assertion for that service. The resulting ticket can be used with constrained delgation to delegate to other services.

Architecture

Protocol

PA-S4U-SAML-USER::= SEQUENCE { 

  user-id[0] S4UUserID, 
  checksum[1] Checksum,

}

S4UUserID ::= SEQUENCE { 

  nonce [0] INTEGER, -- the nonce in KDC-REQ-BODY 
  cname [1] PrincipalName OPTIONAL,  
                -- Assertion mapping hints 
  crealm [2] Realm, 
  saml-assertion [3] OCTET STRING OPTIONAL,  
  options [4] BIT STRING OPTIONAL...

}

The ASN.1 encoding is identical to PA-S4U-X509-USER and we anticipate the same encoding routines can be used.

Implementation

Open issues

Status

Retrieved from "https://k5wiki.kerberos.org./wiki?title=Projects/KerberosInSAML&oldid=2327"