Kerberos and SAML
One question we often get asked is how Kerberos and SAML fit together. At IETF 69 in July, we got a group of interested people together to discuss that question. Leif Johansson organized an informal session to scope out the demand for interoperability between Kerberos and SAML. At that session, we identified three areas where work is needed:
- Determining the level of assurance for Kerberos authentication. SAML has a rich way of describing which forms of authentication were used and the context in which that authentication took place. There is a desire to reuse this facility for Kerberos.
- Standardized description of authorizations. Proprietary platforms like Active Directory have platform-specific mechanisms for describing authorization. It is hoped that SAML may provide a standards-based, platform-independent way to describe authorization.
- Getting from SAML Web SSO to Kerberos tickets. If an application uses the SAML Web SSO profile, it is difficult to get from that profile to Kerberos tickets for use in backend applications. There is a desire to work on a standardized solution to this problem.
A summary of the meeting is here.
A mailing list has been organized to develop these use cases and, if there is sufficient interest, to attempt to form an IETF working group to produce standards in this space.