IETF 64 – GSS and SAML

Due to very limited internet connection, I have to be brief. Here are some of the result of my trip to IETF 64:

  • There is definitively a fairly broad interest in using SAML within the GSS-API framework.

  • A small group is currently discussing feasibility and scope of such a approach

Originally, we proposed three major modes of combining SAML with GSS:

  • An internal decoration approach: SAML assertions could be used WITHIN existing mechanisms (such as e.g. Kerberos) to carry addtional attributes associated with the principal.

  • An external decoration approach: Similar, but instead of using pre-existing extension points, use the stackable mechnism approach instead (see, kitten WG). This approach would have the clear benefit of being composable with mechnisms that do not have extension points (e.g. Username/Password).

  • A native mechnanism: A SAML AuthN statement is exclusively used. While – IMHO – most promising, this approch will be technically most challenging: first, there is no key exchange defined, second, the only crypto related XML standards (XMLDSig, XMLEnc) are – at best – poor

I will post more after XML 2005.

Leave a Reply

Your email address will not be published. Required fields are marked *