mace-opensaml-users - RE: Use SAML Assertion as Kerberos Ticket
Subject: OpenSAML user discussion
- From: "Scott Cantor" <>
- To: "'Derek Atkins'" <>, "'Pham Hoai Van'" <>
- Cc: <>
- Subject: RE: Use SAML Assertion as Kerberos Ticket
- Date: Wed, 23 Mar 2005 10:30:05 -0500
- Organization: The Ohio State University
> A SAML Assertion does not include a Shared Secret with which the
> holder of the assertion (the user) can assert real-time possession.
> In other words, generally the assertions are single-use (unlike
> Kerberos tickets which are multiple use) and you handwave around the
> potential attacks by using SSL and assuming that someone on the
> network can't grab your packets, read your assertion, and replay the
> message before the original message gets to the SP.

That's true in the browser profile, not of SAML in general. SAML supports
subject confirmation via shared secret, there just aren't any common uses of
it at the moment. Public key confirmation is more common because the use
cases are often such that shared secrets don't scale.

It's not terribly hard to build something that looks a lot like a Kerberos
ticket using things like subject confirmation, audience conditions, etc.,
but it's not clear why you'd want to reinvent Kerberos. Particularly since
Kerberos at least *has* an API (even if it sucks) while with SAML you'd be
building the whole stack from scratch.

-- Scott
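
Added example, not part of the original message and not OpenSAML code: a sketch of how a service provider could treat the two cases discussed above, enforcing the audience condition and validity window and allowing a bearer assertion only once while letting a key-confirmed one be reused. It assumes SAML 2.0 confirmation-method URNs, that the issuer's signature was verified beforehand, and that proof of key possession happens elsewhere; `accept`, `seen_ids`, `key_proven` and the sample assertion are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample assertion (not from the thread); signature omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2005-03-23T15:30:00Z">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-03-23T15:30:00Z" NotOnOrAfter="2005-03-23T15:35:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # Handles whole-second UTC timestamps only, as used in the sample.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept(xml_text, sp_entity_id, now, seen_ids, key_proven=False):
    """Return (ok, reason). Assumes the issuer signature was already verified."""
    a = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted input
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions"
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not (nb and na) or not (_ts(nb) <= now < _ts(na)):
        return False, "outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "wrong audience"
    methods = {sc.get("Method") for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS)}
    if HOLDER_OF_KEY in methods:
        # A captured copy is useless without the confirmed key, so this
        # example permits reuse once possession is proven (a policy choice).
        return (True, "holder-of-key") if key_proven else (False, "no key proof")
    if BEARER in methods:
        # Bearer: whoever holds the XML can present it, so allow one use only.
        if a.get("ID") in seen_ids:
            return False, "replay"
        seen_ids.add(a.get("ID"))
        return True, "bearer"
    return False, "unsupported confirmation method"
```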