shibboleth-dev - RE: SAML delegation profiles draft-01 uploaded

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Shibboleth Development'" <>
  • Cc: <>
  • Subject: RE: SAML delegation profiles draft-01 uploaded
  • Date: Mon, 3 Oct 2005 11:12:24 -0400
  • Organization: The Ohio State University

Moving all discussion of this document to shibboleth-dev...

> This suggests that the delegatable tokens (kerb service tickets) are
> available at step 3 when the user identifies themselves to the IdP. Would
> it be possible to "hotwire" the process so that step 3 can feed any
> delegatable tokens into steps 4 and 7?

Sure, but that's not this use case. I'm not talking about transporting
tickets in SAML. That doesn't work in a federated scenario either, which is
a presumption of this document.

> I appreciate this is a pubcookie Kerberos specific example however I
> think it is likely that delegatable authentication tokens will be
> available at the login step rather than at the attribute aggregation
> step.

I think we're talking about different use cases. There's nothing in this
document that uses attributes to carry delegation tokens, the assertions are
the tokens.

We don't use Kerberos like that here so I'm not equipped to be writing up
profiles that pass around Kerberos tickets, I wouldn't know what I was
talking about. If somebody wants to do that, they're welcome to do so.

-- Scott



