shibboleth-dev - Re: authentication authority

Subject: Shibboleth Developers

Re: authentication authority


  • From: Von Welch <>
  • To:
  • Cc: "'Tom Scavo'" <>
  • Subject: Re: authentication authority
  • Date: Fri, 7 Oct 2005 08:11:27 -0500


On Oct 6, 2005, at 10:30 AM, Scott Cantor wrote:

> It seems like what you're really trying to do is address a pair of issues,
> and I think inventing a new protocol to get an authentication assertion and
> sticking that in a certificate is probably overkill for both.
>
> You seem to be aiming at:
>
> - supporting pseudonymity using transient subject names
>
> - getting a subject name into the certificate that will be understood by the
> SAML authority later
>
> Those goals are separable, of course.

Agreed. Mostly I'm concerned with the second.

> One way of doing this that solves both issues is essentially what the
> LionShare CA does, using the self-encrypted handle generator to build an ID
> at the CA that can be decrypted by the SAML authority. Personally, I think
> that's the easiest solution.

My issue with this approach, if I understand the mechanics correctly, and this is purely an issue with today's implementations, is that the Shib AA demuxes on the Format attribute to call the appropriate namemapper plugin. Since the encrypted handle approach shares with the default Shib Handle, in practice this means a Shib IdP can do one or the other. Meaning if we go this route, folks have to use a non-default IdP configuration (encrypted vs regular handles).

Now I understand from a technology perspective, it should all just work, but I'm concerned from a deployment perspective that if we tell folks, "you can use our stuff, you just have to change how your IdP does handles for all clients and SPs" they are very likely to go "yeah, right" and even if they do take this path, they end up in a murky backwoods of the community since it's not the Shibboleth default.

> Alternatively, this seems more like a use case for the SAML 2
> NameIdentifierMapping protocol, perhaps extended a bit. What you want isn't
> an authentication assertion, you just want a NameID that is valid for a
> particular principal in a particular format.

Yes, what I'm getting at is how does one bind two "Names", which may be different formats and/or domains, together. One way to do that is to put the Name that is meaningful to the AA into an X509 cert, essentially binding those two names.

You're right it doesn't have to be a full authn assertion, probably just a subset of that XML.

Von

> Then you can just put that name
> in the certificate subject.
>
> -- Scott
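The self-encrypted handle idea Scott mentions, together with the Format-keyed mapper dispatch Von describes, as a constructed Python sketch added to this archive page; it is not Shibboleth's or LionShare's code, and the cipher construction (HMAC-SHA256 keystream plus a separate MAC), the Format URI and the demo key are assumptions for illustration.

```python
import base64, hashlib, hmac, json, os, time
from typing import Optional

# Constructed demo key: the IdP derives separate encryption and MAC keys from it,
# so only the IdP/AA side can decrypt a handle or forge a valid one.
IDP_KEY = b"constructed-demo-key-do-not-reuse"
ENC_KEY = hashlib.sha256(b"enc" + IDP_KEY).digest()
MAC_KEY = hashlib.sha256(b"mac" + IDP_KEY).digest()
FORMAT_ENCRYPTED = "urn:example:shib:encrypted-handle"  # assumed Format URI

def _keystream(nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only).
    out = b"".join(hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def make_handle(principal: str, lifetime_s: int = 3600, now=None) -> str:
    """IdP/CA side: encrypt (principal, expiry) into an opaque, MAC-protected handle."""
    exp = int(now if now is not None else time.time()) + lifetime_s
    plain = json.dumps({"p": principal, "exp": exp}).encode()
    nonce = os.urandom(16)  # fresh nonce makes each handle transient/unlinkable
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def resolve_handle(handle: str, now=None) -> Optional[str]:
    """AA side: check the MAC before decrypting; reject tampered or expired handles."""
    try:
        raw = base64.urlsafe_b64decode(handle.encode())
    except Exception:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        return None
    rec = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))))
    if int(now if now is not None else time.time()) >= rec["exp"]:
        return None
    return rec["p"]

# The AA demuxes on the NameID Format to pick a namemapper; an unknown Format maps to nothing.
NAME_MAPPERS = {FORMAT_ENCRYPTED: resolve_handle}

def map_name_id(fmt: str, value: str, now=None) -> Optional[str]:
    mapper = NAME_MAPPERS.get(fmt)
    return mapper(value, now) if mapper else None

def cert_subject_for(principal: str, now=None) -> str:
    """Bind the AA-meaningful name into an X.509-style subject string (demo CA)."""
    return "CN=" + make_handle(principal, now=now) + ",O=constructed-demo-ca"
```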
