shibboleth-dev - RE: Keberos redirection at WAYF
Subject: Shibboleth Developers
List archive
- From: "caleb racey" <>
- Subject: RE: Keberos redirection at WAYF
- Date: Mon, 27 Mar 2006 17:35:58 +0100
Hi Josh,
That is very interesting work.
We would certainly be interested in any further info or developments.
We have produced guides for Shib + Pubcookie + kerb against Active Directory;
see the kerb section of
http://iamsect.ncl.ac.uk/deliverables/docs/pubcookie_install/ar01s02.html#id2529665
We did have problems upgrading from AD 2000 to AD 2003, as it changes when
it uses TCP instead of UDP to represent large tickets (produced when the user
is in many groups or has a large domain), and this baffles most default Unix
kerb clients. We also had problems with the default enctype chewing up 8-bit
characters like "£" in passwords.
We would be more than happy to test these issues on the WAYF. Do you have any
docs on how to configure the "Kerberos cross-realm trust [that] must exist
between each IdP and the WAYF"?
>-----Original Message-----
>From: Josh Howlett
>Sent: 27 March 2006 13:59
>
>Subject: Keberos redirection at WAYF
>
>Hi folks,
>
>I've recently added experimental Kerberos (Negotiate) redirection
>support to SWITCH's excellent WAYF implementation.
>
>http://www.switch.ch/aai/wayf/
>
>The WAYF detects whether the browser supports Kerberos authentication; if
>so, it attempts to match the principal's Kerberos realm against known
>realms listed in the Federation metadata. If it finds a match, it
>automatically redirects the browser to the IdP's SSO server. If the
>browser does not support Negotiate, or no match is found, it falls
>back to the web GUI.
>
>This is an experiment in two things:
>
>1. Try to improve the user experience
>
>If the IdP's SSO server also supports Negotiate, then the user
>experience is seamless: the browser is automatically redirected from SP
>to WAYF to IdP and back to SP without *any* user interaction.
>
>2. Try to increase scalability of federations
>
>The chances of a user incorrectly selecting the wrong IdP increase as
>the federation grows in size. Kerberos redirection takes the
>IdP-selection decision out of users' hands.
>
>The patch requires a Negotiate enabled web server; it has been tested
>with Apache 2 and mod_auth_kerb running on RHEL4, a Windows 2000 KDC,
>and IE5+ (Windows) and Firefox (Windows, Linux). The browser must be
>configured to permit Negotiate authentication against the WAYF. A
>Kerberos cross-realm trust must exist between each IdP and the WAYF
>(however, note that no Kerberos trusts are required between IdPs!). A
>mix of Kerberised and non-Kerberised IdPs is fine.
>
>Please note that this has not yet been tested on any significant scale,
>caveat emptor.
>
>If you have any queries or suggestions, please drop me a line.
>
>Thanks to Luke Haemmerle @ SWITCH for incorporating the patch.
>
>best regards, josh.
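The redirection decision Josh describes (principal's realm matched against federation realms, else fall back to the GUI), as an added example that is not part of this thread or of the SWITCH WAYF (which is PHP, not Python). The realm-to-SSO table, the hostnames and the `choose_redirect`/`realm_of` names are constructed assumptions; `REMOTE_USER` is the principal mod_auth_kerb exposes after a successful Negotiate exchange, and the forwarded parameter names are the Shibboleth 1.x WAYF request parameters.

```python
"""Kerberos realm -> IdP redirection decision modelled on the WAYF behaviour
described above. Constructed example: the realm table and URLs are assumed."""
from typing import Mapping, Optional
from urllib.parse import urlencode

# Assumed realm -> IdP SSO endpoint table (the real WAYF takes this from
# federation metadata). Kerberos realm names are case-sensitive, so they
# are stored exactly as the KDC issues them and matched exactly.
REALM_TO_SSO: Mapping[str, str] = {
    "EXAMPLE.AC.UK": "https://idp.example.ac.uk/shibboleth-idp/SSO",
    "OTHER.EDU": "https://idp.other.edu/shibboleth-idp/SSO",
}

# Parameters a Shibboleth 1.x SP sends to the WAYF and that the WAYF
# forwards unchanged to the chosen IdP's SSO endpoint.
FORWARDED_PARAMS = ("shire", "target", "providerId", "time")


def realm_of(principal: str) -> Optional[str]:
    """Realm of a principal such as 'alice@EXAMPLE.AC.UK'; None if absent."""
    if "@" not in principal:
        return None
    # Split on the last '@' so an enterprise-style 'a@b@REALM' yields REALM.
    realm = principal.rsplit("@", 1)[1]
    return realm or None


def choose_redirect(remote_user: Optional[str], wayf_params: Mapping[str, str],
                    realms: Mapping[str, str] = REALM_TO_SSO) -> Optional[str]:
    """Return the IdP SSO URL to redirect to, or None meaning: show the GUI.

    remote_user is REMOTE_USER as set by mod_auth_kerb; it is trusted only
    because mod_auth_kerb already verified the ticket via cross-realm trust.
    """
    if not remote_user:                       # browser did not Negotiate
        return None
    realm = realm_of(remote_user)
    if realm is None or realm not in realms:  # realm not in the federation
        return None
    # Forward only the SP's own parameters; anything else is dropped.
    query = {k: wayf_params[k] for k in FORWARDED_PARAMS if k in wayf_params}
    if "shire" not in query or "providerId" not in query:
        return None                           # malformed WAYF request: GUI
    return f"{realms[realm]}?{urlencode(query)}"
```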