Shibboleth Developers

["caleb racey" <>]

Hi josh

That is very interesting work 

We would certainly be interested in any further info or developments.

We have produced guides for shib + Pubcookie + kerb against Active directory 
see the kerb section of  
http://iamsect.ncl.ac.uk/deliverables/docs/pubcookie_install/ar01s02.html#id2529665

We did have problems upgrading to using AD 2003 from 2000 as it changes when 
it uses TCP instead of UDP to represent large tickets (produced when the user 
is in many groups or has a large domain) and this bafflesx most default unix 
kerb clients, we also had problems  with the default enctype chewing up 8 bit 
characters like "£"  in passwords. 

We would be more than happy to test these issues on the wayf, do you have any 
docs on how to  configure "Kerberos cross-realm trust must exist between each 
IdP and the WAYF"


>-----Original Message-----
>From: Josh Howlett 
>[mailto:]
>Sent: 27 March 2006 13:59
>To: 
>;
> 
>
>Subject: Keberos redirection at WAYF
>
>Hi folks,
>
>I've recently added experimental Kerberos (Negotiate) redirection
>support to SWITCH's excellent WAYF implementation.
>
>http://www.switch.ch/aai/wayf/
>
>The WAYF detects whether the browser support Kerberos authentication; if
>so, it attempts to match the principal's Kerberos realm against known
>realms listed in the Federation metadata. If it finds a match, it
>automatically redirects the browser to the IdP's SSO server. If the
>browser does not support Negotiate, or does not find a match, it falls
>back to the web GUI.
>
>This is an experiment in two things:
>
>1. Try to improve the user experience
>
>If the IdP's SSO server also supports Negotiate, then the user
>experience is seamless: the browser is automatically redirected from SP
>to WAYF to IdP and back to SP without *any* user interaction.
>
>2. Try to increase scalability of federations
>
>The chances of a user incorrectly selecting the wrong IdP increases as
>the federation grows in size. Kerberos redirection takes the
>IdP-selection decision out of users' hands.
>
>The patch requires a Negotiate enabled web server; it has been tested
>with Apache 2 and mod_auth_kerb running on RHEL4, a Windows 2000 KDC,
>and IE5+ (Windows) and Firefox (Windows, Linux). The browser must be
>configured to permit Negotiate authentication against the WAYF. A
>Kerberos cross-realm trust must exist between each IdP and the WAYF
>(however, note that no Kerberos trusts are required between IdPs!). A
>mix of Kerberised and non-Kerberised IdPs is fine.
>
>Please note that this has not yet been tested on any significant scale,
>caveat emptor.
>
>If you have any queries or suggestions, please drop me a line.
>
>Thanks to Luke Haemmerle @ SWITCH incorporating the patch.
>
>best regards, josh.