shibboleth-dev - Re: Shibboleth and Kerberos Tickets

Subject: Shibboleth Developers

  • From: "RL 'Bob' Morgan" <>
  • To: Shibboleth Dev Team <>
  • Subject: Re: Shibboleth and Kerberos Tickets
  • Date: Thu, 12 Jul 2007 09:36:38 -0700 (PDT)


On Wed, 11 Jul 2007, Chad La Joie wrote:

> I'm pretty much a Kerb noob, so maybe this is a silly question, but isn't it the case that this feature would only be usable intra-organizationally (unless you wanted to do realm trust relationships)? Not that such a limit makes this unworthy of pursuit, but I just want to make sure I understand things correctly.

Right, the KDC (or KDCs?) that are issuing the tickets passed along by the IdP to the middle tier would have to be able to issue tickets consumable by the backend service. In typical Kerberos usage today that would mean that both the backend service and the user would be principals in that one KDC. Kerberos can certainly be set up in a multi-realm way, and some sites run that way (using AD mostly, probably). I don't think this would have any impact on the proposed work, but I've added it as a desired feature.

- RL "Bob"



