
wg-pic - Re: [wg-pic] PIC-wg call on Thursday, November 5, 2009

Subject: Presence and IntComm WG

  • From: Peter Saint-Andre <>
  • To:
  • Subject: Re: [wg-pic] PIC-wg call on Thursday, November 5, 2009
  • Date: Thu, 05 Nov 2009 19:54:39 -0700
  • Openpgp: url=http://www.saint-andre.com/me/stpeter.asc


On 11/5/09 6:48 PM, Tom Scavo wrote:
> On Thu, Nov 5, 2009 at 6:50 PM, Rodney McDuff
> <>
> wrote:
>> 1) create an SP which, once a user is authenticated, creates a one-time
>> password, inserts it into the XMPP server database for that user, and
>> downloads to the user a modified JNLP file with the one-time password
>> and JID in it.
>> 2) modify the Jeti application to get the one-time password and JID from
>> the JNLP file and start up Jeti pre-configured for the user with JID,
>> password (and other preferences?)
>
> Ah, this is the same technique used by the GridShib CA. In this case,
> the downloaded Java code makes an X.509 certificate request to the CA,
> which issues a short-lived end entity certificate to the client. As a
> result, the client has an X.509 credential that it can use to
> authenticate to grid services. The credential is a standard X.509
> credential so it can be used for anything really (as long as the
> relying party trusts the GridShib CA of course).
>
> An interesting twist is that the GridShib CA can bind a SAML assertion
> to the X.509 certificate. The SAML assertion can be the one obtained
> from the user's identity provider or a special assertion issued by the
> CA. The authentication context and user attributes in the X.509-bound
> SAML assertion can be used for access control at the relying party.

Have you thought about defining a mechanism for SASL authentication
using SAML credentials? Several folks have been working on that behind
the scenes and perhaps an I-D will emerge before too much longer...

Peter

--
Peter Saint-Andre
https://stpeter.im/


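Added example, not part of the original thread and not code from Jeti or any SP: a sketch of the SP side of the one-time-password flow quoted above, showing the properties that make such a password safe to ship in a downloaded file (random, short-lived, single-use, stored only as a hash). The store class, the 120-second lifetime, the codebase URL, the main-class name and the use of `<argument>` elements to carry the values are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET


class OneTimePasswordStore:
    """Stand-in for the XMPP server's credential table (hypothetical schema)."""

    def __init__(self, ttl=120, clock=time.time):
        self._ttl = ttl          # assumed lifetime in seconds; keep it short
        self._clock = clock
        self._rows = {}          # jid -> (sha256 of password, expiry time)

    def issue(self, jid):
        """Called by the SP after the user has authenticated."""
        otp = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(otp.encode()).digest()
        self._rows[jid] = (digest, self._clock() + self._ttl)
        return otp                        # plaintext leaves only via the JNLP

    def redeem(self, jid, presented):
        """Called at XMPP login; any attempt consumes the stored password."""
        row = self._rows.pop(jid, None)
        if row is None:
            return False
        digest, expiry = row
        candidate = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(digest, candidate) and self._clock() <= expiry


def render_jnlp(jid, otp):
    """Build a trimmed JNLP descriptor carrying the JID and password."""
    # codebase, jar name and main-class are placeholders, not Jeti's real values.
    jnlp = ET.Element("jnlp", spec="1.0+", codebase="https://sp.example.org/jeti/")
    resources = ET.SubElement(jnlp, "resources")
    ET.SubElement(resources, "jar", href="jeti.jar")
    app = ET.SubElement(jnlp, "application-desc", {"main-class": "example.Launcher"})
    for value in (jid, otp):
        # ElementTree escapes the text, so a hostile JID cannot inject markup.
        ET.SubElement(app, "argument").text = value
    return ET.tostring(jnlp, encoding="unicode")


if __name__ == "__main__":
    store = OneTimePasswordStore()
    jid = "alice@example.org"            # constructed sample JID
    print(render_jnlp(jid, store.issue(jid)))
```

Because the descriptor contains the plaintext password, it has to be served over TLS with caching disabled, and the lifetime should cover only the gap between download and first login.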


