...
- Specifications and information available here.
- An example use case is allowing printing service printer.example.com (the Consumer), to access private photos stored on photos.example.net (the Service Provider) without requiring Users to provide their photos.example.net credentials to printer.example.com.
- Does not prescribe or constrain the mechanism used by the Service Provider to authenticate the browser user.
- The Service Provider MAY need a GUI allowing the to identify which resources are being shared with the Consumer site.
- The Service Provider MUST have a GUI where the user approaves sharing the resources with the Consumer.
- oAuth COULD serve as a design model for a possible approach.
n-tier (no Browser Redirection)
Kerberos
- Equivalent functionality is currently available with CoSign and Stanford's WebAuth.
- Consequently, the issues and approaches are already known, but complex.
- Because of how kerberos is typically deployed, this approach is probably only relevant to intra-domain situations.
- Use Shibboleth to transport a Kerberos ticket to SP-A as an attribute; SP-A then presents the ticket to the backend service.
- This approach relies on Keberos' existing support for delegation; the ticket must already be a "delegated ticket".