...
n-tier (no Browser Redirection)
Kerberos
- This discussion has been dormant for some time; info available here.
- Equivalent functionality is currently available with CoSign and Stanford's WebAuth.
- Consequently, the issues and approaches are already known, but complex.
- Because of how Kerberos is typically deployed, this approach is probably only relevant to intra-domain situations.
- Use Shibboleth to transport a Kerberos ticket to SP-A as an attribute; SP-A then presents the ticket to the backend service.
- No constraints on the protocol stacks SP-A uses to communicate with the backend.
- This approach relies on Kerberos' existing support for delegation; the ticket must already be a "delegated ticket".
...
- Not Browser based.
- Flow originates at the client (no Authn Request from the SP).
- Client contacts IdP over SOAP, requests Assertions for specific SP.
- Client authenticates to IdP with Cardspace? As defined by ECP ?
- Client POSTs the Assertions to the SP (this is the first interaction with the SP)
- SP Validates the Assertions (what does it check? holder-of-key ?)
- SP returns a cookie to the client.
NOTE -- this is NOT Web Services Security -- itis NOT using SOAP message security or the WS stack.
- As described, this is not yet n-tier. However, with a bit of recursion, it could be:
- Extend the IdP with a new endpoint that could "update" the presented token (similar in concept to the idea in Scott's original Delegated Credentials Profile)
- Embed a client in the mid-tier; have it present the received Assertion to the IdP for "updating".
- Modify the SP implementaiton to recognize tht an Assertion contains a second Subject (meaning a delegated Assertion).