DelegatedCredentials

Summary quote -- "People aren't interested in real security -- they just want something that looks like security."

 There are two categories of solutions -- those where the user's browser can be redirected from the SP to the backend site, and those where teh browser cannot be redirected to the backend site (and consequently the SP must forward the user credentials over some other channel).

 Browser Redirection

 oAuth

1. Specifications and information available here.
2. An example use case is allowing printing service printer.example.com (the Consumer), to access private photos stored on photos.example.net (the Service Provider) without requiring Users to provide their photos.example.net credentials to printer.example.com.
3. Does not prescribe or constrain the mechanism used by the Service Provider to authenticate the browser user.
4. The Service Provider MAY need a GUI allowing the to identify which resources are being shared with the Consumer site.
5. The Service Provider MUST have a GUI where the user approaves sharing the resources with the Consumer.
6. oAuth COULD serve as a design model for a possible approach.

n-tier (no Browser Redirection)

Kerberos

1. Equivalent functionality is currently available with CoSign and Stanford's WebAuth.
2. Consequently, the issues and approaches are already known, but complex.
3. Because of how kerberos is typically deployed, this approach is probably only relevant to intra-domain situations.
4. Use Shibboleth to transport a Kerberos ticket to SP-A as an attribute; SP-A then presents the ticket to the backend service.
5. This approach relies on Keberos' existing support for delegation; the ticket must already be a "delegated ticket".
6.