Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos & SAML John Hughes, - PowerPoint PPT Presentation

Nov 12, 2023 •163 likes •239 views

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos & SAML John Hughes, Entegrity Solutions Tim Alsop, CyberSafe Limited Current Document Progress Two documents : Generalised AuthnRequest Profiles Working Draft 02, 1st February 2004

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos & SAML John Hughes, Entegrity Solutions Tim Alsop, CyberSafe Limited
Current Document Progress ● Two documents : ● Generalised AuthnRequest Profiles ● Working Draft 02, 1st February 2004 ● draft-sstc-solution-profile-kerberos-02 ● Kerberos SAML Profiles ● Working Draft 02, 1st February 2004 ● draft-sstc-solution-profile-kerberos-02
Initial Use Cases
Scope : draft-sstc-solution-profile-kerberos-?? ● Provide a secure and trusted mechanism to pass a user identity to the SAML Responder via the SAML Service so that an artifact or assertion can be returned using the authenticated identity of the user. ● Provide a secure and trusted mechanism to allow the SAML Service to communicate with the SAML Responder; ● Provide secure sessions (e.g. mutual authentication, data integrity, confidentiality, channel binding, replay attack detection) between the authentication and authorisation related infrastructure components required for a SAML deployment; ● Implement a Single SignOn (“SSO”) experience for users - especially useful when the workstation and/or server operating systems have a Kerberos implementation available and multiple vendors operating systems are used; ● Take advantage of the credential delegation/forwarding capability in the Kerberos protocol to pass credentials securely from middle tier to back- end tier application and infrastructure components; ● Provide a secure approach for passing a SAML Assertion to an application that is Kerberos enabled.
DCE PAC Schema <?xml version='1.0' encoding='UTF-8' ?>  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="sstc-saml-schema-dce-pac-2.0-cs.xsd" > <xs:element name="ForeignGroup"> <xs:complexType> <xs:sequence> <xs:element name="Realm" type="string" minOccurs="1" maxOccurs="1"/> <xs:element name="GroupName" type="string" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
NameIdentifier Syntax ? 1) <saml:Subject> <saml:NameIdentifier NameQualifier="http://www.cybersafe.ltd.uk/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"> talsop@CYBERSAFE.LTD.UK </saml:NameIdentifier> 2) <saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:DCE" NameQualifier=“MyRealm">jhughes </saml:NameIdentifier>
Outstanding : ● Microsoft Kerberos PAC authorisation data mapping ● Binding Kerberos credentials to SAML Assertion – how/why ? ● More details on Kerberos/GSS-API bindings ● Take advantage of any existing Liberty, WSS, Microsoft Passport Kerberos related standards/drafts ● Future ● Site to Site (e.g. cross realm) trust ● Other …

Recommend

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides

Cooperatives, SSE and SSTC Anita Amorim Head of ESPU, PARDEV, ILO South South and Triangular

Cooperatives, SSE and SSTC Anita Amorim Head of ESPU, PARDEV, ILO South South and Triangular Cooperation (SSTC) Definition: Partnership among equals involving a learning process or exchange of expertise derived from effective

537 views • 22 slides

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides

OASIS SB Program Open Season On ramp Overview How to get on OASIS OASIS Program Management Office

U.S. General Services Administration OASIS SB Program Open Season On ramp Overview How to get on OASIS OASIS Program Management Office Slide Deck Version: July 10, 2018 1 OASIS and OASIS Small Business OASIS and OASIS Small Business (SB) are

763 views • 41 slides

Google<-SAML->Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Summer Webinar Series Google<-SAML->Zscaler Integration Dianne Dunlap (ddunlap@mcnc.org, 919-248-8439) Client Network Engineering Webinar Links: www.mcnc.org/cne-webinars Google<-SAML->Zscaler Integration Agenda n What is

899 views • 63 slides

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest / Hungary Agenda Education & Research Identity Federations SAML Terminology Overview of SAML auth call flow WebRTC Identity model

1.09k views • 52 slides

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides

SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline

Fondation RESTENA euroCAMP 04 April 2006 SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline SAML 1.1 overview Abstract operations vs. SAML profile Abstract operations: changes since

165 views • 14 slides

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides

Kerberos & X.509 11

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides

UBL Update Jon Bosak Sun Microsystems http:// oasis- open.org / OASIS Symposium on the

UBL Update Jon Bosak Sun Microsystems http:// oasis- open.org / OASIS Symposium on the committees/ ubl Future of XML Vocabularies New Orleans, 25 April 2005 The Universal Business Language (UBL) International effort to define a

632 views • 10 slides

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID Terminology OpenID OpenID OpenID Consumer Identity Provider SAML 2.0 Terminology SAML 2.0 SAML 2.0 Service Provider Identity Provider What is

427 views • 16 slides

New Business Basics: Payroll Presented by Emily Palmquist with Oasis Outsourcing 1 OUR MISSION

New Business Basics: Payroll Presented by Emily Palmquist with Oasis Outsourcing 1 OUR MISSION A recognized 501c(3) nonprofit organization founded and operated by Veterans in 2004 Missouri * Iowa * Kansas * Nebraska To train, mentor, and

430 views • 18 slides

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

667 views • 20 slides

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading assignment: Chapters 13-14 G. Noubir, Network Security Kerberos Outline Kerberos V4 Kerberos V5 G. Noubir, Network Security Kerberos 2 What is

1.16k views • 9 slides

Web Services Reliability Options A Comparison of Web Services Reliable Messaging Specifications

Web Services Reliability Options A Comparison of Web Services Reliable Messaging Specifications OASIS WSRM TC May 7, 2004 Acknowledgements We thank the OASIS board of directors for this opportunity to respond to the IBM presentation made

365 views • 22 slides

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

11/27/17 Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27, 2017 Sprenkle - CSCI325 1 Kerberos Trusted third party, runs by default on port 88 Security objects: Ticket: token, verifying

407 views • 30 slides

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl eans Projet SDS - LIFO et ENSI de Bourges nicolas.greneche@univ-orleans.fr 11/07/2011 Sommaire Pourquoi Kerberos ? 1 Les acteurs 2 Le

497 views • 22 slides