[16735] in Kerberos_V5_Development


Resurrecting SAMLInKerberos branch

daemon@ATHENA.MIT.EDU (Luke Howard)
Thu Mar 31 08:37:56 2011

From: Luke Howard <lukeh@padl.com>
Date: Thu, 31 Mar 2011 23:37:40 +1100
Message-Id: <B7040FE3-2B35-469F-A343-0C0C7334F14D@padl.com>
To: krbdev@mit.edu,
   Moonshot community list <MOONSHOT-COMMUNITY@JISCMAIL.AC.UK>
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Apologies for the cross-posting.

Back in 2009 I did some work on supporting SAML in Kerberos authorisation data  (http://k5wiki.kerberos.org/wiki/Projects/SAMLInKerberos).

Anyway, after the recent work with Moonshot, I thought it might be fun to resurrect this. Forward-porting it to trunk was not too difficult, but I took this opportunity to surface SAML attributes via the new Shibboleth resolver, rather than exposing the raw SAML. (The GSS EAP mechanism exposes both, but for reasons of expediency I chose to do only the former in the Kerberos case.) The resolver allows one to filter the SAML attributes through some local policy.

So, running the sample gss-server app, one might see:

Attribute local-login-user Authenticated 
lukeh
6c756b6568

Attribute local-login-shell Authenticated 
/bin/tcsh
2f62696e2f74637368

Attribute cn Authenticated 
Luke Howard
4c756b6520486f77617264

Put this together with:

* a GSS naming extensions ACL plugin for OpenLDAP
* a SASL GS2 bridge that dynamically advertises available GSS mechanisms (and allows the initiator's GSS name to be surfaced through the SASL context)
* patches to MIT and Heimdal that offer "gss_userok" on top of naming extensions, used by OpenSSH (cf. "local-login-user" above)
* other mechanisms supporting surfacing SAML attributes via naming extensions

and you can start to do some pretty interesting things with not a lot of code.

The code is in the users/lhoward/saml2 branch. There's still a bit of dead code that needs pruning there. The interesting stuff is in src/plugins/authdata/saml_{client,server}.

regards,

-- Luke
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
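The attribute listing in the post is the name/flags line, the display value and the raw value (hex) for each GSS name attribute. The following is an added example, not code from the post, the users/lhoward/saml2 branch or MIT Kerberos: it parses that three-line format and makes a gss_userok-style decision from it. Assumptions made here and not stated in the post: the flag word "Authenticated" carries the RFC 6680 meaning (the attribute was asserted by an authenticated source) and only such attributes are trusted; the authorisation attribute is named `local-login-user` as in the listing; the sample text, including the unauthenticated `root` entry used to show the negative case, is constructed for this example.

```python
"""Parse gss-server style name-attribute output and apply a userok check.

Added example; not part of the original post or of any Kerberos/GSS library.
Assumed output format (modelled on the listing in the post):
    Attribute <name> [flags...]
    <display value>
    <raw value, hex-encoded>
    <blank line>
"""
import binascii
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the post's listing; the final, unauthenticated
# "root" attribute is invented to exercise the rejection path.
SAMPLE_OUTPUT = """\
Attribute local-login-user Authenticated
lukeh
6c756b6568

Attribute local-login-shell Authenticated
/bin/tcsh
2f62696e2f74637368

Attribute cn Authenticated
Luke Howard
4c756b6520486f77617264

Attribute local-login-user
root
726f6f74
"""


@dataclass(frozen=True)
class GssNameAttribute:
    name: str
    authenticated: bool   # assumed to map to RFC 6680's "authenticated" flag
    display_value: str
    raw_value: bytes


_HEADER = re.compile(r"^Attribute (\S+)(?:\s+(.*))?$")
# Conservative shape for a local account name (assumption, not a GSS rule).
_LOCAL_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_attributes(text: str) -> List[GssNameAttribute]:
    """Turn the printed listing into structured attributes.

    The hex line is the raw attribute value; for these string-valued
    attributes it must round-trip to the display value, otherwise the
    listing is corrupt and we refuse to use it.
    """
    lines = [line.rstrip() for line in text.splitlines()]
    attrs: List[GssNameAttribute] = []
    i = 0
    while i < len(lines):
        m = _HEADER.match(lines[i])
        if not m:
            i += 1          # blank or unrelated line
            continue
        if i + 2 >= len(lines):
            raise ValueError("truncated attribute block at line %d" % (i + 1))
        name = m.group(1)
        flags = (m.group(2) or "").split()
        display = lines[i + 1]
        raw = binascii.unhexlify(lines[i + 2])
        if raw.decode("utf-8") != display:
            raise ValueError("raw/display mismatch for attribute %s" % name)
        attrs.append(GssNameAttribute(name, "Authenticated" in flags, display, raw))
        i += 3
    return attrs


def userok(attrs: List[GssNameAttribute], requested_user: str) -> bool:
    """gss_userok-style decision: allow only if an authenticated
    local-login-user attribute names exactly the requested local account."""
    for a in attrs:
        if a.name != "local-login-user":
            continue
        if not a.authenticated:
            continue    # unauthenticated assertion: ignore it, never trust it
        if not _LOCAL_USER.match(a.display_value):
            continue    # not a plausible local account name; skip
        if a.raw_value == requested_user.encode("utf-8"):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_OUTPUT)
    for attr in parsed:
        print(attr)
    print("lukeh ok:", userok(parsed, "lukeh"))
    print("root ok:", userok(parsed, "root"))
```

The comparison is done on the raw bytes rather than the display string, so a display value that happens to look like the requested account cannot be matched unless the raw attribute value is identical; an attribute that is not flagged Authenticated is ignored rather than acted on.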
