Re: Kerberized authorization service - Kerberos



Thread: Re: Kerberized authorization service

  1. Re: Kerberized authorization service

    >Recently, I had a couple of my student employees work up a
    >proof-of-concept using SAML (with a kerb auth as part of the payload)
    >as the protocol -- since SAML seems like a more likely future direction
    >for a standardized auth protocol than something I threw together one
    >night in 1990


    I am not that sure, actually. Every time I look at SAML, I re-remember
    my biggest issue with it - the spec is frickin' huge (379 pages for all
    of the documents for SAML 2.0). Also, it's rather "webby" ... I mean,
    the protocol is based on HTTP? You need an XML library? And it seems
    that you probably need SOAP in there as well. Every example I've seen
    of it clearly is web-oriented. I guess I see the advantage to using
    it when you have an already-bloated web server, but cramming all of
    that into sshd? Ugh.

    Okay, you'll bring up points about code reuse, complying with a
    standard, having someone else design the protocol, etc etc ... yeah, I
    don't disagree with you on all that. But it just seems like a whole
    mess of baggage you're getting when a home-grown protocol will be
    simpler to understand, easier to maintain, and overall less work.

    --Ken

  2. Re: Kerberized authorization service


    Ken Hornstein writes:
    > I am not that sure, actually. Every time I look at SAML, I re-remember
    > my biggest issue with it - the spec is frickin' huge (379 pages for all
    > of the documents for SAML 2.0). Also, it's rather "webby" ... I mean,
    > the protocol is based on HTTP? You need an XML library? And it seems
    > that you probably need SOAP in there as well. Every example I've seen
    > of it clearly is web-oriented. I guess I see the advantage to using
    > it when you have an already-bloated web server, but cramming all of
    > that into sshd? Ugh.


    i remember sitting in on an early vendor SAML presentation about
    implementation/deployment for coalition forces.

    at the end, i went up to talk to the person doing the presentation (cto
    or some other person from the vendor) and commented that the message
    flows looked exactly like cross-domain kerberos (except using SAML
    formatted messages). after some further discussion, he conceded that
    there are only so many ways that such a thing could be accomplished.

    kerberos was done in project athena at mit with equal funding by two
    computer companies (there were two project athena assistant directors,
    one from each vendor). somewhat as a result we would get to periodically
    go by and review what was going on. one week we were there, got to
    participate in early design sessions for cross-domain kerberos.

    one of the assistant directors i had worked with at the science
    center ... at the time of project athena was down the street ... but
    earlier had been at 545 tech sq ... misc. past references
    http://www.garlic.com/~lynn/subtopic.html#545tech

    for other topic drift ... gml had been invented at the science center in
    1969 and subsequently morphed into sgml, html, xml, and saml. misc.
    past references
    http://www.garlic.com/~lynn/subtopic.html#sgml

    and for even more topic drift ... misc. posts about kerberos
    and pk-init
    http://www.garlic.com/~lynn/subpubkey.html#kerberos
