Status: Work in progress
Introduction: Kerberos Tickets for Middle Tiers
Many non- (or pre-) SAML web signon systems (Stanford WebAuth, Duke WebAuth, Pubcookie, CoSign) support authentication requirements of three-tier configurations using Kerberos. In a typical setup a user signs on to a web-based application server, such as a webmail server; the webmail server needs to access the user's mail store, which requires Kerberos authentication as the user. The web signon system provides a Kerberos credential for the user to the application server in some fashion, alongside the regular user SSO mechanism, so the application server can access the backend resource (the user's mail store in the webmail case) as the user.
It is useful to provide a similar mechanism in Shibboleth both to the meet the needs of Shib-only sites wanting to use Kerberos at middle tiers, and to meet the needs of sites that want to switch from other web SSOs. As with other Shibboleth protocol proposals, it is attractive to design this mechanism to be a credible SAML standard profile, so that other implementations could confidently implement it.
This section contains a list of potential desirable features, in no particular order or priority. Also, some features may conflict with other features. Advocates for particular features are encouraged to provide expanded descriptions as appropriate.
Work with existing SAML protocol messages (as opposed to requiring new ones).
Work with unmodified KDCs, including all popular ones (at least MIT, Heimdal, Microsoft Active Directory).
Protect against common threats (theft, replay) in all Shib-supported SAML profiles (artifact, POST, attribute pull and push).
Provide control over which middle tiers are able to get Kerberos tickets, for which services.
Deliver Kerberos tickets to middle tiers that are for the named backend services they need to access. Handle cases where the name of the backend server depends on the user or some other runtime factor.
Support SSO so the user doesn't have to re-enter username/password when going to a new middle-tier service that requires Kerberos tickets.
Make Kerberos tickets/keys available to middle-tier apps in ways that are easy/natural for those apps to use.
Work in load-balanced/replicated environments, both on the Shib IdP side and on the middle-tier/webapp side.
Support cases where user initial authentication to the Shib IdP is not via username/password (eg Kerberos, certificate).
Support user notification and control over whether a Kerberos ticket is made available to a middle-tier, with always/one-time/never options.
Support constrained delegation scenarios, where Kerberos ticket given to middle tier is limited in what it can be used for.
Support user- and/or administrator-initiated destruction of Kerberos tickets held by middle tiers.
Work in multi-realm/cross-realm Kerberos deployments.
Work in many SAML-assertion-carrying protocol scenarios: SAML 2.0, SAML 1.1, WS-Federation, Information Cards.
Provide a framework that will support token types other than Kerberos.