> Another possibility which has been discussed previously is to use EAP pre-auth, which the UMU folks have been experimenting with, composed with IAKERB. The KDC mints a TGT containing the SAML authdata from the AAA server, which it hands to the client via the service (which optionally may also provide a fast re-auth ticket).
Yes, in many respects this is much simpler than what I was proposing (notwithstanding the complexity of implementing EAP preauth).
Currently, the SAML KDC plugin does not insert the SAML authorisation data on an AS-REQ (based on the assumption that you issue SP-specific assertions in the SAML model). So it would be possible for a pre-auth plugin to do this and they could play together nicely.
Alternatively the SAML and GSS preauthentication plugins could share a private interface through which the GSS initiator name (and thus access to the AAA assertion) would be available.
-- Luke