Arguably, the correct complement to GSS pre-authentication is an authorisation data type that contains an exported GSS composite name (i.e. including the attributes).
You could then have a Kerberos authorisation data plugin on the service that does gss_import_name(GSS_C_NT_COMPOSITE_EXPORT) and forwards get_name_attribute() appropriately. This is conceptually quite elegant. The authorisation data plugins would be simpler than the SAML one, because they don't need to deal with third-party trust (i.e. this authorisation data type would always be issued by the KDC).
And, although the implementation is quite different, there's no reason why the behaviour should be any different as far as the service is concerned: it would still see the same attributes.
-- Luke
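The two halves of the design Luke sketches above, as an added example that is not part of the original message and not code from krb5 or Heimdal: the KDC side packs an exported composite name into an authorization-data element, and the service side imports it and answers the attribute queries a plugin would forward to gss_get_name_attribute(). The token header and name fields follow the RFC 2743 exported-name layout with the RFC 6680 composite token ID; the attribute section after them is an assumed layout (RFC 6680 leaves it mechanism-specific), the ad-type number is made up, the plugin hook signature is hypothetical, and the principal and attributes are constructed sample data. The plugin refuses elements that did not come from the KDC-sealed part of the ticket, since the point of this element is that only the KDC issues it.

```python
import struct

# Token ID for an exported composite name: RFC 6680 section 7.2.5 reuses the
# RFC 2743 section 3.2 exported-name framing with 0x04 0x02 in place of 0x04 0x01.
TOKEN_ID_COMPOSITE_EXPORT = b"\x04\x02"
# DER encoding of the Kerberos V5 GSS mechanism OID 1.2.840.113554.1.2.2
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")
# Assumed ad-type number for the element; nothing like it is registered.
AD_GSS_COMPOSITE_NAME = 0x7FFF


def _lv(data):
    """4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def export_composite_name(name, attrs, mech_oid_der=KRB5_MECH_OID_DER):
    """KDC side: build the exported composite name that becomes ad-data.
    Header, mech OID and name follow RFC 2743 3.2. The attribute section
    (attribute count, then per attribute: URN, value count, values) is an
    assumed layout, as RFC 6680 leaves that part mechanism-specific."""
    out = TOKEN_ID_COMPOSITE_EXPORT
    out += struct.pack(">H", len(mech_oid_der)) + mech_oid_der
    out += _lv(name)
    out += struct.pack(">I", len(attrs))
    for urn, values in attrs.items():
        out += _lv(urn) + struct.pack(">I", len(values))
        for value in values:
            out += _lv(value)
    return out


class _Reader:
    """Bounds-checked cursor so a short or oversized length can't overrun."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated composite name token")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def lv(self):
        return self.take(self.u32())

    def done(self):
        return self.pos == len(self.buf)


class CompositeName:
    """Service side: what gss_import_name(GSS_C_NT_COMPOSITE_EXPORT) would hand
    back, with the two calls the plugin forwards: inquire and get attribute."""
    def __init__(self, mech_oid_der, name, attrs):
        self.mech_oid_der = mech_oid_der
        self.name = name
        self._attrs = attrs

    @classmethod
    def import_token(cls, token):
        r = _Reader(token)
        if r.take(2) != TOKEN_ID_COMPOSITE_EXPORT:
            raise ValueError("not a composite export token")
        mech = r.take(r.u16())
        name = r.lv()
        attrs = {}
        for _ in range(r.u32()):
            urn = r.lv()
            attrs[urn] = [r.lv() for _ in range(r.u32())]
        if not r.done():
            raise ValueError("trailing bytes after composite name token")
        return cls(mech, name, attrs)

    def inquire_name(self):
        """Sorted attribute URNs, as gss_inquire_name would list them."""
        return sorted(self._attrs)

    def get_name_attribute(self, urn):
        """All values of one attribute (gss_get_name_attribute iterates with a
        'more' flag; here the whole list comes back at once). None if absent."""
        return list(self._attrs[urn]) if urn in self._attrs else None


def imports_cleanly(token):
    """True if the token parses, False if import rejects it."""
    try:
        CompositeName.import_token(token)
        return True
    except ValueError:
        return False


def authdata_plugin(ad_elements, kdc_issued):
    """Hypothetical plugin hook. ad_elements is a list of (ad-type, ad-data)
    pairs as decoded from the ticket; kdc_issued says they came from the
    KDC-sealed enc-part rather than the client's authenticator. Anything the
    client could have supplied itself is ignored, and so is an ambiguous
    ticket carrying more than one such element."""
    if not kdc_issued:
        return None
    found = [data for (ad_type, data) in ad_elements if ad_type == AD_GSS_COMPOSITE_NAME]
    if len(found) != 1:
        return None
    return CompositeName.import_token(found[0])


# Constructed sample: the element the KDC would issue for one principal.
SAMPLE_ATTRS = {
    b"urn:example:role": [b"admin", b"developer"],
    b"urn:example:department": [b"Engineering"],
}
SAMPLE_TOKEN = export_composite_name(b"alice@EXAMPLE.COM", SAMPLE_ATTRS)
SAMPLE_TICKET_AD = [(4242, b"unrelated element the plugin must skip"),
                    (AD_GSS_COMPOSITE_NAME, SAMPLE_TOKEN)]

if __name__ == "__main__":
    imported = authdata_plugin(SAMPLE_TICKET_AD, kdc_issued=True)
    print(imported.name.decode(), imported.inquire_name())
    print(imported.get_name_attribute(b"urn:example:role"))
```

The service never sees where the attributes came from: whether they arrived this way or through a SAML-style plugin, get_name_attribute() returns the same values, which is the point of the message above. The length checks in the reader are the part worth keeping in a real plugin, since ad-data is attacker-shaped bytes until the enc-part has been decrypted and verified.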