> You could then have a Kerberos authorisation data plugin on the service that does gss_import_name(GSS_C_NT_COMPOSITE_EXPORT) and forwards get_name_attribute() appropriately. This is conceptually quite elegant. The authorisation data plugins would be simpler than the SAML one, because they don't need to deal with third-party trust (i.e. this authorisation data type would always be issued by the KDC).
The less elegant bit is that you now have two differently layered ways to represent an assertion in authorisation data, which could create interoperability issues. As with all layered abstractions, sometimes you want to poke a big hole in them!
-- Luke