Hi Marcel,
In addition to those drafts, we also have a published paper:
http://www.sciencedirect.com/science/article/pii/S092054891100016X.
This paper describes the background work we did before defining the GSS-API pre-authentication model. It also analyses other approaches that might be of interest to you.
Best regards,
Alejandro
On 31/07/13 11:54, Marcel Poul wrote:
Hi Alejandro,
Thanks for the info. I can see your work is pretty close to ours.
If I understand correctly, you have the KDC running in the organization with the service the peer wants to access? It solves SSO and reauth in the given organization.
Our approach is somewhat complementary to yours. We want to run the KDC at the peer's home org. and provide the Service (or peer, depending on the use case) with the TGT to achieve cross-org. delegation (/SSO). I am sure your work will be a good source of information for me.
Regards,
Marcel
On 07/29/2013 12:59 PM, Alejandro Perez Mendez wrote:
Hi Marcel,
As commented by Josh, we have been working on a Kerberos pre-authentication mechanism based on GSS-API and EAP. You can see it as follows: we have made the KDC become a Moonshot Relying Party, using the AAA-based federation to authenticate end users. Once the end user has been pre-authenticated, the KDC provides him with a standard TGT, which can be used within the KDC's organization to access different application servers.
You may want to check
http://tools.ietf.org/html/draft-perez-krb-wg-gss-preauth-02 and
http://tools.ietf.org/html/draft-perez-abfab-eap-gss-preauth-01
for further information.
Regards,
Alejandro
On 29/07/13 11:26, Josh Howlett wrote:
Marcel,
You may also wish to review the work already done by the University of Murcia. It is not directly related to delegation, but they have done a lot of integration of the MIT KDC with EAP and RADIUS that might be instructive.
Josh.
On 28/07/2013 14:36, "Sam Hartman" <[log in to unmask]> wrote:
"Marcel" == Marcel Poul <[log in to unmask]> writes:
Marcel> Hi Sam, we wanted to use KDC via Freeradius to send TGTs (or
Marcel> other tickets) to the client (for SSO).
OK.
I'd like to better understand your problem statement.
In general it seems that the peer and AAA server already share a credential. Kerberos might be an optimization, but I don't understand how tickets help a delegation situation where the peer is involved, since the peer could just authenticate to the EAP server again.
So, I think I'm missing something about the approach and probably about what problem you're working toward solving.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
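The flow Alejandro describes above (the KDC acting as a federation relying party, accepting an AAA/EAP authentication in place of password pre-authentication and then issuing a normal TGT that is only good inside its own organisation) can be sketched as a toy simulation. The code below is an added example written for this thread, not the University of Murcia implementation nor the drafts' wire format: the realm names `home.example` and `RP.EXAMPLE`, the service name `imap/mail.rp.example`, the user `alice` and all keys are constructed, the EAP method is reduced to a secret comparison, and Kerberos's encrypted ASN.1 tickets are replaced by HMAC-authenticated JSON so the trust boundaries stay visible. The last two checks in `demo()` go slightly beyond the message: they show why the TGT buys nothing at a service in another organisation, which is the gap Marcel's cross-org approach is aimed at.

```python
# Added toy model of the GSS/EAP pre-authentication flow described in the
# thread. Constructed illustration only: it is not the Murcia KDC code and
# replaces Kerberos's encrypted ASN.1 tickets with HMAC-authenticated JSON.
import hashlib
import hmac
import json
import secrets
import time


def _mac(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(key: bytes, payload: dict) -> dict:
    """Stand-in for a Kerberos ticket/assertion protected under `key`."""
    return {"payload": payload, "mac": _mac(key, payload)}


def unseal(key: bytes, token: dict) -> dict:
    """Verify the MAC; a holder of the wrong key cannot accept the token."""
    if not hmac.compare_digest(_mac(key, token["payload"]), token["mac"]):
        raise PermissionError("token not valid under this key")
    return token["payload"]


class AAAServer:
    """Peer's home AAA/EAP server; shares a key with each relying-party KDC."""

    def __init__(self, realm: str, users: dict, rp_keys: dict):
        self.realm, self.users, self.rp_keys = realm, users, rp_keys

    def eap_authenticate(self, user: str, secret: str, relying_party: str):
        # The real EAP method exchange is abstracted to a secret comparison.
        if not hmac.compare_digest(self.users.get(user, ""), secret):
            return None
        assertion = {"user": f"{user}@{self.realm}", "rp": relying_party,
                     "exp": time.time() + 60}
        return seal(self.rp_keys[relying_party], assertion)


class KDC:
    """KDC acting as a Moonshot relying party: the AAA assertion replaces the
    password-based pre-authentication, then ordinary TGT/TGS handling follows."""

    def __init__(self, realm: str, aaa_key: bytes, service_keys: dict):
        self.realm, self.aaa_key = realm, aaa_key
        self.name = f"krbtgt/{realm}"
        self.tgs_key = secrets.token_bytes(32)   # only this KDC can read its TGTs
        self.service_keys = service_keys          # services registered in this realm

    def as_req_with_preauth(self, assertion: dict) -> dict:
        a = unseal(self.aaa_key, assertion)
        if a["rp"] != self.name or a["exp"] < time.time():
            raise PermissionError("AAA assertion not acceptable for this KDC")
        tgt = {"cname": a["user"], "realm": self.realm, "exp": time.time() + 3600}
        return seal(self.tgs_key, tgt)

    def tgs_req(self, tgt: dict, sname: str) -> dict:
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise PermissionError("TGT expired")
        if sname not in self.service_keys:
            raise PermissionError(f"{sname} is not registered in realm {self.realm}")
        ticket = {"cname": t["cname"], "sname": sname, "realm": self.realm}
        return seal(self.service_keys[sname], ticket)


def accept_ticket(service_key: bytes, ticket: dict) -> str:
    """Application server side: returns the authenticated client name."""
    return unseal(service_key, ticket)["cname"]


def demo() -> dict:
    """Run the flow and report what worked and where the trust boundary lies."""
    kdc_key = secrets.token_bytes(32)
    aaa = AAAServer("home.example", {"alice": "s3cret"},
                    {"krbtgt/RP.EXAMPLE": kdc_key})
    imap_key = secrets.token_bytes(32)
    kdc = KDC("RP.EXAMPLE", kdc_key, {"imap/mail.rp.example": imap_key})

    assertion = aaa.eap_authenticate("alice", "s3cret", kdc.name)
    tgt = kdc.as_req_with_preauth(assertion)
    ticket = kdc.tgs_req(tgt, "imap/mail.rp.example")
    result = {"sso_client": accept_ticket(imap_key, ticket),
              "bad_password": aaa.eap_authenticate("alice", "wrong", kdc.name)}

    # A service in a different organisation never registered a key with this
    # KDC, so the TGT buys nothing there: SSO stops at the KDC's own realm.
    try:
        kdc.tgs_req(tgt, "imap/mail.other.example")
        result["cross_org"] = "ticket issued"
    except PermissionError as e:
        result["cross_org"] = str(e)

    # The ticket is also useless to a server holding the wrong key.
    try:
        accept_ticket(secrets.token_bytes(32), ticket)
        result["wrong_key"] = "accepted"
    except PermissionError:
        result["wrong_key"] = "rejected"
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the result of `demo()`: the in-realm IMAP server learns the federated client name, a wrong EAP secret yields no assertion, and both the out-of-realm service request and the wrong-key server are refused. In a real deployment the MAC-over-JSON would be Kerberos encryption under the krbtgt and service keys, and the assertion would be the EAP/GSS exchange carried in the pre-authentication data rather than a bearer token.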