Hi Alejandro,
Thanks for the info. I can see your work is pretty close to ours. If I
understand well, you have the KDC running in the organization with the
service the peer wants to access? It solves SSO in the given
organization and reauth.
Our approach is somewhat complementary to yours. We want to run the KDC at
the peer's home org. and provide the Service (or peer, depending on the
use case) with the TGT to achieve cross-org. delegation (/SSO). Your
work, I am sure, will be a good source of information for me.
Regards,
Marcel
On 07/29/2013 12:59 PM, Alejandro Perez Mendez wrote:
> Hi Marcel,
>
> As commented by Josh, we have been working on a Kerberos
> pre-authentication mechanism based on GSS-API and EAP. You can see it as
> if we have made the KDC become a Moonshot Relying Party, using the
> AAA-based federation to authenticate end users. Once the end user has
> been pre-authenticated, the KDC provides him with a standard TGT, which
> can be used within the KDC's organization to access different application
> servers.
>
> You may want to check
> http://tools.ietf.org/html/draft-perez-krb-wg-gss-preauth-02 and
> http://tools.ietf.org/html/draft-perez-abfab-eap-gss-preauth-01 for
> further information.
>
>
> Regards,
> Alejandro
>
> On 29/07/13 11:26, Josh Howlett wrote:
>> Marcel,
>>
>> You may also wish to review the work already done by the University of
>> Murcia. It is not directly related to delegation, but they have done a lot
>> of integration of the MIT KDC with EAP and RADIUS that might be
>> instructive.
>>
>> Josh.
>>
>> On 28/07/2013 14:36, "Sam Hartman"<[log in to unmask]> wrote:
>>
>>>>>>>> "Marcel" == Marcel Poul<[log in to unmask]> writes:
>>> Marcel> Hi Sam, we wanted to use KDC via Freeradius to send TGTs (or
>>> Marcel> other tickets) to the client (for SSO).
>>>
>>> OK.
>>> I'd like to better understand your problem statement.
>>> In general it seems that the peer and AAA server already share a
>>> credential. Kerberos might be an optimization, but I don't understand
>>> how tickets help a delegation situation where the peer is involved since
>>> the peer could just authenticate to the EAP server again.
>>>
>>> So, I think I'm missing something about the approach and probably about
>>> what problem you're working toward solving.
>>
>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>> not-for-profit company which is registered in England under No. 2881024
>> and whose Registered Office is at Lumen House, Library Avenue,
>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>