	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cosign with multiple kerberos realms

To: Ben Poliakoff <benp@xxxxxxxx>
Subject: Re: cosign with multiple kerberos realms
From: Brett Lomas <b.lomas@xxxxxxxxxxxxxx>
Date: Fri, 11 Mar 2005 10:15:39 +1300
Cc: cosign-discuss <cosign-discuss@xxxxxxxxx>
In-reply-to: <20050310194743.GQ3816@tristero.reed.edu>
References: <20050310194743.GQ3816@tristero.reed.edu>

I don't believe it has.

Having said that most of the code will handle multiple realms already.
The only problem i could see with this how you handle an application
getting an incorrect kerberos ticket (in a realm it know nothing about).
e.g. a user chooses to authenticate to realm A and accesses web service
X which is part of realm B and get a kerberos ticket from the cosign
server for A. The possibly needs to be a mechanism for the webservers to
requests a ticket in a certain realm, and if not there get the user to
re-authenticate in that realm?? Unless you can build kerberos trust?
(not sure on this)

Brett

On Fri, 2005-03-11 at 08:47, Ben Poliakoff wrote:
> I haven't been able to find much info about how cosign might be able to
> work with multiple krb5 realms.
> 
> Googling about, I found a proposal:
> 
>     http://www.umich.edu/~umweb/software/cosign/media/proposal.rtf
> 
> ...that includes a bullet item:
> 
>     "User selects authentication type and Kerberos realm."
> 
> Has such functionality (login page featuring a drop down menu of
> realms) ever been implemented?
> 
> Ben

Follow-Ups:
- Re: cosign with multiple kerberos realms
  - From: Ben Poliakoff

References:
- cosign with multiple kerberos realms
  - From: Ben Poliakoff

Prev by Date: cosign with multiple kerberos realms
Next by Date: Re: cosign with multiple kerberos realms
Previous by thread: cosign with multiple kerberos realms
Next by thread: Re: cosign with multiple kerberos realms
Index(es):
- Date
- Thread