Even if the wire interoperability
were easier than it is, the granularity suggested by
the concept of principal is too ?¬?ne to be practical across loosely
coupled business partners. Despite the limited extensibility beyond
corporate and business-to-business scenarios, the threeheaded
architecture (user, KDC, service) introduced by Kerberos
is an important step in the process that will eventually bring us
to truly portable identity. Fins are looking more and more similar
to legs at this point.
SAML
The Security Assertion Markup Language, or SAML, made its
appearance as the OASIS standard in 2002 but gained the most
momentum in 2003, with the rati?¬?cation of version 1.1 of the
speci?¬?cation. The current version of the speci?¬?cation, SAML
2.0, represents convergence with other technologies and extends
its original scope. For the sake of this section, we focus
mainly on SAML 1.1.
Kerberos works
very well in a local
network but does
not model well the
pluralism of authorities
on the Internet
The Babel of Cryptography 77
One of the main reasons for the emergence of SAML in the ?¬?rst
place was the pressing need of addressing cross-domain Web
single sign on. Single sign on, or SSO, can be de?¬?ned as the
capability of accessing multiple resources that require authentication
while requiring the user to go through the authentication
experience only once.
Pages:
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146