>>>>> "Luke" == Luke Howard <[email protected]> writes:
Luke> On 20/04/2012, at 6:08 PM, Sam Hartman wrote:
>> The delegated credential handle coming out of gss_accept_sec_context
>> should include a credential element with the appropriate
>> delegation. As far as how you request the delegation, we don't
>> currently have a good story for that.
Luke> You can defer the delegation until you try to initiate a
Luke> security context with the delegated credential handle. That's
Luke> the design for S4U2Proxy in MIT (Nico's idea, not mine).
Luke> Or are you talking about something else... I guess this
Luke> doesn't work if you need to know you'll delegate at the time
Luke> of the initial authentication.
I was assuming you needed to know at time of initial auth.
However, I don't know whether that is true for SAML.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab