Shibboleth Authentication with 2-way trusted domains
Cantor, Scott
cantor.2 at osu.edu
Wed Nov 30 13:46:05 UTC 2022
Cross-domain Kerberos is tricky in general, and it's somewhat easy to open up security holes doing it, but AFAIK Java supports it. We support KDC verification with follow-on ticket requests, so that is pretty essential if you want to do it safely.
Myself, I have never done it. I have used Kerberos more than most and still do, but nobody at OSU has ever allowed use of trusts so I've never had to explore it.
None of it is anything to do with the IdP, it's purely a matter of Kerberos configuration.
-- Scott