Shibboleth Authentication with 2-way trusted domains

Cantor, Scott cantor.2 at
Wed Nov 30 13:46:05 UTC 2022

Cross-domain Kerberos is tricky in general, and it's somewhat easy to open up security holes doing it, but AFAIK Java supports it. We support KDC verification with follow-on ticket requests, so that is pretty essential if you want to do it safely.

Myself, I have never done it. I have used Kerberos more than most and still do, but nobody at OSU has ever allowed use of trusts so I've never had to explore it.

None of it is anything to do with the IdP, it's purely a matter of Kerberos configuration.

-- Scott

