Business Requirements:

1. Users from domain A need to access a service in domain B.
2. Not all the users from domain A should be able to access the service in domain B; only a given group of users.
3. Users are in a Windows domain and should not be asked again to enter any credentials to access the service in domain B.

What we need to achieve is: the user logs in to his Windows machine and seamlessly accesses the service in domain B, with no additional authentication steps.

Pattern (as per the diagram above):

1 & 2: The user talks to the Kerberos KDC [TGS], authenticates and gets a Kerberos TGT. This communication with the KDC happens underneath when the user logs in to his Windows machine.

3 & 4: Using the TGT, the user program gets a Kerberos service ticket to access the STS.

5 & 6: Using the Kerberos ticket issued for the STS, the user program authenticates to the STS and obtains a SAML token via WS-Trust. The STS also carries out an authorization check to see whether the user is eligible to access the service in domain B.

7 & 8: The user program uses the obtained SAML token to authenticate to the service in domain B. The service validates that the token was issued by a trusted STS by verifying its signature.
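The following is an added illustration of steps 5 to 8 (not code from the original post): a minimal model of the STS authorization check and of the service's issuer/signature validation. It assumes the caller has already been authenticated to the STS via Kerberos (modelled by passing the principal name), a constructed group directory, and an HMAC key standing in for the STS's real XML-DSig signing key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed directory: which domain-A users belong to which groups.
DIRECTORY_GROUPS = {
    "alice": {"Domain Users", "DomainB-Service-Users"},
    "bob": {"Domain Users"},
}
ALLOWED_GROUP = "DomainB-Service-Users"      # assumed name of the eligible group
SERVICE_AUDIENCE = "https://service.domain-b.example"   # assumed service identifier
STS_ISSUER = "https://sts.domain-a.example"              # assumed STS identifier
STS_KEY = b"constructed-sts-signing-key"  # stand-in for the STS signing key (real STS: RSA/XML-DSig)

def sign(key, payload):
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()

def sts_issue_token(kerberos_principal, now=None):
    """Steps 5 & 6: the STS has authenticated the caller (Kerberos ticket, modelled as the
    principal). It applies the authorization check and signs a token only for eligible users."""
    user = kerberos_principal.split("@")[0]
    if ALLOWED_GROUP not in DIRECTORY_GROUPS.get(user, set()):
        return None  # authenticated, but not authorized for the domain-B service
    now = time.time() if now is None else now
    claims = {"issuer": STS_ISSUER, "subject": kerberos_principal, "audience": SERVICE_AUDIENCE,
              "not_before": now, "not_on_or_after": now + 300}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "signature": sign(STS_KEY, payload)}

def service_validate_token(token, trusted_issuers, now=None):
    """Steps 7 & 8: the domain-B service accepts a token only if it is signed by a trusted STS,
    is addressed to this service, and is within its validity window."""
    claims = token["claims"]
    key = trusted_issuers.get(claims.get("issuer"))
    if key is None:
        return False  # unknown issuer: no trust relationship
    payload = json.dumps(claims, sort_keys=True).encode()
    if not hmac.compare_digest(sign(key, payload), token["signature"]):
        return False  # claims were altered or signed with the wrong key
    now = time.time() if now is None else now
    return (claims.get("audience") == SERVICE_AUDIENCE
            and claims["not_before"] <= now < claims["not_on_or_after"])
```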