[OpenAFS] Re: authenticating using AD servers hidden behind firewall

Russ Allbery rra@stanford.edu
Thu, 07 Jun 2012 18:16:11 -0700


John Tang Boyland <boyland@pabst.cs.uwm.edu> writes:

> Our institution uses "Shibboleth" for off campus authentication,
> since it keeps the AD (and thus Kerberos) servers hidden behind
> a firewall.  Does anyone know how to have OpenAFS use Shibboleth
> for authentication?

The short version is that you can't.

The long version is that Shibboleth per se is specifically and exclusively
for web authentication and doesn't support authenticating any other
protocol.  It does use an underlying security protocol called SAML that
could be used to authenticate other protocols.  However, you then still
have three problems:

1. So far, the work to use SAML for other protocols is at a very
   preliminary phase, although in progress.  For something like AFS, you
   would want to have a GSS-API profile for SAML, which I believe some
   people may be working on, but which is far from ready to use.

2. The current releases of AFS only support Kerberos through AFS's
   internal rxkad security protocol.  You have to use direct Kerberos;
   nothing else is supported.  Work is underway on a new AFS security
   protocol called rxgk, which would allow use of any GSS-API protocol for
   AFS authentication.  However, this work is not yet complete or ready to
   deploy.

3. It's unlikely any of your existing Shibboleth infrastructure can do
   "pure" SAML for use with another protocol right now.  You'd have to
   write local glue to do that.  (It's possible someone else has already
   done this.)

Note that you'd have the same issue with any other file system protocol
that I'm aware of.  I don't think either NFS or CIFS could support SAML
authentication at this point either.  (Although I'm not sure what the
state of CIFS is in combination with Microsoft's federation support.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>