I note that this document focuses on the AttributeStatement exclusively. While I don't see any need to have AuthzDecisionStatements exposed, is there going to be a desire to expose the contents of AuthnStatements (Authentication statements)?

Doing so would allow an IdP to advertise to the server exactly what EAP method was used in authenticating the client. This may be of interest to the server if it wishes to know what level of authentication was obtained in order to determine whether access should be allowed. Specifically, some servers may have a policy that says the client needs to validate to the IdP using two-factor authentication or better (Level 3 for NIST SP 800-63), or access will be denied as being insufficiently authenticated.

Jim

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
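The server-side policy sketched in the message, a relying party inspecting the AuthnStatement of a SAML assertion and refusing access below a required level, as an added example that is not part of the thread or of any ABFAB implementation. The SAML assertion is constructed inline, and the mapping from AuthnContext class to assurance level is an assumed local policy table, not something the SAML or ABFAB specifications define.

```python
# Added example (not from the abfab thread): a server-side policy check over the
# AuthnStatement of a SAML 2.0 assertion. The level mapping below is an assumed
# local policy, not something the SAML or ABFAB specifications define.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
NS = {"saml": SAML}

# Assumed policy table: AuthnContext class -> assurance level (unknown classes map to 0).
CONTEXT_LEVEL = {
    AC + "PasswordProtectedTransport": 2,  # single-factor password over TLS
    AC + "TimeSyncToken": 3,               # password plus time-synchronised OTP
    AC + "SmartcardPKI": 4,
}
REQUIRED_LEVEL = 3  # "two-factor or better" as in the message above

def authn_context_refs(assertion_xml: str) -> list:
    """Collect every AuthnContextClassRef carried in the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS) if e.text]

def access_decision(assertion_xml: str, required: int = REQUIRED_LEVEL) -> tuple:
    """Return (allowed, reason). No AuthnStatement, or only unknown context
    classes, is treated as insufficiently authenticated rather than as a pass."""
    refs = authn_context_refs(assertion_xml)
    if not refs:
        return False, "assertion carries no AuthnStatement"
    level = max(CONTEXT_LEVEL.get(r, 0) for r in refs)
    if level < required:
        return False, f"authentication level {level} is below required {required}"
    return True, f"authentication level {level} meets required {required}"

def sample_assertion(context_ref: str) -> str:
    """Constructed assertion with one AttributeStatement and one AuthnStatement."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">
    <saml:AttributeValue>member</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  <saml:AuthnStatement AuthnInstant="2011-01-01T00:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>{context_ref}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for ref in (AC + "PasswordProtectedTransport", AC + "TimeSyncToken"):
        print(ref.rsplit(":", 1)[-1], access_decision(sample_assertion(ref)))
```

An assertion that carries only an AttributeStatement yields a deny, which is the safe default when the IdP has not advertised how the client authenticated.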
