I suggested having the EAP because it is what we are using for authentication; however, I think that using one of the existing authentication methods is probably sufficient. The IdP would need to know how to map from the EAP method used to a SAML Authentication Context profile, but that is out of scope for our group.

Jim

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Josh Howlett
> Sent: Friday, August 19, 2011 2:45 AM
> To: [email protected]
> Subject: Re: [abfab] EAP naming attribute document
>
> Jim,
>
> >I note that this document focuses on the AttributeStatement exclusively.
> >While I don't see any need to have AuthzDecisionStatements to be
> >exposed, is there going to be a desire to expose the contents of
> >AuthenStatements - Authentication statements?
>
> I agree. Section 5.2 should be generalised to deal with SAML statements in
> general.
>
> >Doing so would allow for an IdP to advertise to the server exactly what
> >EAP method was used in authenticating the client.
>
> I don't think there's a SAML Authentication Context defined for EAP, let
> alone the multitude of methods. However, like you say, it might actually be
> useful to define one. Perhaps a composite value consisting of the EAP type
> plus one of the existing SAML Authentication Contexts to signal the type of
> credential?
>
> Josh.
>
> JANET(UK) is a trading name of The JNT Association, a company limited by
> guarantee which is registered in England under No. 2881024 and whose
> Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot,
> Oxfordshire. OX11 0SG
>
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
