Hi,

What I think is missing in the documents is the SAML profile for abfab.
The architecture document says that SAML requests may or may not appear
as RADIUS attributes in the request, but it is quite ambiguous. The home
AAA server has to know if a SAML attribute, authentication or
authorization statement should be returned, and it has to be specified
in the RADIUS request.
I mean, there should be, in some place, a description of the SAML queries
to be used, the statement to be returned and, for example, whether they have to be
signed or encrypted. It could also imply a problem if the assertion is
too big to be transported over the RADIUS message (even if fragmentation
occurs).

Regards, Gabi.


On 19/08/11 09:31, Jim Schaad wrote:
> I note that this document focuses on the AttributeStatement exclusively.
> While I don't see any need to have AuthzDecisionStatements to be exposed, is
> there going to be a desire to expose the contents of AuthenStatements -
> Authentication statements?
>
> Doing so would allow for an IdP to advertise to the server exactly what EAP
> method was used in authenticating the client.  This may be of interest to
> the server if it wishes to know what level of authentication was obtained in
> order to determine if access should be allowed.   Specifically, some servers
> may have policy that says that the client needs to validate to the IdP using
> two-factor authentication or better (Level 3 for NIST SP 800-63) or access
> will be denied as being insufficiently authenticated.
>
> Jim
>
>
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab


-- 
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]
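The two concerns raised in this thread, a RADIUS server that wants to enforce "two-factor or better" from an AuthnStatement and an assertion that may not fit in a RADIUS packet even when split into attributes, can be checked mechanically. The following is an added example, not code from the abfab drafts, this list or either author; it builds a constructed SAML 2.0 assertion with xml.etree, evaluates its AuthnContextClassRef against a locally defined policy set (the class URIs are the standard SAML authentication-context classes, but which ones count as "two-factor or better" is an assumption of the example), and estimates the RADIUS fragmentation using the RFC 2865 limits of 253 value octets per attribute and 4096 octets per packet. The IdP URL, attribute names and padding attributes are constructed.

```python
# Added example (not from the abfab thread or any IETF draft): builds a minimal SAML 2.0
# assertion carrying both an AuthnStatement and an AttributeStatement, then performs two
# checks a RADIUS/AAA relying party might want, as discussed on the list:
#   1. does the AuthnContextClassRef satisfy a local "two-factor or better" policy?
#   2. does the serialized assertion fit in one RADIUS packet once split into
#      253-octet attribute fragments?
# RADIUS framing constants (20-octet packet header, 2-octet attribute header,
# 253 value octets per attribute, 4096-octet packet) come from RFC 2865.
# Names, URIs and the policy table below are constructed for the example.

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed policy: which standard SAML 2.0 AuthnContext classes the local server
# accepts as "two-factor or better". A real deployment decides this itself.
ACCEPTABLE_AUTHN_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}

RADIUS_MAX_PACKET = 4096   # RFC 2865 maximum packet length
RADIUS_HEADER = 20         # code, identifier, length, authenticator
ATTR_HEADER = 2            # type + length octets
ATTR_MAX_VALUE = 253       # 255 - ATTR_HEADER


def build_assertion(authn_context, attributes, n_padding_attrs=0):
    """Constructed sample assertion (unsigned, no Conditions); returns UTF-8 bytes."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", {"Version": "2.0", "ID": "_example"})
    ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer").text = "https://idp.example.org/idp"
    authn = ET.SubElement(assertion, f"{{{SAML_NS}}}AuthnStatement",
                          {"AuthnInstant": "2011-08-19T09:31:00Z"})
    ctx = ET.SubElement(authn, f"{{{SAML_NS}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML_NS}}}AuthnContextClassRef").text = authn_context
    attr_stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attributes.items():
        a = ET.SubElement(attr_stmt, f"{{{SAML_NS}}}Attribute", {"Name": name})
        ET.SubElement(a, f"{{{SAML_NS}}}AttributeValue").text = value
    # Constructed padding attributes, used only to simulate an oversized assertion.
    for i in range(n_padding_attrs):
        a = ET.SubElement(attr_stmt, f"{{{SAML_NS}}}Attribute", {"Name": f"urn:example:pad{i}"})
        ET.SubElement(a, f"{{{SAML_NS}}}AttributeValue").text = "x" * 200
    return ET.tostring(assertion, encoding="utf-8")


def authn_meets_policy(assertion_xml):
    """Return (ok, reason). A missing AuthnStatement is a failure: without it the
    RADIUS server has no basis to enforce an authentication-strength policy."""
    root = ET.fromstring(assertion_xml)
    refs = root.findall("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if not refs:
        return False, "no AuthnStatement/AuthnContextClassRef present"
    ctx = (refs[0].text or "").strip()
    if ctx in ACCEPTABLE_AUTHN_CONTEXTS:
        return True, ctx
    return False, f"authentication context {ctx} below required level"


def radius_fragments_needed(payload):
    """Number of 253-octet attribute fragments needed to carry payload."""
    return -(-len(payload) // ATTR_MAX_VALUE)   # ceiling division


def fits_in_radius_packet(payload):
    """True if payload, split into attributes, fits in one RADIUS packet
    (ignoring the other attributes the packet must also carry)."""
    n = radius_fragments_needed(payload)
    return RADIUS_HEADER + n * ATTR_HEADER + len(payload) <= RADIUS_MAX_PACKET


if __name__ == "__main__":
    small = build_assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
                            {"urn:example:affiliation": "member"})
    big = build_assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:Password", {}, n_padding_attrs=30)
    for label, a in (("small", small), ("big", big)):
        ok, reason = authn_meets_policy(a)
        print(f"{label}: {len(a)} octets, {radius_fragments_needed(a)} fragments, "
              f"fits={fits_in_radius_packet(a)}, policy ok={ok} ({reason})")
```

The size check is deliberately optimistic: a real Access-Request also carries EAP-Message, State and other attributes, so the usable budget for the assertion is smaller than 4096 octets, which is the practical reason the assertion-size question needs an answer in a profile rather than being left to fragmentation.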
