Josh,

You said something at the last meeting that took me a couple of days to process and figure out that I might have some type of problem. I really would like to be able to send SAML request messages after the EAP has completed. However, there are situations where it might not be feasible, and I think this needs to be discussed.

If the acceptor is not told the identity of the client, then it would be unable to send a SAML request at a later point in time. If the request is sent along with the EAP conversation, then the EAP server knows the identity of the client. However, after the EAP conversation has finished, I would not expect the EAP server to send a state token to allow for a continuation of the conversation. In order to deal with this case, it may be that the EAP server will need to provide an anonymous identity to the acceptor that it can later correlate back to the actual identity of the client. Such a provider could be an encrypted token.

Jim

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
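The pseudonym-then-correlate flow sketched in the message above (the EAP server hands the acceptor an opaque identity, the acceptor presents it later with a SAML request, and only the EAP server can map it back to the real client), worked through as an added example in Python. This is not code from the thread or from any ABFAB/GSS-EAP implementation. Everything beyond the message's own idea is an assumption: the token is bound to the acceptor's name and carries an expiry, the cipher is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag (stdlib only; a deployment would use an AEAD such as AES-GCM), the SAML AttributeQuery is represented as a dict rather than XML, and `EapServer`, `alice@idp.example`, the acceptor names, secrets and directory contents are constructed.

```python
# Added example, not code from the abfab thread or from any ABFAB/GSS-EAP implementation:
# an encrypted, authenticated pseudonym that only the EAP server can map back to the real
# client identity. Acceptor binding, expiry, the cipher construction and all names are assumptions.
import base64
import hashlib
import hmac
import json
import os
import time

SAML_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def _derive_key(master_secret: bytes, label: bytes) -> bytes:
    """Purpose-specific key from the server's master secret (HMAC-based derivation)."""
    return hmac.new(master_secret, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher (a deployment would use an AEAD)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

class EapServer:
    """Mints opaque pseudonyms for the acceptor and correlates them back on request."""
    NONCE_LEN, TAG_LEN = 16, 32

    def __init__(self, master_secret: bytes):
        self._enc_key = _derive_key(master_secret, b"abfab-pseudonym-enc")
        self._mac_key = _derive_key(master_secret, b"abfab-pseudonym-mac")

    def mint_pseudonym(self, real_identity: str, acceptor_name: str, lifetime: int = 3600, now=None) -> str:
        """Encrypt-then-MAC the real identity, bound to one acceptor and an expiry (both assumptions)."""
        now = time.time() if now is None else now
        payload = json.dumps({"sub": real_identity, "aud": acceptor_name, "exp": now + lifetime}).encode()
        nonce = os.urandom(self.NONCE_LEN)  # fresh per mint: two sessions' tokens are not linkable
        ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(self._enc_key, nonce, len(payload))))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()

    def resolve_pseudonym(self, pseudonym: str, acceptor_name: str, now=None) -> str:
        """Verify the tag before decrypting; refuse tokens minted for another acceptor or expired."""
        now = time.time() if now is None else now
        raw = base64.urlsafe_b64decode(pseudonym)
        if len(raw) <= self.NONCE_LEN + self.TAG_LEN:
            raise ValueError("malformed pseudonym")
        nonce, ciphertext, tag = raw[:self.NONCE_LEN], raw[self.NONCE_LEN:-self.TAG_LEN], raw[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()):
            raise ValueError("pseudonym failed integrity check")
        payload = json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(self._enc_key, nonce, len(ciphertext)))))
        if payload["aud"] != acceptor_name:
            raise ValueError("pseudonym was issued to a different acceptor")
        if payload["exp"] < now:
            raise ValueError("pseudonym has expired")
        return payload["sub"]

def rejection_reason(server: EapServer, pseudonym: str, acceptor_name: str, now=None):
    """None if the server would correlate the pseudonym, otherwise the reason it refuses."""
    try:
        server.resolve_pseudonym(pseudonym, acceptor_name, now)
        return None
    except ValueError as exc:
        return str(exc)

def build_attribute_request(acceptor_name: str, pseudonym: str, attributes) -> dict:
    """Acceptor side, after EAP has finished: a SAML AttributeQuery-shaped request (dict stand-in
    for the XML) that names the subject only by the opaque pseudonym it was given."""
    return {"Issuer": acceptor_name, "Subject": {"NameID": pseudonym, "Format": SAML_TRANSIENT},
            "Attributes": list(attributes)}

def handle_attribute_request(server: EapServer, request: dict, directory: dict, now=None) -> dict:
    """Server side: correlate the pseudonym back to the user and answer from its directory."""
    identity = server.resolve_pseudonym(request["Subject"]["NameID"], request["Issuer"], now)
    record = directory[identity]
    return {attr: record[attr] for attr in request["Attributes"] if attr in record}

def demo(now: float = 1_700_000_000.0) -> dict:
    """Whole flow: EAP completes, acceptor keeps only the pseudonym, queries ten minutes later."""
    server = EapServer(master_secret=os.urandom(32))
    acceptor = "gss-acceptor.example.net"
    pseudonym = server.mint_pseudonym("alice@idp.example", acceptor, now=now)  # handed over with EAP success
    request = build_attribute_request(acceptor, pseudonym, ["displayName", "eduPersonAffiliation"])
    directory = {"alice@idp.example": {"displayName": "Alice", "eduPersonAffiliation": "staff"}}  # constructed
    return handle_attribute_request(server, request, directory, now=now + 600)

def demo_failure_modes(now: float = 1_700_000_000.0) -> list:
    """Why correlation is refused: tampering, wrong acceptor, expiry; the last entry is a valid use."""
    server = EapServer(master_secret=b"\x42" * 32)  # constructed secret
    token = server.mint_pseudonym("alice@idp.example", "acceptor-a.example", lifetime=3600, now=now)
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[EapServer.NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    return [rejection_reason(server, tampered, "acceptor-a.example", now),
            rejection_reason(server, token, "acceptor-b.example", now),
            rejection_reason(server, token, "acceptor-a.example", now + 7200),
            rejection_reason(server, token, "acceptor-a.example", now + 60)]
```

`demo()` runs the exchange end to end: the acceptor never learns `alice@idp.example`, only the token, yet its later attribute request is answered because the EAP server holds the master secret and can decrypt the subject. Two mints for the same user produce different tokens (random nonce), so the acceptor cannot link sessions by token either, and `demo_failure_modes()` shows the server refusing a tampered token, a token minted for a different acceptor, and an expired one.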
