Alejandro Perez Mendez wrote:
>> How do you tie the packets together?
>
> As you say below, the State attribute would do the work. Additionally,
> the "more SAML data" could contain a reference, and be included in the
> following Access-Request message. Though I think the State attribute
> would be enough.

It would be preferable, but not enough. The packet needs to be routed
through a proxy chain, so it needs to contain a User-Name attribute.

>> - user authenticates
>> - final Access-Accept contains a State attribute
>> - final Access-Accept contains an attribute "more SAML data"
> - final Access-Accept contains a Termination-Action attribute with the
> value of RADIUS-Request

I'm not sure I'd do that. Termination-Action is for *terminating* the
service. In your use-case, service would continue, but more SAML
authorization attributes would be needed.

Instead, the first Access-Accept could contain "Service-Type =
Additional-Authorization". This would be a new value indicating that
additional authorization is required for the user. The NAS would then
send requests for more data, as discussed earlier. The final
Access-Accept would contain an updated Service-Type, for the user's real
service.

> Another alternative would be the following: after the "more SAML data"
> attribute is sent, instead of performing several
> Access-Request/Access-Challenge roundtrips, perform several
> Access-Request/Access-Accept(more-SAML-data) roundtrips. I don't know if
> this procedure would go against something in the standards.

I think using Access-Challenge would be better.

  Alan DeKok.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
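The exchange sketched in the reply above (State tying the rounds together, User-Name on every Access-Request so a proxy chain can route it, a first Access-Accept announcing that additional authorization is needed, Access-Challenge for the intermediate rounds, and a final Access-Accept carrying the real Service-Type), written out as an added example; it is not code from the original post or from any ABFAB implementation. Packet framing, attribute encoding and the Response Authenticator follow RFC 2865; the Additional-Authorization Service-Type value (0xFFFF), the Vendor-Specific attribute used to carry SAML chunks (vendor id 999999, sub-type 1), the user name, the shared secret and the SAML blob are all assumptions constructed for the example. Authentication itself (password, EAP) is not modelled: a State-less Access-Request stands in for the round in which the user has just authenticated.

```python
"""Hypothetical model of a multi-round RADIUS authorization exchange (added example)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11      # RFC 2865 packet codes
USER_NAME, SERVICE_TYPE, STATE, VENDOR_SPECIFIC = 1, 6, 24, 26   # RFC 2865 attribute types
SERVICE_TYPE_LOGIN = 1                                           # RFC 2865 "Login" value
# Hypothetical: the proposed Service-Type value and a Vendor-Specific sub-attribute for SAML chunks.
SERVICE_TYPE_ADDITIONAL_AUTHZ = 0xFFFF
SAML_VENDOR_ID, SAML_CHUNK_SUBTYPE = 999999, 1


def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs; the length octet covers type+length+value."""
    out = bytearray()
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value exceeds 253 octets (RFC 2865 section 5)")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs back into [(type, value)], rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def saml_chunk_attr(chunk):
    """Wrap one SAML chunk in the hypothetical Vendor-Specific attribute."""
    sub = struct.pack("!BB", SAML_CHUNK_SUBTYPE, len(chunk) + 2) + chunk
    return (VENDOR_SPECIFIC, struct.pack("!I", SAML_VENDOR_ID) + sub)


def saml_chunk_value(attrs):
    for typ, val in attrs:
        if typ == VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == SAML_VENDOR_ID:
            return val[6:4 + val[5]]
    return b""


class HomeServer:
    """Returns SAML data in chunks; a single-use State value ties the rounds together."""

    def __init__(self, secret, saml_blob, chunk_size=200):
        self.secret = secret
        self.chunks = [saml_blob[i:i + chunk_size] for i in range(0, len(saml_blob), chunk_size)] or [b""]
        self.pending = {}  # State value -> index of the next chunk to send

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
        if code != ACCESS_REQUEST or USER_NAME not in attrs:  # User-Name is what proxies route on
            raise ValueError("expected an Access-Request carrying User-Name")
        idx = 0 if STATE not in attrs else self.pending.pop(attrs[STATE], None)
        if idx is None:
            raise ValueError("unknown or replayed State")
        reply = [saml_chunk_attr(self.chunks[idx])]
        if idx + 1 == len(self.chunks):                         # last chunk: grant the real service
            code = ACCESS_ACCEPT
            reply.append((SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
        else:
            state = os.urandom(16)
            self.pending[state] = idx + 1
            reply.append((STATE, state))
            if idx == 0:                                        # first Accept: more authorization needed
                code = ACCESS_ACCEPT
                reply.append((SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADDITIONAL_AUTHZ)))
            else:                                               # intermediate rounds use Access-Challenge
                code = ACCESS_CHALLENGE
        return pack(code, ident, response_authenticator(code, ident, reply, req_auth, self.secret), reply)


def run_exchange(server, secret, user_name):
    """Drive the NAS side; returns (reassembled SAML data, final Service-Type, list of reply codes)."""
    ident, state, collected, codes = 0, None, bytearray(), []
    while True:
        attrs = [(USER_NAME, user_name)] + ([(STATE, state)] if state is not None else [])
        req_auth = os.urandom(16)
        reply = server.handle(pack(ACCESS_REQUEST, ident, req_auth, attrs))
        code, rid, length = struct.unpack("!BBH", reply[:4])
        rattrs = decode_attrs(reply[20:length])
        # Verify the Response Authenticator before acting on anything in the reply.
        if rid != ident or reply[4:20] != response_authenticator(code, rid, rattrs, req_auth, secret):
            raise ValueError("Response Authenticator mismatch")
        got = dict(rattrs)
        codes.append(code)
        collected += saml_chunk_value(rattrs)
        state = got.get(STATE)                                  # echoed unmodified in the next request
        service = struct.unpack("!I", got[SERVICE_TYPE])[0] if SERVICE_TYPE in got else None
        ident = (ident + 1) & 0xFF
        if code == ACCESS_ACCEPT and service != SERVICE_TYPE_ADDITIONAL_AUTHZ:
            return bytes(collected), service, codes
        if state is None:
            raise ValueError("server asked for another round without a State attribute")


if __name__ == "__main__":
    secret = b"testing123"                                                # constructed shared secret
    saml = b"<saml:Assertion>" + b"x" * 420 + b"</saml:Assertion>"        # constructed 453-octet blob
    data, service, codes = run_exchange(HomeServer(secret, saml), secret, b"alice@example.org")
    print(codes, service, data == saml)
```

With a 453-octet blob and 200-octet chunks the NAS sees Access-Accept (Service-Type = Additional-Authorization, State, chunk 1), Access-Challenge (State, chunk 2) and a final Access-Accept (Service-Type = Login, chunk 3); a blob that fits in one chunk never triggers the Additional-Authorization round at all. The server deletes each State value when it is used, so a replayed Access-Request fails rather than re-sending a chunk.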
