Alejandro Perez Mendez wrote:
> RFC says, with regard to the State attribute: ...
> So I understood that if State attribute is sent within an
> Access-Request, then Termination-Action is required.

I'm not sure that's required. I know I've *rarely* seen a Termination-Action when there's a State in Access-Accept. So I wouldn't worry about it too much.

>> Instead, the first Access-Accept could contain "Service-Type =
>> Additional-Authorization". This would be a new value indicating that
>> additional authorization is required for the user.
>
> But then it is required to define a new Service-Type value. Service-Type
> is not mandatory, would it be better to just not include it in the
> first Access-Accept? The "more SAML data" should be enough to indicate that.

The issue for me is a *generic* way of handling this. A "more SAML data" thing is specific to SAML.

Alan DeKok.
