>>> - NAS sends new Access-Request (somehow) tied to the original session
>>> - this Access-Request contains
>>>     Service-Type = Authorize Only
>>>     State from original Access-Accept
>>> - server replies with Access-Challenge / Access-Accept
>>> - packets contain SAML data
>>> - if the reply is an Access-Challenge, the NAS sends
>>>   another Access-Request
>>
>> Yeah, we had in mind something very similar.
Likewise. I was going to propose something very similar to this for the Abfab Assertion Request Profile, so that the RP is able to obtain an assertion from an IdP at some point after authentication. I'd like to use the same mechanism for both post hoc assertion request and delivery of jumbo assertions (where delivery of a jumbo authentication assertion is essentially the case where the assertion is not necessarily solicited and happens immediately after authentication). So I think we should try to decouple the RADIUS/EAP authentication roundtrips from the RADIUS/SAML assertion roundtrips, modulo some mechanism to tie these together.

There's another wrinkle that hasn't been discussed, which is that the SAML Request may also be larger than 4K. So we really need to deal with jumbo messages in both directions, which makes this even more interesting, although I think that Alejandro's proposal works in this case.

Josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
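The exchange sketched in the quoted proposal (a follow-on Access-Request carrying Service-Type = Authorize Only and the State from the original Access-Accept, answered by Access-Challenge until the server finishes with Access-Accept), extended to the case Josh raises where the SAML Request as well as the assertion exceeds the 4096-byte RADIUS packet limit, as an added example that is not part of the thread or of any ABFAB draft. It models both sides in one process with no network. Assumptions, not from the thread: the SAML payload rides in a toy attribute type 200 (no registered number is implied), each jumbo message is length-prefixed so the receiver knows when it is complete, and the authenticator field is left zero since no shared secret is modelled.

```python
"""Toy model of post-hoc RADIUS/SAML assertion delivery with jumbo messages in both directions."""
import struct

RADIUS_MAX = 4096            # RFC 2865: maximum RADIUS packet length
ATTR_VALUE_MAX = 253         # one-octet attribute length minus the 2 header octets
HEADER_LEN = 20              # code, identifier, length, 16-octet authenticator

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
SERVICE_TYPE, STATE = 6, 24
AUTHORIZE_ONLY = 17          # Service-Type value "Authorize Only" (RFC 5176)
SAML_DATA = 200              # ASSUMED toy attribute type for SAML payload; not a registered number


def encode_attrs(attrs):
    """Encode (type, value) pairs as TLVs; values over 253 octets are split into
    several attributes of the same type, the way EAP-Message is carried."""
    out = bytearray()
    for t, v in attrs:
        for i in range(0, len(v), ATTR_VALUE_MAX):
            piece = v[i:i + ATTR_VALUE_MAX]
            out += struct.pack("!BB", t, len(piece) + 2) + piece
    return bytes(out)


def decode_attrs(data):
    """Return {type: value}; same-type attributes are concatenated in order."""
    attrs, pos = {}, 0
    while pos < len(data):
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = attrs.get(t, b"") + data[pos + 2:pos + length]
        pos += length
    return attrs


def build_packet(code, ident, attrs):
    body = encode_attrs(attrs)
    length = HEADER_LEN + len(body)
    if length > RADIUS_MAX:
        raise ValueError(f"packet would be {length} octets, over the 4096 limit")
    # ASSUMED: zero authenticator; a real implementation computes it per RFC 2865.
    return struct.pack("!BBH", code, ident, length) + bytes(16) + body


def parse_packet(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length != len(pkt) or length < HEADER_LEN:
        raise ValueError("bad packet length")
    return code, ident, decode_attrs(pkt[HEADER_LEN:])


def frame(blob):
    """ASSUMED framing: 4-octet length prefix so the receiver can tell when a jumbo message is complete."""
    return struct.pack("!I", len(blob)) + blob


def chunk_budget(state):
    """SAML_DATA octets that fit in one packet beside Service-Type (6 octets) and State."""
    fixed = HEADER_LEN + 6 + 2 + len(state)
    return ((RADIUS_MAX - fixed) // (ATTR_VALUE_MAX + 2)) * ATTR_VALUE_MAX


def take(buf, n):
    return buf[:n], buf[n:]


class SamlServer:
    """IdP/RADIUS server side: reassembles the NAS's SAML request, then streams the assertion back."""

    def __init__(self, assertion):
        self.assertion = assertion          # constructed jumbo assertion to deliver
        self.sessions = {}                  # State -> per-session buffers

    def open_session(self, state):
        """Called when EAP authentication finishes and State is issued in the Access-Accept."""
        self.sessions[state] = {"inbound": bytearray(), "outbound": None, "request": None}

    def handle(self, pkt):
        code, ident, attrs = parse_packet(pkt)
        state = attrs.get(STATE)
        sess = self.sessions.get(state)
        if code != ACCESS_REQUEST or sess is None or attrs.get(SERVICE_TYPE) != struct.pack("!I", AUTHORIZE_ONLY):
            raise ValueError("not an Authorize-Only request tied to a known session")
        if sess["outbound"] is None:
            # Still collecting the (possibly jumbo) SAML request from the NAS.
            sess["inbound"] += attrs.get(SAML_DATA, b"")
            buf = sess["inbound"]
            if len(buf) < 4 or len(buf) < 4 + struct.unpack("!I", buf[:4])[0]:
                return build_packet(ACCESS_CHALLENGE, ident, [(STATE, state)])   # ask for more
            sess["request"] = bytes(buf[4:])
            sess["outbound"] = frame(self.assertion)
        chunk, sess["outbound"] = take(sess["outbound"], chunk_budget(state))
        code = ACCESS_ACCEPT if not sess["outbound"] else ACCESS_CHALLENGE     # last chunk ends the exchange
        return build_packet(code, ident, [(STATE, state), (SAML_DATA, chunk)])


def nas_request(server, state, saml_request):
    """NAS/RP side: push a jumbo SAML request, then pull the assertion, every packet tied by State."""
    outbound, inbound, ident = frame(saml_request), b"", 0
    budget = chunk_budget(state)
    while True:
        chunk, outbound = take(outbound, budget)
        attrs = [(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY)), (STATE, state)]
        if chunk:
            attrs.append((SAML_DATA, chunk))
        code, rid, rattrs = parse_packet(server.handle(build_packet(ACCESS_REQUEST, ident, attrs)))
        if rid != ident or rattrs.get(STATE) != state:
            raise ValueError("reply not tied to our request")
        inbound += rattrs.get(SAML_DATA, b"")
        ident = (ident + 1) % 256
        if code == ACCESS_ACCEPT:
            break
        if code != ACCESS_CHALLENGE:
            raise ValueError(f"unexpected code {code}")
    total = struct.unpack("!I", inbound[:4])[0]
    if len(inbound) != 4 + total:
        raise ValueError("assertion incomplete after Access-Accept")
    return inbound[4:]


def demo():
    """Constructed inputs: a 6 KB SAML request and a 10 KB assertion, both over the 4 KB limit."""
    state = b"sess-0001-state"
    saml_request = b"<samlp:AuthnRequest>" + b"x" * 6000 + b"</samlp:AuthnRequest>"
    assertion = b"<saml:Assertion>" + b"y" * 10000 + b"</saml:Assertion>"
    server = SamlServer(assertion)
    server.open_session(state)
    got = nas_request(server, state, saml_request)
    return got == assertion and server.sessions[state]["request"] == saml_request
```

With a 15-octet State each packet carries 15 SAML_DATA attributes (3795 payload octets), so the request above crosses in two Access-Requests and the assertion comes back in two Access-Challenges and a final Access-Accept, all decoupled from the EAP roundtrips and bound to the session only by State. The length prefix and the attribute number are placeholders for whatever the profile eventually specifies; what the model is meant to show is that the same Authorize-Only/State loop serves both directions once the receiver has some way to know the message is complete.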
