> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Josh Howlett
> Sent: Monday, November 28, 2011 7:54 AM
> To: Alejandro Perez Mendez; Alan DeKok
> Cc: [email protected]
> Subject: Re: [abfab] 4K limit
>
> >> - NAS sends new Access-Request (somehow) tied to the original session
> >> - this Access-Request contains
> >>     Service-Type = Authorize Only
> >>     State from original Access-Accept
> >> - server replies with Access-Challenge / Access-Accept
> >> - packets contain SAML data
> >> - if the reply is an Access-Challenge, the NAS sends another Access-Request
> >
> > Yeah, we had in mind something very similar.
>
> Likewise. I was going to propose something very similar to this for the Abfab
> Assertion Request Profile, so that the RP is able to obtain an assertion from
> an IdP at some point after authentication.
>
> I'd like to use the same mechanism for both post hoc assertion request and
> delivery of jumbo assertions (where delivery of a jumbo authentication
> assertion is essentially the case where the assertion is not necessarily
> solicited and happens immediately after authentication).
>
> So I think we should try to decouple the RADIUS/EAP authentication
> roundtrips from the RADIUS/SAML assertion roundtrips, modulo some
> mechanism to tie these together.
>
> There's another wrinkle that hasn't been discussed, which is that the SAML
> Request may also be larger than 4K. So we really need to deal with jumbo
> messages in both directions, which makes this even more interesting,
> although I think that Alejandro's proposal works in this case.
I think that in general one can deal with this by forcing the RP to make multiple requests rather than a single request in this case.

However, I also have an item which was discussed some months ago but has not reared its head again. That is that there may be a proxy in the middle that wants to do some re-writing of the SAML messages in both directions. This would be for the purpose of changing attribute names so that a common mapping does not need to be understood by either end but just by the proxy in the middle. This means that we need to be thinking of the proxy suddenly becoming the server/client of the fragmented message or becoming the service that is going to provide/ask for the OOB query method.

Jim

> Josh.
>
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
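To make the two points above concrete, here is an added simulation (constructed for this page, not code from the thread, from any RADIUS server or from the abfab drafts) of the Authorize-Only loop Alan sketched, plus the attribute-renaming proxy Jim raises. Packet fields are plain dictionary labels and the 4000-byte payload budget is an assumed stand-in for the 4K limit, not real RADIUS encoding.

```python
import secrets

MAX_SAML_BYTES = 4000  # assumed per-packet payload budget standing in for the 4K limit

def fragment(blob: bytes) -> list:
    """Split a jumbo message into packet-sized pieces."""
    return [blob[i:i + MAX_SAML_BYTES] for i in range(0, len(blob), MAX_SAML_BYTES)]

class Server:
    """IdP-side RADIUS server holding the jumbo assertion for one session."""

    def __init__(self, assertion: bytes):
        self.chunks = fragment(assertion)
        self.states = {}  # outstanding State -> index of the next chunk to send

    def initial_state(self) -> bytes:
        """The State attribute handed out in the original Access-Accept."""
        state = secrets.token_bytes(16)
        self.states[state] = 0
        return state

    def handle(self, req: dict) -> dict:
        idx = self.states.pop(req.get("State"), None)  # each State is single-use
        if req.get("Service-Type") != "Authorize-Only" or idx is None:
            return {"Code": "Access-Reject"}  # request not tied to a live session
        resp = {"SAML-Data": self.chunks[idx]}
        if idx + 1 < len(self.chunks):  # more to come: challenge with a fresh State
            resp["Code"], resp["State"] = "Access-Challenge", secrets.token_bytes(16)
            self.states[resp["State"]] = idx + 1
        else:
            resp["Code"] = "Access-Accept"
        return resp

def nas_fetch(server: Server, state: bytes) -> tuple:
    """RP/NAS side: re-send an Access-Request after every Access-Challenge."""
    data, rounds = b"", 0
    while True:
        resp = server.handle({"Service-Type": "Authorize-Only", "State": state})
        data += resp.get("SAML-Data", b"")
        rounds += 1
        if resp["Code"] != "Access-Challenge":
            return resp["Code"], data, rounds
        state = resp["State"]

def rewriting_proxy(server: Server, state: bytes, mapping: dict) -> tuple:
    """Jim's proxy case: an attribute-renaming proxy must terminate the
    fragmented exchange, rewrite the whole assertion, then re-fragment it."""
    code, data, _ = nas_fetch(server, state)
    for old, new in mapping.items():
        data = data.replace(old, new)
    return code, fragment(data)
```

Because every State is consumed on use, a request that arrives without a live State (or with a replayed one) is rejected rather than handed a chunk of someone else's assertion.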
