Klaas Wierenga wrote:
> Apologies for reopening a discussion that seems to have concluded (my only
> excuse is that I was hovering most of the last 2 weeks 20 meters below the
> surface of the Red Sea).
> But I still need some more convincing that we MUST carry the SAML data over
> AAA. It seems to me that using the AAA fabric just to introduce the parties
> to each other and do additional attribute exchange out-of-AAA-band has a
> number of advantages, most importantly, no issue with the 4k limit. I find
> the argument that intermediate nodes may need to rewrite attributes not very
> convincing, after all there are many hub-and-spoke federations in SAML-space
> that do just that routinely, no need for AAA intermediaries.

  I agree that intermediate nodes do not need to rewrite the attributes.

  There may still be benefits from using AAA.  The simplest is using one
technology for everything.

  The alternative is to put the SAML attributes in HTTP (everything over
HTTP), and give a URL to the end host.  This brings additional issues of
copying the data from AAA server to HTTP server, authenticating the
client which gets the SAML data, securing the data transfer, etc.

  Alan DeKok.
_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab