>>>>> "Alejandro" == Alejandro Perez Mendez <[email protected]> writes:
>> item #2 - If the SAML responder is going to
>> respond to a SAML request, is there a requirement that the
>> responder MUST respond no later than the Access-Accept or
>> Access-Reject message? Also, in what other currently defined
>> packets is the element permitted - for example, can I include it
>> in an Access-Challenge packet?
Alejandro> That's an interesting question. In a previous discussion
Alejandro> we were thinking of moving all the authorization data
Alejandro> retrieval exchanges _after_ the Access-Accept exchange. I
Alejandro> think Josh has already shown interest in changing to that
Alejandro> kind of flow, though I guess until the radius-fragmentation
Alejandro> draft moves a little forward this needs to be put on hold.
I do not support moving to that flow all the time.
I think if the message fits in the Access-Accept, it should be sent
there.
The same is true for Access-Reject.
>>
>> 6. The last sentence in section 5.2 makes no sense to me. I
>> believe the sentence should finish "to a Relying Party without
>> step 2 occurring." Doing it without having the EAP protocol run
>> in section 3 would be bad news. Ditto the last paragraph in
>> section 5.3 - I think it should just say that "The Request in
>> section 5.3.2 is omitted from the process."
>>
>> 7. In section 5.3.4 - I would like to see a statement that in
>> this profile, if the <samlp:AuthnRequest> is marked as fail then
>> the EAP should also return fail. That is, there should not be a
>> difference in the returned value for the SAML request and the EAP
>> dialog.
Alejandro> IMO this is not required. EAP is meant to provide
Alejandro> authentication, while SAML is intended to provide
Alejandro> authorization. A principal may be successfully
Alejandro> authenticated, but fail to obtain authorization
Alejandro> information. One process should not interfere with the
Alejandro> other. Consider that an RP may not issue the
Alejandro> AuthnReq. Besides, if the RADIUS server and the IdP are
Alejandro> not co-located, I do not think it is a good idea to trick
Alejandro> the EAP stack in the RADIUS server into forcing an EAP
Alejandro> failure if the IdP replies with a SAML error.
Typically a RADIUS Access-Accept implies both authorization and
authentication.
I don't particularly care if the SAML and EAP results are consistent,
but I don't think it's appropriate to include a SAML failure in an
Access-Accept.
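An added example, not code from this thread or from the draft under discussion: a small Python check of whether a SAML message, split into ordinary RADIUS attributes, still fits in a single Access-Accept under the RFC 2865 limits (4096-octet packet, 255-octet attributes, 20-octet header). The attribute type used for the fragments and the space reserved for the other attributes in the packet are assumptions.

```python
# Added example: size check for carrying a SAML message inside one RADIUS
# Access-Accept. Constants follow RFC 2865; the attribute type is a placeholder.
import math

RADIUS_HEADER_LEN = 20     # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
RADIUS_MAX_PACKET = 4096   # RFC 2865 section 3: maximum packet length
ATTR_DATA_MAX = 253        # attribute Length <= 255 minus the Type and Length octets
PLACEHOLDER_ATTR_TYPE = 26 # assumption: Vendor-Specific; the real type is not on the page


def encode_attr_fragments(attr_type: int, payload: bytes) -> list[bytes]:
    """Split payload into Type/Length/Value attributes of at most 255 octets each."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one octet")
    frags = []
    for off in range(0, len(payload), ATTR_DATA_MAX):
        chunk = payload[off:off + ATTR_DATA_MAX]
        frags.append(bytes([attr_type, len(chunk) + 2]) + chunk)   # Length covers T+L+V
    return frags


def decode_attr_fragments(attr_type: int, blob: bytes) -> bytes:
    """Walk a run of TLV attributes and reassemble the payload (inverse of the above)."""
    out, pos = bytearray(), 0
    while pos < len(blob):
        t, length = blob[pos], blob[pos + 1]
        if t != attr_type or length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        out += blob[pos + 2:pos + length]
        pos += length
    return bytes(out)


def fits_in_one_packet(saml_message: bytes, reserved_len: int,
                       attr_type: int = PLACEHOLDER_ATTR_TYPE) -> tuple[bool, int]:
    """Return (fits, total_len). reserved_len is the space assumed to be taken by the
    other attributes in the same Access-Accept (e.g. EAP-Message, Message-Authenticator)."""
    frag_len = sum(len(f) for f in encode_attr_fragments(attr_type, saml_message))
    total = RADIUS_HEADER_LEN + reserved_len + frag_len
    return total <= RADIUS_MAX_PACKET, total


def fragments_needed(n_bytes: int) -> int:
    """Number of standard attributes a payload of n_bytes needs."""
    return math.ceil(n_bytes / ATTR_DATA_MAX)


if __name__ == "__main__":
    sample = b"<samlp:Response>" + b"x" * 3984   # constructed 4000-octet message
    print(fragments_needed(len(sample)), fits_in_one_packet(sample, reserved_len=100))
```

When the check fails, the message cannot ride in the Access-Accept and needs a fragmentation mechanism such as the one the thread refers to; a responder can run this test before deciding which flow to use.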
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab