On 15/03/12 13:52, Sam Hartman wrote:
> "Alejandro" == Alejandro Perez Mendez <[email protected]> writes:
>
>     >> item #2 - If the SAML responder is going to respond to a SAML
>     >> request, is there a requirement that the responder MUST respond no
>     >> later than the Access-Accept or Access-Reject message? Also what
>     >> other currently defined packets is the element permitted in - for
>     >> example can I include it in an Access-Challenge packet?
>
>     Alejandro> That's an interesting question. In a previous discussion
>     Alejandro> we were thinking of moving all the authorization data
>     Alejandro> retrieval exchanges _after_ the Access-Accept exchange. I
>     Alejandro> think Josh has already shown interest in changing to that
>     Alejandro> kind of flow, though I guess until the radius-fragmentation
>     Alejandro> draft moves a little forward this needs to be on hold.
>
> I do not support moving to that flow all the time. I think if the message
> fits in the access-accept it should be sent there. Also true for
> access-reject.
>
>     >> 6. The last sentence in section 5.2 makes no sense to me. I
>     >> believe the sentence should finish "to a Relying Part without
>     >> step 2 occurring." Doing it without having the EAP protocol run
>     >> in section 3 would be bad news. Ditto the last paragraph in
>     >> section 5.3 - I think it should just say that "The Request in
>     >> section 5.3.2 is omitted from the process."
>
>     >> 7. In section 5.3.4 - I would like to see a statement that in
>     >> this profile, if the <samlp:AuthnRequest> is marked as fail then
>     >> the EAP should also return fail. That is, there should not be a
>     >> difference in the returned value for the SAML request and the EAP
>     >> dialog.
>
>     Alejandro> IMO this is not required. EAP is meant to provide
>     Alejandro> authentication, while SAML is intended to provide
>     Alejandro> authorization. A principal may be successfully
>     Alejandro> authenticated, but fail to obtain authorization
>     Alejandro> information. One process should not interfere in the
>     Alejandro> other. Think that a RP may not issue the
>     Alejandro> AuthnReq. Besides, if the RADIUS server and the IdP are
>     Alejandro> not collocated, I do not think it is a good idea to trick
>     Alejandro> the EAP stack in the RADIUS server to force an EAP
>     Alejandro> failure if the IdP replies with a SAML error.
>
> Typically a RADIUS access-accept implies both authorization and
> authentication. I don't particularly care if the saml and EAP results
> are consistent, but I don't think it's appropriate to include a SAML
> failure in an access accept.
I didn't mean that a RADIUS Access-Accept should be sent if a SAML failure occurs. I was just talking about EAP, not RADIUS.

I mean, we are using RADIUS to transport both EAP and SAML. If the conjunction of a SAML failure and an EAP success should have the result of denial of access (because of the failure in the authorization), then an Access-Reject should be sent. Now, I have to admit that I don't really know if it is possible to send an EAP-Success packet within an Access-Reject RADIUS message. But tricking the EAP stack to force the EAP method to fail even when the method was actually successful does not sound very good either. What do you think?
Regards, Alejandro
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
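The exchange above turns on how a RADIUS server should combine two independent outcomes, EAP authentication and SAML authorization, into a single final packet. The following Python is an added example, not code from the thread, the abfab draft or any RADIUS implementation. It encodes the two candidate final packets with their RFC 2865 Response Authenticator and RFC 3579 Message-Authenticator, and adds a NAS-side parser that verifies both before trusting the result. It follows Sam's constraint that a SAML failure is never placed inside an Access-Accept; which EAP code should accompany the Access-Reject is the open question in the thread, so the example leaves it as a parameter rather than deciding it. The attribute type used to carry the SAML message (`ATTR_SAML_PLACEHOLDER`) is a constructed placeholder from the experimental range, not the draft's assignment, and the shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) and EAP codes (RFC 3748)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
EAP_SUCCESS, EAP_FAILURE = 3, 4
# RADIUS attribute types EAP-Message (79) and Message-Authenticator (80), RFC 3579
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
# Constructed placeholder for the attribute that would carry the SAML message.
# Taken from the experimental range; it is NOT the abfab draft's assignment.
ATTR_SAML_PLACEHOLDER = 223
MAX_ATTR_VALUE = 253


def eap_result(code, eap_id):
    """EAP Success/Failure packet: Code, Identifier, Length; no payload (RFC 3748 4.2)."""
    return struct.pack("!BBH", code, eap_id, 4)


def attrs_for(atype, value):
    """Encode value as one or more RADIUS TLVs, chunked at 253 bytes like EAP-Message."""
    out = b""
    for i in range(0, len(value), MAX_ATTR_VALUE):
        chunk = value[i:i + MAX_ATTR_VALUE]
        out += struct.pack("!BB", atype, len(chunk) + 2) + chunk
    return out


def build_reply(code, radius_id, request_auth, secret, attrs):
    """Finalize a RADIUS response: Message-Authenticator (RFC 3579 3.2) computed with the
    attribute zeroed, then the Response Authenticator (RFC 2865 3) over the finished body;
    both are bound to the Request Authenticator of the Access-Request being answered."""
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    header = struct.pack("!BBH", code, radius_id, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def final_reply(eap_ok, saml_ok, saml_msg, radius_id, eap_id, request_auth, secret,
                eap_code_on_reject=EAP_FAILURE):
    """Combine the EAP (authentication) and SAML (authorization) outcomes.
    Both succeed -> Access-Accept carrying EAP-Success and the SAML message.
    Anything else -> Access-Reject; a SAML error never rides inside an Access-Accept.
    Which EAP code accompanies the reject is left open in the thread, so it is a parameter."""
    if eap_ok and saml_ok:
        attrs = attrs_for(ATTR_EAP_MESSAGE, eap_result(EAP_SUCCESS, eap_id))
        attrs += attrs_for(ATTR_SAML_PLACEHOLDER, saml_msg)
        return build_reply(ACCESS_ACCEPT, radius_id, request_auth, secret, attrs)
    attrs = attrs_for(ATTR_EAP_MESSAGE, eap_result(eap_code_on_reject, eap_id))
    return build_reply(ACCESS_REJECT, radius_id, request_auth, secret, attrs)


def parse_reply(packet, request_auth, secret):
    """NAS-side check: verify both authenticators, then return (code, {type: joined value})."""
    code, radius_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected_auth):
        raise ValueError("Response Authenticator mismatch")
    parsed, pos, mac_pos = {}, 0, None
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac_pos = pos + 2
        # fragments of the same type are concatenated back into one value
        parsed[atype] = parsed.get(atype, b"") + attrs[pos + 2:pos + alen]
        pos += alen
    if mac_pos is None:
        raise ValueError("Message-Authenticator missing (required alongside EAP-Message)")
    zeroed = attrs[:mac_pos] + b"\x00" * 16 + attrs[mac_pos + 16:]
    expected_mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(parsed[ATTR_MESSAGE_AUTHENTICATOR], expected_mac):
        raise ValueError("Message-Authenticator mismatch")
    return code, parsed
```

The parser rebuilds the SAML value from its 253-byte fragments, which is the same chunking problem the thread's reference to the radius-fragmentation draft points at: a SAML message that does not fit the RADIUS packet cannot be carried this way at all, which is why Sam's "if it fits, send it in the Access-Accept" comes with an implicit size condition.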
