On 12/11/12 20:32, Sam Hartman wrote:
> >> The Moonshot implementation of ABFAB has always supported RADSEC.
> >> I know that the UM team had an early deployment of ABFAB; I
> >> don't know if that supported RADSEC or not.
>
> Gabriel> Actually not, it runs over Radius. Although it is just a
> Gabriel> matter of implementation.
>
> OK, so you would not be concerned about a radsec
> requirement on behalf of the MU implementation?

The original UM implementation of GSS-EAP is deprecated; we are
currently working with the GSS-EAP Moonshot implementation.

My concern is about defining RadSec as mandatory for those institutions
willing to deploy abfab.
Let's suppose eduroam, where institution A is requesting authentication from
institution B, A is abfab-aware, and B is a typical eduroam
member. Let's suppose:

a) Authorization (SAML) is not required --> A and B are able to
authenticate the user directly, without any modification on B's side.
End-to-end authentication is not possible.

b) Authorization (SAML) is required and B is running a SAML-idP (i.e.
Shibboleth) --> minimum modification on B's side (radius server requesting
SAML attributes from the idP). End-to-end authentication is possible by means
of SAML signature.

c) Authorization (SAML) is required and B is not SAML-aware --> B has to
deploy current abfab solution. Easy to deploy. End-to-end authentication
is possible by means of SAML signature.
   
        Why does abfab have to force institution B to deploy RadSec too?

As sent before, we strongly agree to make use of radsec, when possible.
In any case, if WG members agree on that, maybe I am
missing/misunderstanding something.

regards, Gabi.
       





   