We're discussing section 8 of draft-ietf-abfab-aaa-saml.

> this issue would be declaring SAML-Message and/or the SAML-Assertion
> attributes as authentication attributes. We think this would make sense
> as they might affect how the subsequent authentication process will
> be performed.

I don't support that approach mostly because it assumes there will be subsequent authentication. If there is such I'd expect eap-message or similar to be present in the radius access-request.

My recommendation is that we indicate in section 8 that this draft only covers the case where the request is in the context of an existing session and includes state. In future, the profile can be expanded. I'd probably leave state as a SHOULD with a note about 2865 and indicate that if you're using this profile without state you need a spec describing how to do that and that spec needs to tell you what authentication attributes to include.

--Sam
