Hi Sam,
On 03/12/2014 02:18 PM, Sam Hartman wrote:
> We're discussing section 8 of draft-ietf-abfab-aaa-saml.
>
>> this issue would be declaring SAML-Message and/or the SAML-Assertion
>> attributes as authentication attributes. We think this would make sense
>> as they might affect how the subsequent authentication process will
>> be performed.
>
>
> I don't support that approach mostly because it assumes there will be
> subsequent authentication. If there is such I'd expect eap-message or
> similar to be present in the radius access-request
>
> My recommendation is that we indicate in section 8 that this draft only
> covers the case where the request is in the context of an existing
> session and includes state.
What about an initial SAMLAuthRequest from the RP to the idP (before
the EAP exchange) pointing out, for example, some kind of LoA
requirement? I thought it was one of the motivations for the use of SAML
here.
In this case there is not a "state" attribute.
Regards, Gabi.
> In future, the profile can be expanded. I'd probably leave state as a
> SHOULD with a note about 2865 and indicate that if you're using this
> profile without state you need a spec describing how to do that and that
> spec needs to tell you what authentication attributes to include.
>
> --Sam
>
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
>
--
Gabriel López Millán, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888504 Fax: +34868884151 e-mail: [email protected]
