So, what I think we need to say in the SAML is: in an assertion:

1) I expect the foo.bar.example.com IDP realm to interact with this message.

2) Possibly/probably I expect the baz.example.net RP realm to receive this message eventually.

I'm happy to let the RP evaluate the trust of the AAA fabric between the IDP and RP and to evaluate whether the fabric in use provides sufficient trust for the IDP.

I think it's important to make sure the message was intended to be handed to the given IDP and probably/possibly/I'm not 100% sure to make sure the message was destined for the given RP.

It's clear that we need to make sure of the destination of the message at the SAML layer, but possibly not at the AAA layer. However, we definitely care about the injection point into the AAA layer because that may be the only AAA name towards the IDP that the RP knows and can validate.

--Sam

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
