So, What I think we need to say in the SAML is:

In an assertion:

1) I expect the foo.bar.example.com IDP realm to interact with this
message.

2) Possibly/probably I expect the baz.example.net RP realm to receive
this message eventually.

I'm happy to let the RP evaluate the trust of the AAA fabric between the
IDP and RP and to evaluate whether the fabric in use provides sufficient
trust for the IDP.  I think it's important to make sure the message was
intended to be handed to the given IDP and probably/possibly/I'm not
100% sure to make sure the message was destined for the given RP.  It's
clear that we need to make sure of the destination of the message at the
SAML layer, but possibly not at the AAA layer.  However, we definitely
care about the injection point into the AAA layer because that may be
the only AAA name towards the IDP that the RP knows and can validate.

--Sam
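The two statements Sam wants the assertion to carry (the IDP realm expected to handle it, and the RP realm expected to receive it) map naturally onto the SAML 2.0 `<Issuer>` and `<AudienceRestriction>` elements, and the RP-side check is what makes the second statement useful. The following is an added example, not code from the list thread or from any ABFAB implementation: it parses a constructed minimal assertion and verifies both the issuer and the audience against the realms the RP expects. It assumes realms are compared as plain strings (real deployments would use entity IDs), and it assumes message integrity has already been established at the AAA layer, which is the trust evaluation the message leaves to the RP; XML signature checking is deliberately out of scope here.

```python
# Added example (not part of the original mailing-list post).
# RP-side check that a SAML 2.0 assertion names the expected IDP realm as
# Issuer and the expected RP realm inside every AudienceRestriction.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _q(local):
    """Clark-notation qualified name for a SAML 2.0 assertion element."""
    return "{%s}%s" % (SAML_NS, local)


def check_assertion(xml_text, expected_idp, expected_rp):
    """Return (ok, reason) for a parsed assertion.

    Semantics follow SAML 2.0 core: Audience values inside one
    AudienceRestriction are alternatives (any match suffices), but every
    AudienceRestriction element must be satisfied. An assertion without
    any AudienceRestriction is rejected, because then nothing states
    which RP it was destined for.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return (False, "malformed XML: %s" % exc)
    if root.tag != _q("Assertion"):
        return (False, "root element is not a SAML 2.0 Assertion")

    issuer = root.findtext(_q("Issuer"))
    if issuer is None or issuer.strip() != expected_idp:
        return (False, "issuer %r is not the expected IDP realm %r"
                % (issuer, expected_idp))

    restrictions = list(root.iterfind(
        _q("Conditions") + "/" + _q("AudienceRestriction")))
    if not restrictions:
        return (False, "no AudienceRestriction present; RP not named")
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.iterfind(_q("Audience"))
                     if a.text]
        if expected_rp not in audiences:
            return (False, "audience %r does not include RP realm %r"
                    % (audiences, expected_rp))
    return (True, "ok")


# Constructed sample assertions using the realms from the post.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="%s" ID="_example1"
    Version="2.0" IssueInstant="2011-01-01T00:00:00Z">
  <saml:Issuer>foo.bar.example.com</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>baz.example.net</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""" % SAML_NS

# Same issuer, but destined for a different RP realm (constructed).
WRONG_AUDIENCE = GOOD_ASSERTION.replace("baz.example.net", "other.example.org")

# No AudienceRestriction at all (constructed).
NO_AUDIENCE = """<saml:Assertion xmlns:saml="%s" ID="_example3"
    Version="2.0" IssueInstant="2011-01-01T00:00:00Z">
  <saml:Issuer>foo.bar.example.com</saml:Issuer>
  <saml:Conditions/>
</saml:Assertion>""" % SAML_NS


if __name__ == "__main__":
    for name, doc in [("good", GOOD_ASSERTION), ("wrong audience", WRONG_AUDIENCE),
                      ("no audience", NO_AUDIENCE)]:
        print(name, check_assertion(doc, "foo.bar.example.com", "baz.example.net"))
```

Rejecting an assertion that carries no `AudienceRestriction` is the conservative reading of the post: if the RP cannot see that the message was destined for it, it cannot distinguish a misdirected assertion from an intended one.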

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab