In the Plasma work effort we have spent much of the last month thinking
about and discussing the question of delegated access.  In the process we
have located the following SAML document,
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-delegation-cs-01.pdf,
which discusses how to create a SAML statement that has the delegation
information built in.  This gives us what we need in order to do the
evaluation on the RP about what delegation has occurred.

The problem is that there is currently no way to discuss the questions of
delegation in the EAP protocols that I know of.  This has not been a problem
when we were looking at just the question of accessing a network; however,
the additional resources that we are now looking at because of ABFAB are now
starting to make this an interesting question to look at.

The questions that I would have for the EMU group are:

1.  Is there any interest in looking at the issues of how one requests a
delegated access to occur?

2.  What set of restrictions is going to be necessary for doing delegation?
At present, since the only cases that I care about are going to be the ABFAB
cases, all I would actually need is the ability to say, in one of the tunneled
messages, a simple statement to the effect of "I want delegated access to
<name>", which would either be granted or denied.

3.  If we do delegated access, what things other than the SAML statement
returned in the ABFAB context need to be changed?

4.  Do we need to be able to do both delegation, where the delegation
process is understood by the RP, and impersonation, where the RP may not be
able to tell that the authenticated entity is not really the same as the
named entity returned to the RP from the IdP?

5.  Are there other issues that need to be discussed?

Jim


_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
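The RP-side evaluation the message refers to (what delegation, if any, the IdP recorded) can be shown against the condition defined in the cited sstc-saml-delegation-cs-01 document. The following is an added example, not code from Jim's message or from the Plasma or ABFAB work: it parses the `DelegationRestrictionType` condition and its `Delegate` children (names and namespace taken from the cited document), then applies an RP policy. The policy rule, the allow-list, and the two sample assertions are constructed for this illustration and are not from the page. It also shows the point behind question 4: an assertion with no delegation condition looks to the RP exactly like direct access, which is the impersonation case.

```python
"""RP-side check of a SAML 2.0 delegation condition.

Added illustration, not code from the original message.  Element and
namespace names follow sstc-saml-delegation-cs-01; the authorization
policy and the sample assertions are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DEL = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"
NS = {"saml": SAML, "del": DEL}


@dataclass
class Delegate:
    name_id: str
    instant: Optional[str]               # DelegationInstant attribute
    confirmation_method: Optional[str]   # ConfirmationMethod attribute


@dataclass
class DelegationView:
    subject: str                         # Subject/NameID, the named entity
    chain: List[Delegate] = field(default_factory=list)  # earliest first


def parse_delegation(assertion_xml: str) -> DelegationView:
    """Return the subject and the delegation chain recorded by the IdP.

    A delegation condition is recognised by its del:Delegate children.
    That is prefix-independent: the xsi:type prefix is chosen by the
    issuer and ElementTree does not resolve it for us.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject/saml:NameID", NS)
    if subject is None or not subject.text:
        raise ValueError("assertion has no Subject/NameID")
    view = DelegationView(subject=subject.text.strip())
    for cond in root.findall("saml:Conditions/saml:Condition", NS):
        for d in cond.findall("del:Delegate", NS):
            nid = d.find("saml:NameID", NS)
            if nid is None or not nid.text:
                # BaseID / EncryptedID delegates are out of scope here
                raise ValueError("Delegate without a plain NameID")
            view.chain.append(Delegate(nid.text.strip(),
                                       d.get("DelegationInstant"),
                                       d.get("ConfirmationMethod")))
    return view


def authorize(view: DelegationView, permitted_delegates: Set[str]) -> str:
    """Hypothetical RP policy (an assumption of this example).

    No chain: the RP sees direct access by the subject.  With a chain,
    every intermediary must be on the RP's allow-list.
    """
    if not view.chain:
        return "direct"
    bad = [d.name_id for d in view.chain if d.name_id not in permitted_delegates]
    return "denied" if bad else "delegated"


# Constructed sample assertions (unsigned, for illustration only).
_HEAD = ('<saml:Assertion xmlns:saml="%s" xmlns:del="%s" '
         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
         'ID="_a1" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">'
         '<saml:Issuer>https://idp.example.org</saml:Issuer>'
         '<saml:Subject><saml:NameID>alice@example.org</saml:NameID>'
         '</saml:Subject>' % (SAML, DEL))

DELEGATED = _HEAD + (
    '<saml:Conditions>'
    '<saml:Condition xsi:type="del:DelegationRestrictionType">'
    '<del:Delegate DelegationInstant="2011-01-01T00:00:05Z">'
    '<saml:NameID>https://portal.example.org</saml:NameID>'
    '</del:Delegate></saml:Condition></saml:Conditions></saml:Assertion>')

# Same subject, no delegation condition: indistinguishable from direct
# access at the RP, which is the impersonation case of question 4.
DIRECT = _HEAD + '<saml:Conditions/></saml:Assertion>'


if __name__ == "__main__":
    allow = {"https://portal.example.org"}
    for label, xml in (("delegated", DELEGATED), ("direct", DIRECT)):
        v = parse_delegation(xml)
        print(label, v.subject, [d.name_id for d in v.chain],
              authorize(v, allow))
```

The parser deliberately fails closed on a `Delegate` it cannot name rather than skipping it, since silently dropping an intermediary would turn a delegated assertion into an apparently direct one.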
