On Aug 2, 2021, at 4:32 PM, Tim Cappalli <tim.cappa...@microsoft.com> wrote:
>
>> However, if the outer realm is "@example.com", then the inner realm cannot
>> be "usern...@example.org".
>
> I disagree with this requirement. Many organizations have multiple domains
> used for fully qualified usernames but, for routing simplicity, may want to
> use the org's primary domain for routing.
>
> It should be perfectly valid to configure an outer realm of @microsoft.com
> but have inner identities with other domains (ex: t...@github.com,
> t...@linkedin.com, etc.)
Does this happen a lot? I must admit I've rarely seen anything like this.

On top of that, enterprise routing is much rarer than in educational systems like Eduroam. While enterprise "roaming providers" exist, they're typically not doing 802.1X. So there's only one identity for them.

OpenRoaming is new, and enterprise, and 802.1X. But it's not widely used, and the identities are typically automatically provisioned, i.e. to your phone, via the telephone provider. And there are no "legacy" issues, so the outer identity is for routing, and the inner identity is controlled and provisioned by the provider.

So I can't think of many good reasons to have different outer/inner realms. The use-cases are small, and rare.

I'm OK with not forbidding it. But I think there needs to be strong language saying "this is a terrible idea, and you really need to think hard before doing anything like this".

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
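The two positions above (the draft's "inner realm must match outer realm" rule versus Tim's multi-domain organisation) both come down to a check an EAP server makes after the tunnel is up. The following is an added example written for this page; it is not code from the thread, from any IETF draft, or from any EAP server implementation. It parses the outer (routing) NAI and the inner (authenticated) NAI into user and realm in the simplified `user@realm` shape of RFC 7542, then applies one of two constructed policies: `strict` (realms must be equal) or `mapped` (a differing inner realm is allowed only if it is explicitly listed for that outer realm, which is the "think hard before doing this" configuration). The `RealmPolicy` type, the policy mode names and the sample identities are all assumptions made for illustration.

```python
"""Outer/inner NAI realm consistency check for a tunnelled EAP method.

Added example for this page; not from the thread, an IETF draft or any EAP
server. Policy names and sample identities are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class NAI:
    user: str                 # empty for an anonymous outer identity like "@example.com"
    realm: Optional[str]      # None when the identity carries no realm at all


def parse_nai(identity: str) -> NAI:
    """Split on the last '@' as RFC 7542 does.

    Realms are DNS-style names, so they are lowered for comparison; the user
    part is left untouched because its case rules are the home server's business.
    """
    if "@" not in identity:
        return NAI(user=identity, realm=None)
    user, _, realm = identity.rpartition("@")
    return NAI(user=user, realm=realm.lower() or None)


@dataclass
class RealmPolicy:
    """Constructed policy object (assumption, not a real server's config schema).

    mode == "strict": inner realm must equal outer realm.
    mode == "mapped": inner realm may differ only if listed in allowed_inner[outer_realm].
    """
    mode: str = "strict"
    allowed_inner: Dict[str, Set[str]] = field(default_factory=dict)


def check_realms(outer_identity: str, inner_identity: str,
                 policy: RealmPolicy) -> Tuple[bool, str]:
    """Return (accept, reason) for an outer/inner identity pair.

    The outer identity is what proxies routed on; the inner identity is what
    the tunnelled method actually authenticated, so the home server is the
    only place this comparison can be made.
    """
    outer, inner = parse_nai(outer_identity), parse_nai(inner_identity)

    if outer.realm is None:
        # Nothing to route on; a roaming proxy would already have dropped this.
        return False, "outer identity has no realm and cannot be routed"
    if inner.realm is None:
        # A bare username inside the tunnel is local to the home server.
        return True, "inner identity has no realm; treated as local user"
    if outer.realm == inner.realm:
        return True, "outer and inner realms match"
    if policy.mode == "strict":
        return False, (f"inner realm '{inner.realm}' differs from outer realm "
                       f"'{outer.realm}' and strict policy is in force")
    if inner.realm in policy.allowed_inner.get(outer.realm, set()):
        # Explicit opt-in: the operator has said this realm pair is intentional.
        return True, (f"inner realm '{inner.realm}' explicitly permitted under "
                      f"outer realm '{outer.realm}' (non-default configuration)")
    return False, (f"inner realm '{inner.realm}' is not permitted under outer "
                   f"realm '{outer.realm}'")


if __name__ == "__main__":
    strict = RealmPolicy()
    mapped = RealmPolicy(mode="mapped",
                         allowed_inner={"example.com": {"example.org"}})
    # Constructed sample pairs, using the realms from the quoted draft text.
    for outer_id, inner_id, pol in [
        ("anonymous@example.com", "alice@example.com", strict),
        ("anonymous@example.com", "alice@example.org", strict),
        ("anonymous@example.com", "alice@example.org", mapped),
        ("anonymous@example.com", "alice@example.net", mapped),
    ]:
        ok, why = check_realms(outer_id, inner_id, pol)
        print(f"{outer_id:24} {inner_id:20} {pol.mode:7} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The default is the strict behaviour, and the relaxed mapping has to be written down per outer realm rather than switched on globally, so an operator who needs Tim's multi-domain layout makes that choice visibly in configuration rather than by accident.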