> >> Josh's idea to get around the RADIUS MTU issue is to include a
> >> compressed authentication assertion in the RADIUS response and
> >> for the SP to make a SAML attribute query. The authentication
> >> assertion would effectively serve as a token for the SP to prove
> >> it was entitled to attributes surrounding the subject.
>
> Scott> That's a bit of a complex approach and requires implementing
> Scott> WS-Security-based SOAP queries, which is not something I'd
> Scott> take on without a really good reason.
>
> How does authentication for attribute queries actually happen
> then today?
I think we might have our wires crossed slightly. My suggestion was that
the SP uses the Subject from the assertion within the AttributeQuery, as
normally happens with attribute query, not the entire assertion. I agree
with Scott that using an assertion as a token would be rather complex.
However, I think I initially misunderstood Sam's proposal. I assumed
that the attribute query and response would be "signed" using the key
sent to the SP over RADIUS.
josh.
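As an added illustration of Josh's point (example code, not from this thread or from any of the software mentioned): the SP copies only the Subject/NameID out of the assertion into a samlp:AttributeQuery, so the assertion itself never has to be carried again as a token. The sample assertion, entity IDs, timestamps and message IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

# Constructed sample assertion (placeholder values, not real traffic).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        SPNameQualifier="https://sp.example.ac.uk/shibboleth">abc123</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
</saml:Assertion>"""


def extract_subject(assertion_xml: str) -> dict:
    """Return the NameID value plus its attributes (Format, qualifiers) from the Subject."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no usable Subject/NameID")
    return {"value": name_id.text.strip(), **name_id.attrib}


def build_attribute_query(sp_entity_id: str, subject: dict,
                          query_id: str, issue_instant: str) -> str:
    """Build a samlp:AttributeQuery that carries the Subject only, never the assertion."""
    ET.register_namespace("saml", SAML)
    ET.register_namespace("samlp", SAMLP)
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery",
                       {"ID": query_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = sp_entity_id
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    # Re-use the NameID exactly as issued (same Format and qualifiers) so the IdP/AA
    # can match it against the identity it asserted earlier.
    name_id = ET.SubElement(subj, f"{{{SAML}}}NameID",
                            {k: v for k, v in subject.items() if k != "value"})
    name_id.text = subject["value"]
    return ET.tostring(query, encoding="unicode")


def query_from_assertion(assertion_xml: str, sp_entity_id: str,
                         query_id: str, issue_instant: str) -> str:
    """Convenience wrapper: assertion in, AttributeQuery out."""
    return build_attribute_query(sp_entity_id, extract_subject(assertion_xml),
                                 query_id, issue_instant)
```

Signing the resulting query (or sending it over a mutually authenticated SOAP channel) is a separate step that this snippet does not perform.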
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG