So, this is great news. There appears to be a bit of a disconnect
though in functionality.

The authentication in Moonshot will be via EAP. That means you won't
get a username or password (at least under the interesting cases,
although I guess we *could* backend PAP into an IDP if we really
wanted.)

I thought what you and Josh had talked about was performing an attribute
query rather than an authentication request so that the RADIUS server
rather than the SAML IDP handles authentication. That means you'd need
to have something to authenticate to for the attribute query that the
IDP will always trust. This does constrain the IDP configuration
somewhat.

The username may have a realm attached or it may not. Generally though
you will be configured to use a single IDP.

--Sam