Thanks Sam. Let Rafa and me look into this.
David
On 23/05/2014 13:58, Sam Hartman wrote:
>>>>>> "Rafa" == Rafa Marin Lopez <[log in to unmask]> writes:
>
> Rafa> Hi David:
> >> On 23/05/2014 10:18, Rhys Smith wrote:
> >>> On 23 May 2014, at 09:50, Gabriel López <[log in to unmask]> wrote:
> >>>
> >>>> Thinking a bit more about it, and the use case you described...
> >>>> Would it be possible for the RP and IdP to belong to two different
> >>>> CoIs? If so, how does the IdP know the right CoI to use? The RP
> >>>> should specify the desired CoI beforehand or the idP could
> >>>> issue the same attribute with two different values (one for
> >>>> each CoI value), but then the RP should check both of them in
> >>>> order to find the right value....
> >>>
> >>> As it stands in the world of Trust Router, RPs belong to a
> >>> single community of interest (IdPs are obviously members of as
> >>> many as they wish).
> >>
> >> I believe that Sam said this was a current implementation limit
> >> and not a conceptual one. I believe this restriction should be
> >> removed as a single RP may host different resources that require
> >> different LOAs (i.e. trust levels) in order to be
> >> accessed. Constraining it to be in a single CoI seems to be
> >> unnecessarily restrictive
>
> Rafa> Completely agree with you. I would personally not understand
> Rafa> the restriction of having an RP belonging to a single CoI.
>
> Rafa> P.S.: However, if the RP is allowed to belong to different CoIs,
> Rafa> then when a user requests access I was wondering how the
> Rafa> RP selects the appropriate CoI.
>
>
> So there are several things going on here:
>
> 1) Some very serious restrictions in our current FreeRADIUS trust router
> integration regarding COI specification. That's a code limitation and
> we're working on removing that. We plan to get to a level where you can
> specify a COI per RADIUS client.
>
> 2) No current way to specify COI between the RP and RP proxy. If
> someone comes up with a compelling use case this isn't a big deal to
> fix. But see below.
>
> 3) The only information you get before you need to decide what COI to
> use is the realm of the IDP.
> We'd actually talked about having a set of COIs and you'd select the
> first COI in which the target realm exists; we haven't implemented this
> but it would be easy.
>
> Perhaps you and David could work on a proposal at the ABFAB layer to
> negotiate something like COI and to provide extensions to GSS-API and
> SSPI to make it available either at the initiator or acceptor.
> That's probably the first step towards an implementation of the
> flexibility you're looking for.
>
> --Sam
>
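Sam's third point above (select the first CoI, from an ordered list, in which the target realm exists, because the IdP realm is the only information available when the choice has to be made) combined with his first (a COI list per RADIUS client), written out as an added example. This is illustration code for this thread, not Trust Router or FreeRADIUS code; the client names, CoI names, realms and membership tables are all constructed, and the realm is taken from the NAI as the text after the last '@' (RFC 7542), compared case-insensitively.

```python
"""Added example (not Trust Router or FreeRADIUS code): CoI selection by realm.

Assumes an ordered per-RADIUS-client list of CoIs, each CoI being a set of
member IdP realms, and picks the first CoI that contains the target realm,
which is the only thing the RP proxy knows when it must choose a CoI.
"""
from typing import Optional

# Constructed sample data: RADIUS client name -> ordered list of candidate CoIs.
# All names are hypothetical.
CLIENT_COIS = {
    "eduroam-wifi": ["coi-a.example", "coi-b.example"],
    "hpc-gateway": ["coi-b.example"],
}

# Constructed sample data: CoI name -> realms whose IdPs are members of it.
COI_MEMBERS = {
    "coi-a.example": {"um.es", "cardiff.ac.uk"},
    "coi-b.example": {"um.es", "painless-security.com"},
}


def realm_from_nai(nai: str) -> Optional[str]:
    """Return the realm of a Network Access Identifier (RFC 7542), lower-cased.

    The realm is whatever follows the last '@'. An NAI with no realm, or an
    empty one, yields None; realm comparison is case-insensitive.
    """
    if "@" not in nai:
        return None
    realm = nai.rsplit("@", 1)[1].strip().lower()
    return realm or None


def select_coi(client: str, nai: str,
               client_cois=CLIENT_COIS, coi_members=COI_MEMBERS) -> Optional[str]:
    """Pick the CoI to use for a request from `client` on behalf of `nai`.

    Walks the client's ordered CoI list and returns the first CoI that lists
    the target realm as a member. Returns None, meaning the caller should
    reject the request rather than guess, when the client is unknown, the NAI
    carries no realm, or none of the client's CoIs contains the realm.
    """
    realm = realm_from_nai(nai)
    if realm is None:
        return None
    for coi in client_cois.get(client, []):
        members = {r.lower() for r in coi_members.get(coi, set())}
        if realm in members:
            return coi
    return None


if __name__ == "__main__":
    for client, nai in [("eduroam-wifi", "alice@um.es"),
                        ("hpc-gateway", "bob@cardiff.ac.uk"),
                        ("eduroam-wifi", "carol")]:
        print(client, nai, "->", select_coi(client, nai))
```

Note that ordering matters when a realm is a member of more than one CoI: um.es is in both constructed CoIs, so the eduroam-wifi client gets coi-a.example while hpc-gateway gets coi-b.example. That is exactly the ambiguity Rafa and Gabriel raise, and the "first match in an ordered list" rule resolves it by configuration on the RP side rather than by anything the IdP signals.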