>>>>> "Rafa" == Rafa Marin Lopez <[log in to unmask]> writes:
Rafa> Hi David:
>> On 23/05/2014 10:18, Rhys Smith wrote:
>>> On 23 May 2014, at 09:50, Gabriel López <[log in to unmask]> wrote:
>>>
>>>> Thinking a bit more about it, and the use case you described...
>>>> Would it be possible for an RP and an IdP to belong to two different
>>>> CoIs? If so, how does the IdP know the right CoI to use? The RP
>>>> should specify the desired CoI beforehand or the idP could
>>>> issue the same attribute with two different values (one for
>>>> each CoI value), but then the RP should check both of them in
>>>> order to find the right value....
>>>
>>> As it stands in the world of Trust Router, RPs belong to a
>>> single community of interest (IdPs are obviously members of as
>>> many as they wish).
>>
>> I believe that Sam said this was a current implementation limit
>> and not a conceptual one. I believe this restriction should be
>> removed as a single RP may host different resources that require
>> different LoAs (i.e. trust levels) in order to be
>> accessed. Constraining it to be in a single CoI seems to be
>> unnecessarily restrictive.
Rafa> Completely agree with you. I would personally not understand
Rafa> the restriction of having an RP belonging to a single CoI.
Rafa> P.S.: However, if the RP is allowed to belong to different CoIs,
Rafa> then when a user requests access I was wondering how the
Rafa> RP selects the appropriate CoI.
So there are several things going on here:
1) Some very serious restrictions in our current FreeRADIUS trust router
integration regarding COI specification. That's a code limitation and
we're working on removing that. We plan to get to a level where you can
specify a COI per RADIUS client.
2) No current way to specify COI between the RP and RP proxy. If
someone comes up with a compelling use case this isn't a big deal to
fix. But see below.
3) The only information you get before you need to decide what COI to
use is the realm of the IDP.
We'd actually talked about having a set of COIs and you'd select the
first COI in which the target realm exists; we haven't implemented this
but it would be easy.
Perhaps you and David could work on a proposal at the ABFAB layer to
negotiate something like COI and to provide extensions to GSS-API and
SSPI to make it available either at the initiator or acceptor.
That's probably the first step towards an implementation of the
flexibility you're looking for.
--Sam