Hi.
There are two semi-related concepts in our architecture:
* rp_realm at the TID layer. That is, a temporary identity client
claims a particular rp_realm which determines community membership and
affects constraints.
* acceptor realm: a RADIUS attribute that is constrained by realm
constraints.
It seems clear that the IDP RADIUS server wants access to the acceptor
realm.
Does it care about the RP realm?
If it were easy, I'd just make it available in case someone wants it.
However, currently we don't carry the RP realm in the request. It's
relatively easy to make available the set of possible RP realms that
have been authorized by the trust router, although doing that would add
some processing complexity to what will end up being some already
complex unlang.
I can't think of a real reason you'd want it, though, and without such a
reason I would prefer to just focus on the acceptor realm at the RADIUS
layer.
An alternative if we find we really need RP realm is to define an
attribute for it and to carry it too.
In most cases I'd expect acceptor realm and RP realm to be the same. If
they are not, constraints will make sure that it's something permitted
going on.
--Sam