Hi all, we changed little bit the way we want to do the delegations. Instead of using kerberos tickets (and KDC ) we will use X509 certificates. I now have testing CA on the radius server end. After successful authentication, I make a key pair and corresponding certificate for the client. I'd like to send those to the service end (as it might act as a client afterwards). The easiest way seems to be to use SAML assertions (as those are already used in liveDVD I use and it works). I can't see the proper elements to use on the first sight, maybe someone can help me. <saml:Attribute Name=some oid?> <saml:AttributeValue> cert. there </saml:AttributeValue></saml:Attribute> but I don't know if it can be done this way. Or I can see <ds:X509Certificate> in the xmldsig profile, this may be the better way. Thx Marcel Poul On 09/29/2013 03:13 PM, Alan Buxey wrote: > hi, > > an interesting use case but I fear that the client end would have to > have additional code and functions to perform this request - the RADIUS > end would ALSO have to have changes to pass the required serviceprincipal > stuff down to the client within the EAP section. > > alan >