>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:

    >> You might need to unpack that for me. I agree that the value of
    >> CUI is not scoped explicitly, but the IDP scope can be obtained
    >> from the RADIUS context. That can be enforced by the trust router
    >> network.

    Stefan> In a trust router network context one could draw that
    Stefan> conclusion, yes, especially considering the SP and IDP make
    Stefan> a point-to-point connection.

Well, no. I get an opaque identifier from the IDP at the RP-side proxy. How do I decide whether I should permit that value to go towards the RP? The RP is likely to have this value on ACLs and the like. I need to enforce that no two IDPs can have the same value. I know which IDP it's coming from, but we have not proposed a mechanism to make this safe to use.
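The collision problem described in the message, as an added illustration that is not part of the thread or of any trust router implementation: an RP whose ACL is keyed on the raw CUI string grants access to a second IdP that emits the same opaque value, while an RP-side proxy that knows the issuing realm from the RADIUS context can bind the value to that realm and refuse to forward a value it has already seen from a different IdP. Realm names, CUI strings, the ACL and the `!` separator are constructed assumptions for the example.

```python
from typing import Dict, NamedTuple, Optional, Tuple

class AccessAccept(NamedTuple):
    idp_realm: str  # IdP this came from; known to the proxy from the RADIUS/trust-router context
    cui: str        # opaque Chargeable-User-Identity chosen by that IdP

# Constructed sample: the RP earlier granted "project-share" to the opaque value
# it saw for a user of idp-a.example, keyed on the raw CUI string only.
UNSCOPED_ACL: Dict[str, str] = {"opaque-7f3a": "project-share"}

def rp_decision_unscoped(acc: AccessAccept) -> Optional[str]:
    """RP lookup when the proxy forwards the CUI untouched: any IdP that emits
    the same string matches the ACL entry, whichever realm it came from."""
    return UNSCOPED_ACL.get(acc.cui)

class RpSideProxy:
    """Proxy in front of the RP. It uses the realm it received each
    Access-Accept from to bind the CUI to its issuer and to drop a value
    already seen from another realm (the "no two IDPs share a value" rule)."""

    def __init__(self) -> None:
        self.first_seen_realm: Dict[str, str] = {}  # raw CUI -> realm that first issued it

    def qualify(self, acc: AccessAccept) -> str:
        # Assumed separator '!' must not occur in a realm, else the pair is ambiguous.
        if "!" in acc.idp_realm:
            raise ValueError("realm must not contain the separator")
        return f"{acc.cui}!{acc.idp_realm}"

    def forward(self, acc: AccessAccept) -> Optional[str]:
        """Return the realm-qualified identifier to pass to the RP, or None to drop."""
        issuer = self.first_seen_realm.setdefault(acc.cui, acc.idp_realm)
        if issuer != acc.idp_realm:
            return None  # same opaque value from a second IdP never reaches the RP
        return self.qualify(acc)

def rp_decision_scoped(scoped_acl: Dict[str, str], forwarded: Optional[str]) -> Optional[str]:
    """RP lookup on the qualified value; a dropped request never hits the ACL."""
    return None if forwarded is None else scoped_acl.get(forwarded)

def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    legit = AccessAccept("idp-a.example", "opaque-7f3a")
    colliding = AccessAccept("idp-b.example", "opaque-7f3a")  # same string, other IdP
    proxy = RpSideProxy()
    scoped_acl = {proxy.qualify(legit): "project-share"}
    return (rp_decision_unscoped(colliding),                          # granted by mistake
            rp_decision_scoped(scoped_acl, proxy.forward(legit)),     # the intended user
            rp_decision_scoped(scoped_acl, proxy.forward(colliding))) # dropped at the proxy

if __name__ == "__main__":
    print(demo())  # ('project-share', 'project-share', None)
```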