> * Value a hash of Gss-Acceptor-Service-Name, NAI, salt.

Just one small thing... Would this value formula be *prescribed*, i.e. in IETF terms a 'MUST', or would it be a *recommendation*, i.e. a 'SHOULD' or a 'MAY'? I'd venture to say that this should be up to the COIs to decide what format they'd like. If for example you have a group who use SAML now, but would like to preserve some of their identifiers in the AAA RADIUS attribute instead of shipping a SAML-AAA-Attribute, who are we to stop them?

> Recommendation would typically be to send moonshot-service-targetedid by default, and
> moonshot-realm-targetedid if the IdP trusts the realm enough to do so or the COI policy
> requires it, ditto moonshot-tr-coi-targetedid. User-Name only where absolutely required
> and policy in place that details its protection.

Yes, I would definitely agree with this. It makes sense.

Regards

Stefan

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238