
cat-users - Re: [[cat-users]] CAT installer broken on TTLS PAP

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Alberto Martínez <alberto_martinez AT deusto.es>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: twoln AT umk.pl, cat-users AT lists.geant.org, paolo.cecchini AT uniurb.it
  • Subject: Re: [[cat-users]] CAT installer broken on TTLS PAP
  • Date: Tue, 23 Oct 2018 16:46:50 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=deusto.es

Hi,

> Just for the sake of making an argument, I'd like to point out that
> something@staff is not a valid user identifier in the sense of the
> IETF's "Network Access Identifier (NAI)" RFC. Nor is something with two
> @@ signs in it or an @. .
>
> If this kind of identifier is used /without/ enabling outer identity
> with a correct NAI, it leads to actual breakage when roaming. I'm
> assuming that this IdP has thus turned on outer identities, making this
> internal use "okay".
>
> So, I think in general we have a point in testing for these conditions.
> But since reality shows us that these identifiers are in actual
> deployment, and our sense for standards-correctness is getting in the
> way of real deployments, I'm okay with removing the check.

I appreciate that you are favoring reality instead of correctness, but if that check gets removed every other institution will receive more support calls from people who don't input the expected NAI domain on the installer.
Can this be a configuration item checked on by default, instead? "inner User-Name domain must match outer (anonymous) identifier's domain"

Regards,
Alberto
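
Added example, not part of the original message and not CAT's own code: a sketch of the check discussed in this thread as a switch that is on by default. The function names, the `enforce` parameter and the example.org identities are assumptions made for illustration, and the realm check is a simplified ASCII-only reading of the NAI syntax.

```python
import re

# Simplified ASCII-only realm label: starts and ends with a letter or digit,
# hyphens allowed inside. The NAI RFC also permits UTF-8; not handled here.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def split_nai(identity):
    """Return (username, realm) or raise ValueError naming the problem."""
    if identity.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    username, realm = identity.split("@")
    labels = realm.split(".")
    if len(labels) < 2:
        raise ValueError("realm has no dot")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("realm has an empty or malformed label")
    return username, realm.lower()


def check_inner_identity(inner, outer, enforce=True):
    """Return a list of problems; an empty list means the input is accepted.

    enforce is the hypothetical per-profile switch, on by default. Turning it
    off accepts identifiers such as something@staff, which is only safe when
    the outer identity carries a routable realm.
    """
    if not enforce:
        return []
    try:
        # The outer identity may have an empty user part (anonymous, "@realm").
        _, outer_realm = split_nai(outer)
    except ValueError as exc:
        return [f"outer identity: {exc}"]
    try:
        username, inner_realm = split_nai(inner)
    except ValueError as exc:
        return [f"inner identity: {exc}"]
    if not username:
        return ["inner identity: empty user part"]
    if inner_realm != outer_realm:
        return [f"inner realm {inner_realm!r} does not match "
                f"outer realm {outer_realm!r}"]
    return []
```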



