The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Alberto Martínez <alberto_martinez AT deusto.es>]

Sorry, I read too fast and spoke too early.

I see that the configuration items for checking the inner User-Name are already in place.

Have a nice day.

El mar., 23 oct. 2018 a las 16:46, Alberto Martínez (<alberto_martinez AT deusto.es>) escribió:

Hi,

Just for the sake of making an argument, I'd like to point out that
something@staff is not a valid user identifier in the sense of the
IETF's "Network Access Identifier (NAI)" RFC. Nor is something with two
@@ signs in it or an @. .

If this kind of identifier is used /without/ enabling outer identity
with a correct NAI, it leads to actual breakage when roaming. I'm
assuming that this IdP has thus turned on outer identities, making this
internal use "okay".

So, I think in general we have a point in testing for these conditions.
But since reality shows us that these identifiers are in actual
deployment, and our sense for standards-correctness is getting in the
way of real deployments, I'm okay with removing the check.

I appreciate that you are favoring reality instead of correctness, but if that check gets removed every other institution will receive more support calls from people who don't input the expected NAI domain on the installer.

Can this be a configuration item checked on by default, instead? "inner User-Name domain must match outer (anonymous) identifier's domain"

Regards,

Alberto

--

Alberto Martínez Setién
Middleware
Comunicación y Sistemas
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 94 413 90 00 Ext. 2684
Fax: +34 94 413 91 01