SSO EAP-TLS PIN Caching Behavior

This topic provides a step-by-step approach for resolving matters of session resumption and re-authentication of a roaming user in an SSO EAP-TLS environment.

Step-By-Step Approach

The steps are as follows:

  • After the first successful authentication in an SSO environment with EAP-TLS, the supplicant retains all user-credential-related information by default.

    Note

    Although subject to the particular supplicant implementation, it is advisable for the supplicant to retain the entire EAP_CONFIG_INPUT_FIELD_ARRAY structure that it last passed to EAPHost in the EapHostPeerQueryUserBlobFromCredentialInputFields call.


  • When the user first roams and re-authentication begins, the supplicant calls EapHostPeerQueryUserBlobFromCredentialInputFields again with the same EAP_CONFIG_INPUT_FIELD_ARRAY structure; the supplicant must also pass in the same user BLOB that it retained after the first successful authentication.

  • EAPHost then passes the information in the user BLOB to the EAP method.

  • The EAP method in turn updates the user BLOB with the credential fields (the PIN, for example) provided in pEapConfigInputFieldArray, and keeps the remaining values (the server certificate, for example) as they were in the original user BLOB.

  • After completing these steps, the supplicant can resume authentication in a normal way by calling the EapHostPeerBeginSession run-time function with this user BLOB.
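The following portable C model is an added example (not Microsoft's EAPHost code) of the caching contract described in the steps above: the supplicant retains the input field array and the user BLOB after the first authentication, and on roaming re-uses both so the user is not prompted for the PIN again, while the method's update keeps every non-credential value already in the BLOB. The field identifiers, the BLOB layout and the server certificate value are constructed for illustration; the real user BLOB is opaque to the supplicant.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_PIN         1  /* credential field carried in the input field array  */
#define FIELD_SERVER_CERT 2  /* non-credential value the EAP method keeps in the BLOB */
#define MAX_FIELDS        8

typedef struct { int id; char value[64]; } Field;
typedef struct { int count; Field f[MAX_FIELDS]; } FieldSet;

/* Supplicant-side cache: the input field array last passed to EAPHost and the
 * user BLOB EAPHost returned (models EAP_CONFIG_INPUT_FIELD_ARRAY + user BLOB). */
typedef struct { int valid; int prompts; FieldSet input_fields; FieldSet user_blob; } SupplicantCache;

static void set_field(FieldSet *s, int id, const char *v) {
    int i;
    for (i = 0; i < s->count && s->f[i].id != id; i++) { }
    if (i == s->count) { if (s->count == MAX_FIELDS) return; s->f[s->count++].id = id; }
    snprintf(s->f[i].value, sizeof s->f[i].value, "%s", v);
}

const char *get_field(const FieldSet *s, int id) {
    for (int i = 0; i < s->count; i++) if (s->f[i].id == id) return s->f[i].value;
    return NULL;
}

/* Models steps 3-4: credential fields from the input array overwrite the matching
 * BLOB fields; everything else already in the BLOB (e.g. server cert) is kept. */
static void method_update_blob(FieldSet *blob, const FieldSet *input_fields) {
    for (int i = 0; i < input_fields->count; i++)
        set_field(blob, input_fields->f[i].id, input_fields->f[i].value);
}

/* First authentication: prompt for the PIN once, obtain the BLOB, retain both. */
void first_authentication(SupplicantCache *c, const char *pin_from_user) {
    memset(c, 0, sizeof *c);
    c->prompts = 1;                                  /* the user typed the PIN once */
    set_field(&c->input_fields, FIELD_PIN, pin_from_user);
    method_update_blob(&c->user_blob, &c->input_fields);
    set_field(&c->user_blob, FIELD_SERVER_CERT, "cn=radius.example (constructed)");
    c->valid = 1;
}

/* Roaming re-authentication (steps 2-5): no new prompt; the retained field array
 * is passed together with the retained BLOB and the method merges them. */
int roam_reauthenticate(SupplicantCache *c) {
    if (!c->valid) return 0;                         /* nothing cached: a prompt would be needed */
    method_update_blob(&c->user_blob, &c->input_fields);
    return 1;                                        /* BLOB ready for EapHostPeerBeginSession */
}
```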

SSO EAPHost Scenarios

SSO and PLAP