Hi,
In FR 3.0.x prior to my query (and Alan D's fix), if you called 'cui' in default's post-auth (please note, *not* cui-inner, which still functions as advertised), User-Name was stripped regardless of whether a CUI was generated in the outer Access-Accept or not. IMO that was wrong. If anything, if it didn't generate a CUI, it should leave the User-Name well alone (which it does now).
yes, that is wrong - and I dont know where that came from as we have the older stuff here and it didnt do that
The fix Alan D has put in place means that *only* if a CUI exists in the outer Access-Accept, will User-Name be stripped.
..and that is wrong too IMHO - CUI isnt anonymous - CUI is an identifier that cannot be influenced by the end user so can be trusted by a visited site to be something that will mark the same person no matter what client (or change to CSI they do ) they use or change to their outerID that they do alan