...
Not all EAP types and non-EAP authentication methods need or support all types of credentials in the list below.
While the Schema allows to put all kinds of credential information inside every AuthenticationMethod, even where the information is not applicable, tags elements which are not applicable for an authentication EAP or non-EAP type SHOULD NOT be included in the corresponding instance of AuthenticationMethod or InnerAuthenticationMethod when producing the XML file, and MUST be ignored by the entity consuming the XML file if present in the XML file.
...
If the optional attribute "lang" for the EAPIdentityProvider tag element is specified, then all user-displayable strings inside this tag element are to be considered suitable for use in user interfaces in that language. Individual lang tags attributes for the sub-tags child elements inside EAPIdentityProvider then SHOULD NOT be used.
If the optional attribute "lang" for the EAPIdentityProvider tag element is not set, individual sub-tags child elements which contain user-displayable strings SHOULD be marked with the language they are written/available in.
...
The EAP metadatafile can contain extra information about the InnerIdentity, mostly used to streamline domain the realm specific InnerIdentity form elementselement:
InnerIdentityPrefixcontains the required domain realm prefix if any. E.g. DOMAIN/InnerIdentitySuffixcontains the required domain realm suffix, if any. E.g. @DOMAINInnerIdentityHintis a boolean, telling the app to populate the InnerIdentity field using the InnerIdentityPrefix or Suffix and placing the cursur a the correct place (after the / if prefix is used or before the @ in the case of suffix).
...
Based on these authentication methods, there are various "flows" we can have possible to continue connecting. We will discuss these in the next sections.
1.2. Needs login credentials
The first possibility is that the user needs to provide login credentials. This is the case where the authentication method IS is NOT TLS (meaning method code IS is NOT 13) and where the client has not gotten received previous credentials before.
The user then needs to input his her username (including the @realm@REALM) and password in the UI. If there is a possibility that this can be automatically configured within the OS UI then this MUST be preferred.
...
If the authentication method is TLS then a client certificate (PKCS12) MUST be provided. If the client cannot read this certificate due to encryption, a passphrase MUST be used to decrypt the containerciphertext.