OpenSAML user discussion

["Scott Cantor" <>]

>       This is not at all clear to me from saml-core sects. 2.7.3 or
3.3.2.3
> (I'm looking at the SAML 2.0 spec dated 15 March 2005), but I'm
> certainly interested to know what best practices are in terms of
> defining SAML attributes. Is there another part of the spec that I'm
> missing? Or is this a best practice defined outside the core spec?

I thought the text about xsi:type was stronger there, just me projecting
probably. What it says should be read more as a strong warning against using
xsi:type with a non-standard type, because in practice you don't know who
validates and who doesn't, and nobody ever has the right set of schemas on
hand if they do. It's the standard "be conservative in what you send" maxim.

Granted your use case is different, but the underlying issue remains that
SAML attributes should be self-defining based on their name (which should be
unique) and should not rely on other type indicators if you want to be as
interoperable as possible. OpenSAML, at least my version, reflects that
opinion.

-- Scott