Shibboleth Developers

[Scott Cantor <>]

> IMHO I think the default configuration should _just work_.
> If the default configuration does not _just work_ then it 
> should be modified and fixed until it _just works_.

It can't just work unless you give it enough information to work. It can't 
know what your site's domain is, and we don't have time
to write a wizard to generate the config files. Eventually that might be a 
good idea, though I don't personally think it's the
greatest use of our resources.

> this means that a default-configuration origin should work 
> sufficiently to talk to a default-configuration target.  This 
> means that it should definitely be sending a valid 
> affiliation (which is a scoped attribute, no?)

What is the definition of valid? It can send a valid attribute, but the 
target will rightly reject it as coming from a site not
authorized to send it unless the target's metadata matches the origin's 
domain name.

By default the origin comes up as shibdev.edu once the right entries are 
uncommented, and the target by default knows about that
site.

Of course, for some definition, sending no attributes at all "works". The 
target won't care unless you require attributes that make
it care.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--