Shibboleth Developers

[Scott Cantor <>]

> We're probably about to begin registering some service providers 
> within IQ. This will require the IQ administration to assign 
> providerId values to these targets.... do people have thoughts on a 
> default  approach for developing these values?

I don't think they need to be assigned, just approved.

> the two obvious options are:
> 
> 1) url values. The shibboleth.xml file in the current distribution 
> uses this approach. eg https://example.org/shibboleth/target
> 
> 2) urn's.

URNs will either be specific to something they shouldn't be (like inqueue)
or require more work to manage. They work well for IdPs because an IdP tends
to be more federation-centric so far, and also can easily use whatever value
they like when responding to different SPs. An SP can't do that today, it
has to pick a single value to use for each of its applications. URNs are
also harder to resolve into something.

> Since every providerId that a service provider wants to publish to 
> the world will have to be in the Federation metadata, it might be 
> worth exploring whether/how IQ Admin might be able to delegate the 
> authority for assigning providerIds within specific name spaces.......
> its likely, tho, that we don't have to resolve this in 
> the short term.....

Don't. Just self-select using a simple best-practices guideline and the
admins can just sanity check it. For IQ it doesn't matter anyway, for
InCommon they would need to check the domain name with dig and just make
sure it's owned by who is claiming it.

A simple best practice is https://<domain>/shibboleth

It's simple, it can be resolved easily later into metadata, it will be
usable by just about any federation they enter into, etc.

-- Scott