Shibboleth Developers

["RL 'Bob' Morgan" <>]

> Question: is transmitting binary record (such as an attribute 
> certificate) supported by SAML in shibboleth? If yes, how to change the 
> configuration to send the binary record from AA to Shar?

I'll defer to Walter and Scott on what the code actually does, but I'm 
pretty sure that all the existing attribute-handling only supports UTF-8 
string values, not binary.  There is no existing profile for handling 
X.509 certificates as attributes in Shibboleth (or in SAML 1.1, which 
defines no specific attribute usage at all).  In SAML 2.0 there is a 
profile defined for handling arbitrary X.500/LDAP attributes, which says 
that for those whose LDAP encoding is not a UTF-8 string, the binary value 
is base64-encoded for transmission (as the content of the AttributeValue 
element).  So I suggest that this is the approach to follow, and I think 
it would be up to you to code support for base64-ing this value in the AA, 
and decoding it at the Shib SP.

I'll note also that the SAML 2.0 X.500/LDAP profile specifies that 
attributes are named using urn:oid: -based names.  So in cases such as 
this where we're adding the handling of new attributes in Shib, we will 
have to consider whether to continue following our existing convention of 
giving them MACE-defined names (urn:mace:dir:attribute-def:...) or to use 
this new approach.  In this case I'd say we should use the urn:oid: name.

 - RL "Bob"