Shibboleth Developers

["Scott Cantor" <>]

> My confusion or feeling of inconsistency comes from the fact that the 
> Origin (according to the documentation) checks if the value retrieved 
> from DataConnector has "@whatever"; then, if that is present, it is used 
> as the scope domain.

Different issue. That's nothing more than arbitrary code used during
attribute construction based on what people might or might need when they
pull information from databases. How that works is an entirely arbitrary and
unrelated issue to this.

And note that it only does that if you tell it to. If the attribute is
unscoped, it does nothing of the sort.

> This logic defines the meaning that any Attributes used in Shibboleth 
> have this special syntax, where "@whatever", if present, means a scope 
> domain, which may be different to the default domain defined in the ARP 
> (smartScope).

Definitely not. The VALUE (in the holy writ sense) to Shibboleth is the XML
syntax. Nothing else can be considered formally part of the equation, I
think, and there are no hidden meanings attached to anything.

> (and that is why I assumed that the Target uses the same approach).
> (and that is why our software also makes the same assumption - if 
> "@whatever" is present, its a scope domain)

You can never make such a decision without knowledge of the attributes.
Nothing we ever imposed could ever apply without regard for the specific
definition of the attribute.

You might consider (from what I know of your project) consuming the SAML
directly and not relying on the strings. Those are, essentially, a lossy
format. In this particular case, without knowing the attribute definition,
you can't know whether something is scoped only by looking at the string.
Simply can't be done (e.g. email address), and it's not a limitation I
created.

You can, however, tell by looking at the XML. It all depends on what you're
trying to do, but I think this is all separate from how I did or didn't
choose to map a directory string of 
value@domain
 to XML and back. The fact
that it's a two-part value is part of the attribute's definition, not based
on the arbitrary presence of an @ sign.

-- Scott