
shibboleth-dev - Re: Strawman AuthnRequest profile #2 (ignore previous)

Subject: Shibboleth Developers


Re: Strawman AuthnRequest profile #2 (ignore previous)


  • From: Tom Scavo
  • To: Scott Cantor
  • Cc: Shibboleth Developers
  • Subject: Re: Strawman AuthnRequest profile #2 (ignore previous)
  • Date: Wed, 5 Jan 2005 09:48:14 -0500

On Tue, 4 Jan 2005 19:25:36 -0500, Scott Cantor wrote:
> > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
> > AssertionConsumerServiceURL="https://sp.org/SAML2/SSO/Artifact"
> > ProviderName="My Service Provider">
>
> These three attributes are probably in the category of "rarely used", so
> maybe don't make the best examples.

Thanks. I can understand ProviderName, but as you mentioned earlier,
ProtocolBinding and AssertionConsumerServiceURL replace the shire
parameter, so I'm not sure why you would want to omit them. Are you
making some assumptions about metadata?

> > <samlp:NameIDPolicy
> > AllowCreate="true"
> > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
> > </samlp:AuthnRequest>
>
> Similarly, I suspect using AllowCreate with anything but persistent is
> probably also rare. It's not nonsensical, it's just kind of a competing set
> of deployment considerations.

I assume you're referring to a persistent identifier such as
eduPersonTargetedID. As I read the SAML 2.0 spec, AllowCreate is
required for ANY identifier, not just persistent identifiers. If
that's true (there is nothing in the spec to suggest otherwise), then
a value of true is required here (since the default value is false).

Tom
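
An added example, not part of the original message or of Shibboleth's code: how an identity provider could resolve the attributes discussed in this thread, matching ProtocolBinding and AssertionConsumerServiceURL against the endpoints registered in SP metadata when present, falling back to the metadata default when omitted, and applying the schema default of false for AllowCreate. The ID, Version and IssueInstant values, the SP_ENDPOINTS list and the resolve() function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ART = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed request: attribute values are the ones quoted in the thread;
# ID, Version and IssueInstant are placeholders added to complete the element.
REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    ID="_constructed-id" Version="2.0" IssueInstant="2005-01-05T00:00:00Z"
    ProtocolBinding="{ART}"
    AssertionConsumerServiceURL="https://sp.org/SAML2/SSO/Artifact"
    ProviderName="My Service Provider">
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""

# Hypothetical SP metadata: (binding, location) pairs, default endpoint first.
SP_ENDPOINTS = [
    (ART, "https://sp.org/SAML2/SSO/Artifact"),
    (POST, "https://sp.org/SAML2/SSO/POST"),
]

def resolve(request_xml, endpoints):
    """Return the effective response endpoint and NameIDPolicy for a request."""
    # Sample input only; parse untrusted XML with a hardened parser.
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    binding = root.get("ProtocolBinding")
    acs = root.get("AssertionConsumerServiceURL")
    # Whatever the SP asked for must match a registered endpoint; attributes
    # it omitted match anything, so an empty request gets the default.
    matches = [e for e in endpoints
               if binding in (None, e[0]) and acs in (None, e[1])]
    if not matches:
        raise ValueError("requested endpoint is not in the SP's metadata")
    binding, acs = matches[0]
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    # AllowCreate is an xs:boolean whose schema default is false.
    allow = policy is not None and policy.get("AllowCreate", "false") in ("true", "1")
    fmt = policy.get("Format") if policy is not None else None
    return {"binding": binding, "acs": acs, "allow_create": allow, "format": fmt}
```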


