shibboleth-dev - RE: Strawman AuthnRequest profile #2 (ignore previous)

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>
  • Cc: "'Shibboleth Developers'" <>
  • Subject: RE: Strawman AuthnRequest profile #2 (ignore previous)
  • Date: Wed, 5 Jan 2005 10:32:28 -0500
  • Organization: The Ohio State University

> Thanks. I can understand ProviderName, but as you mentioned earlier,
> ProtocolBinding and AssertionConsumerServiceURL replace the shire
> parameter, so I'm not sure why you would want to omit them. Are you
> making some assumptions about metadata?

Those attributes still assume metadata in most cases, so using the Index is
shorter and simply going to be much more common.

> I assume you're referring to a persistent identifier such as
> eduPersonTargetedID.

No, I'm referring to the SAML 2.0 "persistent" format (at which point,
hopefully our attribute name is subsumed).

> As I read the SAML 2.0 spec, AllowCreate is
> required for ANY identifier, not just persistent identifiers. If
> that's true (there is nothing in the spec to suggest otherwise), then
> a value of true is required here (since the default value is false).

Yes, but:

a) nobody seems to even use most of the old SAML formats
b) creation control pretty much assumes the Liberty use case
c) people using emails or other long term IDs are probably not ceding
control over ID creation to the SP

-- Scott
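
Added example, not part of the original message or of Shibboleth's code: a sketch of how an IdP could resolve the response endpoint from SP metadata, whether the AuthnRequest carries AssertionConsumerServiceIndex or the AssertionConsumerServiceURL/ProtocolBinding pair, and how an absent AllowCreate is read as false. The metadata table, URLs, request documents and function names are constructed for illustration, and falling back to the lowest index is a simplification.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Constructed SP metadata: ACS index -> (binding, location)
SP_ACS = {0: (POST, "https://sp.example.org/acs/post")}

def resolve_acs(req, acs_table):
    """Pick the response endpoint from metadata, never from the request alone."""
    idx = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if idx is not None:
        # SAML 2.0 core: the index is mutually exclusive with URL and binding
        if url is not None or binding is not None:
            raise ValueError("index combined with URL/ProtocolBinding")
        if not idx.isdigit() or int(idx) not in acs_table:
            raise ValueError("ACS index not in metadata")
        return acs_table[int(idx)]
    if url is not None:
        # A URL in the request is only a selector; it must match metadata
        for b, loc in acs_table.values():
            if loc == url and binding in (None, b):
                return (b, loc)
        raise ValueError("ACS URL not registered in metadata")
    return acs_table[min(acs_table)]  # simplification: lowest index as default

def name_id_policy(req):
    """Return (Format, AllowCreate); AllowCreate defaults to false when absent."""
    pol = req.find(f"{{{SAMLP}}}NameIDPolicy")
    if pol is None:
        return (None, False)
    return (pol.get("Format"), pol.get("AllowCreate", "false") in ("true", "1"))

def parse(xml):
    # Plain ElementTree for brevity; real input is untrusted XML
    return ET.fromstring(xml)

# Constructed requests: one by index, one naming an unregistered URL
HEAD = f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_a1" Version="2.0" '
BY_INDEX = (HEAD + 'AssertionConsumerServiceIndex="0">'
            f'<samlp:NameIDPolicy Format="{PERSISTENT}"/></samlp:AuthnRequest>')
BY_URL = (HEAD + f'ProtocolBinding="{POST}" '
          'AssertionConsumerServiceURL="https://unregistered.example.net/acs"/>')
```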



