
shibboleth-dev - RE: self service app to maintain Club Shib metadata, what metadata elements to access

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>, <>
  • Subject: RE: self service app to maintain Club Shib metadata, what metadata elements to access
  • Date: Thu, 17 Feb 2005 13:10:36 -0500
  • Organization: The Ohio State University

> EntityDescriptor/entityId -- the unique name of the entity. So far,
> we've been using a syntax of urn:mace:[federation name]:[org name]

That might need to be re-examined. It certainly doesn't apply to SPs. I
think we need to come up with the right set of questions to ask to generate
the SP name. Probably by prompting for "a valid DNS name that represents
your service (NOT a hostname)" and then just doing
https://<DNSname>/shibboleth

> (Question -- is there a need to let people create
> AuthnAuthorityDescriptor elements? )

No.

> 2) Within the AttributeAuthorityDescriptor element, people
> would enter:
>
> -- domain (same value as for IDSSO)
> -- AttributeService, url value for Location attribute

And KeyDescriptor. My example omits it because I do key name matching based
on the entityId. There's no trust file here.

> 3) Within the SPSSODescriptor element, people would enter:
>
> -- KeyDescriptor (paste in a self-signed cert?)
> -- AssertionConsumerService, a url value for the Location attribute

This needs to be multi-valued.

> the program would provide default values for:
>
> -- SPSSODescriptor/protocolSupportEnumeration attribute
> -- NameIDFormat
> -- AssertionConsumerService/ Binding attribute

I don't think we can assume POST or artifact in the future; they should
choose (POST/artifact/both).

-- Scott
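
Added example, not part of the original message and not Shibboleth project code: a sketch of how a self-service form could turn the inputs discussed above (a DNS name for the service, several AssertionConsumerService URLs each with a POST/artifact/both choice, and a pasted certificate) into an SP entity. The function name, the https-only rule for ACS URLs, and the use of the SAML 1.1 browser profile URIs for "POST" and "artifact" are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: "POST" and "artifact" map to the SAML 1.1 browser profile URIs.
BINDINGS = {
    "POST": "urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
    "artifact": "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01",
}
# Syntax check only: it rejects URLs and bare labels, but cannot tell a
# service name from a machine hostname; that remains the submitter's choice.
DNS_NAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def build_sp_entity(dns_name, acs_endpoints, cert_b64):
    """acs_endpoints: list of (url, choice), choice in POST / artifact / both.
    cert_b64: base64 body of the pasted certificate, without PEM armor."""
    dns_name = dns_name.strip().lower()
    if not DNS_NAME.match(dns_name):
        raise ValueError("not a valid DNS name: %r" % dns_name)
    if not acs_endpoints:
        raise ValueError("at least one AssertionConsumerService is required")
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    # The SP name is derived from the DNS name, never typed in free-form.
    entity = ET.Element("{%s}EntityDescriptor" % MD,
                        entityID="https://%s/shibboleth" % dns_name)
    sp = ET.SubElement(entity, "{%s}SPSSODescriptor" % MD,
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol")
    key_info = ET.SubElement(ET.SubElement(sp, "{%s}KeyDescriptor" % MD), "{%s}KeyInfo" % DS)
    x509 = ET.SubElement(ET.SubElement(key_info, "{%s}X509Data" % DS), "{%s}X509Certificate" % DS)
    x509.text = "".join(cert_b64.split())
    index = 0
    for url, choice in acs_endpoints:  # multi-valued: one or two elements per URL
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:  # policy assumed by this example
            raise ValueError("ACS Location must be an https URL: %r" % url)
        for name in (list(BINDINGS) if choice == "both" else [choice]):
            if name not in BINDINGS:
                raise ValueError("binding must be POST, artifact or both: %r" % choice)
            ET.SubElement(sp, "{%s}AssertionConsumerService" % MD,
                          Binding=BINDINGS[name], Location=url, index=str(index))
            index += 1
    return entity
```

Serialize the result with `ET.tostring(entity, encoding="unicode")` to review it before it is merged into the federation metadata.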



