shibboleth-dev - RE: GridShib profile
  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, "'Shibboleth Development'" <>
  • Subject: RE: GridShib profile
  • Date: Tue, 8 Mar 2005 11:34:14 -0500
  • Organization: The Ohio State University

> Also, SAML 2.0 metadata doesn't seem to handle the case of a
> standalone attribute requester very well.

It doesn't handle it at all; it was left out of scope so as not to have to
address the other query cases, not that I was thrilled by that. Until the TC
includes more members who think there *are* any other use cases other than
SSO, I think this will continue to be the case.

> As far as I can tell, we will have to include a dummy
> <md:AssertionConsumerService> element as a placeholder.

I wouldn't. I would define a role extension until the TC defines something.
An SPSSODescriptor is for SSO, period.

But, all you really need is the KeyDescriptors. You *could* put attributes
there, but you *shouldn't* use wildcard queries. Just ask for what you want.
The metadata shouldn't be used to avoid this, only to pre-establish policy
about access to them. I don't see a problem copying most of the SP
descriptor for that purpose, but it can't be used during queries.

> Finally, it would be highly desirable if multiple
> <md:AttributeConsumingService> elements could be defined. However,
> AFAIK the index attribute of this metadata element is ignored by a
> SAML 1.x metadata implementation. Is this correct?

It's ignored in SAML 2.0 for this use case. Attribute queries by reference
are not allowed except during SSO.

-- Scott
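One way to express the role extension Scott suggests, as an added example that is not from this thread, from Shibboleth or from GridShib: a SAML 2.0 md:RoleDescriptor carrying an xsi:type from a placeholder namespace, holding only the KeyDescriptor the IdP needs to authenticate the requester, instead of an SPSSODescriptor with a dummy AssertionConsumerService. The gs namespace, the type name, the entityID, the SAML 1.1 protocol URI and the certificate value are all assumptions.

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:gs="urn:example:gridshib:metadata"
                     entityID="https://requester.example.org/gridshib">
  <!-- Role extension: md:RoleDescriptor is the SAML 2.0 metadata extension
       point; the xsi:type below derives from RoleDescriptorType. The gs
       namespace and AttributeRequesterDescriptorType are hypothetical. -->
  <md:RoleDescriptor xsi:type="gs:AttributeRequesterDescriptorType"
                     protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <!-- The only part the IdP really needs: the key used to authenticate
         the requester's attribute queries. Certificate value is a placeholder. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER_BASE64_DER_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Any attribute policy the extension type defines would go here; it
         pre-establishes access policy only. Queries still name each
         attribute explicitly and are never resolved by a metadata index. -->
  </md:RoleDescriptor>
</md:EntityDescriptor>
```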
