Shibboleth Developers

["Scott Cantor" <>]

> 1) Checks for <saml:AttributeDesignator> elements in the query.  If
> one or more such elements exist, the corresponding attributes are
> supplied (subject to policy and availability).

True, noting that there's a bug in the older versions (1.1 for sure) that
causes this to crash and return an error.

> 2) If no <saml:AttributeDesignator> elements appear in the query, the
> IdP consults the requester's metadata.  If one or more
> <md:RequestedAttribute> elements exist in metadata, the corresponding
> attributes are supplied (subject to policy and availability).

Not true. The ARP is used to determine what to return. I haven't even
wrapped that part of the metadata yet. We were more interested in using that
stuff for the GUI at this point than operationalizing it. I'm also reluctant
to overload the SP descriptor for queries, but if I can get that extension
accepted, we could use that without cheating so much.

> 3) If no <md:RequestedAttribute> elements appear in metadata, the IdP
> supplies all attributes (subject to policy and availability).

2 and 3 are the same case, currently.

-- Scott