Shibboleth Developers

["Scott Cantor" <>]

> So if I understand you correctly, metadata is not used to determine
> required attributes but may be used in the future (1.3?) depending on
> the outcome of the proposed metadata extension.  Correct?

I wouldn't say it depends on that, but we reserve the option to start
looking at metadata in some fashion at some point, but probably more for
attribute push.

> Okay, so that implies that SP queries and client queries (ala
> LionShare and GridShib) are all processed in the same way (ignoring
> ARP processing for the moment), that is, either the requested
> attributes are returned or all attributes are returned.  Is that
> right?

Well, I would say that we're somewhat constrained by the definition of an
empty query, which (in both 1.1 and 2.0) cannot really be interpreted in the
context of metadata. The definition is really "send me anything I'm allowed
to have". So the ARP is really the starting point, that defines what "all"
means.

Queries, particularly in a stand-alone use case, should absolutely send what
they want to get back. Better to be clear.

The downside is no attribute value filtering until 2.0, but there's nothing
to be done about that. The metadata will hopefully provision the ARPs at
some point.

-- Scott