shibboleth-dev - RE: comments: draft-mace-shibboleth-arch-protocols-09
  • From: "Scott Cantor"
  • To: "Tom Scavo"
  • Cc: "Shibboleth Development"
  • Subject: RE: comments: draft-mace-shibboleth-arch-protocols-09
  • Date: Sat, 2 Apr 2005 17:55:28 -0500
  • Organization: The Ohio State University

> But if <saml:AttributeDesignator> elements are indeed listed, they
> almost certainly came from metadata, right?

I don't know; they certainly don't now, since there is none. So whether they
do or not, it doesn't really matter to the profile.

It's more likely right now the metadata is going to be derived from whatever
the SP is currently putting in its queries, although we don't really have
anybody doing queries with designators because of old bugs in the AA, the
fact that the ARP has to be in place anyway, etc. So in that sense, the
metadata will be a copy of the ARP.

The privacy model and the lack of incremental queries after session creation
just really makes all of it irrelevant. Once you have to establish the list
up front anyway, it doesn't matter what's in your metadata or your queries.

Seems like it's your push model where this all matters, and then it should
be a matter between the client and the SP, and I argue the AA should be kept
out of it. Synchronizing the push/pull set becomes an issue, but it doesn't
mean you have to standardize everything on the ARP concept (let alone our
current syntax), that can just be the output of whatever process you use.
Which might be based on metadata, of course.

Anyway, my long-winded point is that standardizing anything to do with
metadata is pretty difficult. My take is that it doesn't give you
interoperability, certainly, but it doesn't make the situation any worse
than if the metadata didn't exist, and can sometimes make it better.

Mostly I think it's a tool for implementations to build value around, as we
are doing with certificate agnosticity (I view avoiding PKI as a desired
feature), driving the ARP GUI (we hope), that kind of thing. Not things any
standard mandates.

-- Scott
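Added illustration (not code from this thread, from Scott, or from the Shibboleth project): the point above that designators in a query cannot matter beyond the release list that already has to exist on the AA side. The snippet builds a SAML 1.1 AttributeQuery carrying <saml:AttributeDesignator> elements, parses them back out, and computes what an AA would release as the intersection of the requested set with a per-requester allow list. The RELEASE_POLICY dict is a deliberately simplified stand-in for an ARP, not the real ARP syntax; the SP and IdP URLs and the handle value are constructed sample data.

```python
"""Illustration: AttributeDesignators can narrow an attribute release, never widen it.
Not Shibboleth code; RELEASE_POLICY is a simplified, hypothetical stand-in for an ARP."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
SHIB_NAMEID_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"

ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Constructed, simplified release policy: requester (the query's Resource attribute)
# -> attribute names the IdP is willing to release to it. This is the list that has
# to be "established up front" regardless of what any query asks for.
RELEASE_POLICY = {
    "https://sp.example.org/shibboleth": {
        "urn:mace:dir:attribute-def:eduPersonAffiliation",
        "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
    },
}


def build_attribute_query(resource, handle, designator_names):
    """Serialize a SAML 1.1 AttributeQuery for `resource`, one designator per name."""
    query = ET.Element(f"{{{SAMLP_NS}}}AttributeQuery", {"Resource": resource})
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier",
                            {"Format": SHIB_NAMEID_FORMAT})
    name_id.text = handle  # opaque handle, constructed sample value
    for name in designator_names:
        ET.SubElement(query, f"{{{SAML_NS}}}AttributeDesignator",
                      {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
    return ET.tostring(query, encoding="unicode")


def requested_designators(query_xml):
    """Return the AttributeName of every AttributeDesignator in the query (may be empty)."""
    root = ET.fromstring(query_xml)
    return [d.get("AttributeName")
            for d in root.findall(f"{{{SAML_NS}}}AttributeDesignator")]


def released_attributes(query_xml, policy=RELEASE_POLICY):
    """What the AA releases: the policy set for this requester, narrowed by any designators."""
    root = ET.fromstring(query_xml)
    allowed = policy.get(root.get("Resource"), set())  # unknown requester: release nothing
    requested = set(requested_designators(query_xml))
    if not requested:
        return sorted(allowed)          # no designators: the policy alone decides
    return sorted(allowed & requested)  # designators can only narrow the policy set


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    q = build_attribute_query(sp, "_8f3c", [
        "urn:mace:dir:attribute-def:eduPersonAffiliation",
        "urn:mace:dir:attribute-def:mail",  # requested, but not in the policy
    ])
    print(requested_designators(q))
    print(released_attributes(q))
    print(released_attributes(build_attribute_query(sp, "_8f3c", [])))
```

Asking for `mail` gains the SP nothing because the policy does not list it, and omitting designators altogether yields exactly the policy set; either way the release is bounded by the list the AA already holds, which is why the contents of the query (or of metadata derived from it) do not change the outcome.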
