shibboleth-dev - Re: First draft of eduPerson/SAML profiles

Subject: Shibboleth Developers

  • From: Tom Scavo
  • To: Keith Hazelton
  • Cc: mace-dir
  • Subject: Re: First draft of eduPerson/SAML profiles
  • Date: Tue, 19 Apr 2005 09:42:12 -0400

On 4/19/05, Keith Hazelton wrote:
>
> 1) How attributes are handled in Shibboleth today (and "historically").
> That is the topic of section 2 of the document.
> 2) How we propose to handle attributes in SAML 2 environments, including
> Shibboleth 2.x. That is covered in section 3.

Right, so aren't you mixing a Shibboleth profile in section 2 with a
SAML profile in section 3? Moreover, the Shibboleth profile is
largely deprecated so perhaps it should be separated out.

> Looking at section 3 first, what is being proposed is scoped to
> 1) Attributes originating in X.520 and in RFC-defined extensions such
> as inetOrgPerson
> 2) Attributes defined by the MACE directory working group (which I
> chair).

If you consider section 3 by itself, two issues stand out. First,
eduPersonTargetedID (as an attribute) is pre-empted by
nameid-format:persistent (as a name identifier) so the need for
special attribute syntax is not clear. Second, the eduCourseOffering
example cries out for a complex content model that pre-packages the
URI as a set of attributes applicable to the course in question.

So the end result is kind of curious...the eduCourseOffering attribute
uses a simple content model while the eduPersonTargetedID employs a
complex content model. The two syntaxes seem to go in totally
different directions.

The main question (in my mind) is the need for eduPersonTargetedID (as
an attribute) in SAML2. I'm not seeing that, I guess.

Tom


