
shibboleth-dev - Re: First draft of eduPerson/SAML profiles


  • From: "RL 'Bob' Morgan" <>
  • To: Shibboleth Dev Team <>
  • Cc: "'mace-dir'" <>
  • Subject: Re: First draft of eduPerson/SAML profiles
  • Date: Wed, 20 Apr 2005 01:08:53 -0700 (PDT)


On Mon, 18 Apr 2005, Scott Cantor wrote:

> Attached is a first draft of a pair of SAML attribute profiles for mapping
> eduPerson and related bits to SAML 1.x and SAML 2.0.

Let me comment on whether this doc is a "Shibboleth profile" or an "eduPerson profile" or some other kind of profile. I would say that it is most accurately characterized as recommendations for representation of SAML Attributes for use by the Internet2 Middleware community. That community is those people who read Internet2 Middleware Initiative (I2MI) documents and create implementations and deployments based on them, and who use I2MI-produced software or produce software intended to be compatible with it; and of course those who contribute to creating I2MI documents and software.

The eduPerson specification itself does not just define the eduPerson LDAP attribute types and object classes, it also profiles lots of other common attribute types, and it does this for the use, again, of the I2MI community. You could easily argue that the eP definitions and the profiles of everything else should be separated, and I'd agree with you, but that doesn't change the intent of the specification(s).

So it's OK for this document to say how to represent eduCourse, or CN, etc, because the I2MI community wants to represent those things as SAML Attributes, and in SAML 1.x there is no standard convention on how to do so. And of course it was "us" who wrote the X500/LDAP profile for SAML2, because of our interest in having a global convention for this purpose, not just one specific to the I2MI community. That's why sections 3.2 and 3.3 of this doc can be so short.

So the SAML 1.x part of this spec, warts and all, is indeed intended for use by the I2MI community in all situations where that community might want to use the SAML Attributes it defines in SAML 1.x. Obviously it doesn't cover every kind of attribute type from every source. And I2MI community members are also members of other communities that might produce different SAML Attribute profiles or choose to use SAML Attributes in ways that aren't covered by this profile. But if the other sites you need to work with are also part of the I2MI community, then you can use this spec, and interoperate. And if you're part of the community and you want to use these attributes in SAML 1.x and this profile doesn't work for you, then you're encouraged to explain why, and if the reasons are good maybe we can have alternate profiles for different purposes or something.

It may be that we should pursue having a SAML-TC-level convention for representing the "persistent" nameid format as a SAML Attribute, rather than having to label it with an I2MI-defined OID URN. But in any case it would have the proposed value. And as noted we are in a world where we will have to handle potentially many names for the same info-item.

- RL "Bob"
