shibboleth-dev - Re: comments: draft-mace-shibboleth-arch-protocols-10

Subject: Shibboleth Developers

Re: comments: draft-mace-shibboleth-arch-protocols-10


  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Development <>
  • Subject: Re: comments: draft-mace-shibboleth-arch-protocols-10
  • Date: Fri, 9 Sep 2005 21:22:39 -0400
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=bnBzxpFL7BKdto/KwR834r+jm4OE9JMhK/FL1H6NMZR5GeRUPIVrne89JPEfhVMj5OUnmFqFF7YUkJQxi9EMMjKhdXucsNr+jbNXb+/FAaBXIrg0IRQb2NJYQaNKoYUa13A+N6k1OgICMMM6IQDoTmCs/yVCmWnuF9nhpKKgUjQ=

On 9/9/05, Scott Cantor <> wrote:
>
> I can't correct the glossary, so I guess the official TC position is not
> mine, but having designed the AuthnRequest protocol, my position is quite
> firm. You support AuthnRequests or you're not an IdP.

Sure, I'll buy that. Doesn't really matter how we define "IdP" or
"GridShib IdP" or any other kind of "IdP", but I still have problems
with line 659:

A Shibboleth identity provider MUST include the
<md:IDPSSODescriptor> element in its metadata.

In what metadata? Any given "IdP" may produce and distribute multiple
metadata "snapshots" of itself. Must each metadata file have an
<md:IDPSSODescriptor> element? (I think not.) What if no metadata
file produced by this "IdP" has an <md:IDPSSODescriptor> element?
(Farfetched, but why should that disqualify an "IdP" from being or
becoming a Shibboleth IdP?) What if some metadata file has an
<md:IDPSSODescriptor> element but no Shibboleth SP consumes the
metadata? (How would you know that anyway?)

Having an <md:IDPSSODescriptor> element in metadata (whatever that
means) is neither necessary nor sufficient for an "IdP" to be a
Shibboleth IdP (as defined by you). I think you're putting
unreasonable restrictions on the kind of metadata a Shibboleth IdP can
produce. So yeah, I think numerous statements in section 3.4 are
overly restrictive, or at least vague enough to cause confusion (at
least for me).

Tom
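The disagreement above turns on a concrete, checkable property: whether a given metadata document actually carries an `<md:IDPSSODescriptor>` for an entity, as opposed to some other role such as an attribute authority. The following is an added example, not code from the Shibboleth project or from either poster, showing how a relying party (or an operator auditing its own published "snapshots") can inspect a SAML 2.0 metadata file and report which entities advertise the SSO IdP role. The entity IDs, endpoint URLs and the two-entity sample document are constructed for the example; the namespace URI is the standard SAML 2.0 metadata namespace.

```python
"""Report which entities in a SAML 2.0 metadata document advertise an IdP role.

Added illustration for the discussion above; not Shibboleth project code.
Assumes the standard SAML 2.0 metadata namespace. The sample document below
is constructed for this example.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample: one entity with an SSO IdP role, one that only
# publishes an attribute-authority role and therefore has no
# <md:IDPSSODescriptor> in this snapshot.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aa.example.org/aa">
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://aa.example.org/aa/profile/SAML2/SOAP/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def describe_roles(metadata_xml: str) -> dict:
    """Map each entityID in the document to the roles it advertises.

    Handles both a bare <md:EntityDescriptor> root and an
    <md:EntitiesDescriptor> aggregate. For entities with an SSO IdP role,
    the SingleSignOnService (Binding, Location) pairs are listed so a
    consumer can see whether AuthnRequests can actually be sent anywhere.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", NS)

    roles = {}
    for ent in entities:
        idp = ent.find("md:IDPSSODescriptor", NS)
        endpoints = []
        if idp is not None:
            for sso in idp.findall("md:SingleSignOnService", NS):
                endpoints.append((sso.get("Binding"), sso.get("Location")))
        roles[ent.get("entityID")] = {
            "idp_sso": idp is not None,
            "attribute_authority": ent.find("md:AttributeAuthorityDescriptor", NS) is not None,
            "sp": ent.find("md:SPSSODescriptor", NS) is not None,
            "sso_endpoints": endpoints,
        }
    return roles


def advertises_sso_idp(metadata_xml: str, entity_id: str) -> bool:
    """True only if the named entity carries an <md:IDPSSODescriptor> with at
    least one SingleSignOnService endpoint in this particular metadata file."""
    info = describe_roles(metadata_xml).get(entity_id)
    return bool(info and info["idp_sso"] and info["sso_endpoints"])


if __name__ == "__main__":
    for entity_id, info in describe_roles(SAMPLE_METADATA).items():
        print(entity_id, info)
```

Run against the constructed sample, the first entity reports an SSO IdP role with one HTTP-Redirect endpoint, while the second reports only an attribute-authority role; that second case is exactly the "IdP whose metadata has no `<md:IDPSSODescriptor>`" situation raised above, and a consumer applying the line 659 wording literally would not treat it as a Shibboleth IdP on the basis of that file.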
