
shibboleth-dev - RE: Scope of self

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Scope of self
  • Date: Fri, 4 Nov 2005 16:29:32 -0500
  • Organization: The Ohio State University

> Sorry, I should have told you what I'm trying to do. I'm implementing
> a name mapping plugin for emailAddress identifiers. Rather than
> require a Scope attribute in the <NameMapping> element, the thought is
> to default to shibmd:Scope taken from IdP metadata.

Meaning to figure out how to generate the email address domain? Well, again,
I don't see a huge difference between these options.

I think people have this all backwards. The goal shouldn't be to use the
metadata to configure yourself, it should be to *generate* the metadata from
the configuration. Duplicate entry is bad, sure, but the schema is not set
up to really be a good self-configuration format in my opinion.

I tried it several times over the course of the last few years and failed
miserably every time I started down the path. I eventually just stopped
trying and accepted that the use cases didn't match.

> Gee, how many scopes are there in the world? Is there a scope defined
> somewhere in the IdP that a name mapping plugin can leverage?

The only definition of scopes is in the smartScope attributes that basically
serve the same purpose as what you're doing...they just default the scope in
if the scope isn't already there. And even there, it's repeated. ;-)

By multiple, I just meant that metadata allows an IdP to be given the
authority to serve any number of scope domains. So reading it doesn't tell
you which one to use for a given user, in such a case.

-- Scott
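
The multiple-scope problem described in the message above, as an added example that is not part of the original post or of the Shibboleth code base: it defaults the scope from `shibmd:Scope` only when the IdP's metadata lists exactly one literal scope, and otherwise requires an explicit setting that the metadata authorizes. The sample metadata, entity IDs, function names and the `configured` parameter are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed sample metadata; entity IDs and scopes are illustrative only.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.edu/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
        <shibmd:Scope regexp="false">alumni.example.org</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


class AmbiguousScope(Exception):
    """Metadata alone cannot pick the scope for this IdP."""


def idp_scopes(metadata_xml, entity_id):
    """Return [(value, is_regexp)] for the IdP's shibmd:Scope elements."""
    root = ET.fromstring(metadata_xml)  # assumes metadata was already signature-checked
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        if entity.get("entityID") == entity_id:
            found = entity.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS)
            return [((s.text or "").strip(), s.get("regexp", "false") in ("true", "1"))
                    for s in found]
    raise KeyError(entity_id)


def resolve_scope(metadata_xml, entity_id, configured=None):
    """Pick the scope for emailAddress mapping; `configured` is a hypothetical plugin setting."""
    scopes = idp_scopes(metadata_xml, entity_id)
    literals = [v for v, is_rx in scopes if not is_rx]
    if configured is not None:
        ok = configured in literals or any(
            is_rx and re.fullmatch(v, configured) for v, is_rx in scopes)
        if not ok:
            raise ValueError("configured scope not authorized in metadata")
        return configured
    if len(scopes) == 1 and len(literals) == 1:
        return literals[0]  # safe to default: exactly one literal scope
    raise AmbiguousScope("%d scopes for %s; set one explicitly" % (len(scopes), entity_id))
```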



