
shibboleth-dev - RE: Constrained delegation with additional attributes

RE: Constrained delegation with additional attributes


  • From: "Scott Cantor" <>
  • To: <>
  • Cc: <>
  • Subject: RE: Constrained delegation with additional attributes
  • Date: Tue, 22 Nov 2005 10:05:36 -0500
  • Organization: The Ohio State University

> oh dear! I got this from:
> http://www.oasis-open.org/specs/index.php#wssprofilesv1.0
> Is the SAML Token Profile deprecated now?

No, but that's a SAML 1.1 profile, and none of this stuff is really possible
with SAML 1.1. The SAML 2.0 profile is in the 1.1 STP (corresponding with
WSS 1.1).

> I see what you're saying but it would have to release attributes for
> multiple SPs in the same Response.

Yes, it would.

> hmmm... I suppose the VLE would know which SPs it is capable of talking to
> so could ask for a huge chunk of attributes from the start. Surely the IdP
> would refuse though? The ARP would block release of VFS attributes to the
> VLE.

The IdP would encrypt them for each SP.

> I'm also not comfortable with sensitive attributes going through the VLE,
> especially when it will never use them itself.

I don't think you follow how XML encryption works.

> What's needed at the web service, in old talk, is a
> SecurityTokenReference and SAML Subject to allow the web service to go to
> the AA and ask for extra attributes independently of the VLE.

You get that anyway. And the identifier has to be encrypted regardless, if
you're going to pass the token along.

> The SAML Token profile was quite nice - pity it's gone, or is it?

See above.

-- Scott
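The point Scott makes about XML Encryption, namely that the IdP can put attributes for several SPs in one response and encrypt each SP's attributes under that SP's own key, so the VLE carries the VFS attributes as opaque ciphertext it cannot read, is easy to see in code. The following is an added example, not code from the thread or from Shibboleth; it models the xenc:EncryptedData + xenc:EncryptedKey pair with AES-256-GCM plus RSA-OAEP key wrapping in Go's standard library (SAML 2.0 implementations typically use AES-CBC or GCM with RSA-OAEP, but this is a model, not a conformant serialization). The entityIDs, attribute names and values are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedAttribute models one xenc:EncryptedData plus its xenc:EncryptedKey:
// a fresh AES-256-GCM content key protects the attribute XML, and that key is
// wrapped with RSA-OAEP under the recipient SP's public key.
type EncryptedAttribute struct {
	Recipient  string // hypothetical SP entityID this block is addressed to (a label only)
	WrappedKey []byte // EncryptedKey: RSA-OAEP(content key)
	Nonce      []byte // GCM IV
	Ciphertext []byte // EncryptedData: AES-GCM(attribute XML)
}

// encryptForSP is what the IdP does once per intended recipient.
func encryptForSP(recipient string, pub *rsa.PublicKey, attributeXML []byte) (EncryptedAttribute, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return EncryptedAttribute{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return EncryptedAttribute{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedAttribute{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedAttribute{}, err
	}
	ct := gcm.Seal(nil, nonce, attributeXML, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return EncryptedAttribute{}, err
	}
	return EncryptedAttribute{Recipient: recipient, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptAsSP is what a recipient does with its own private key. Anything not
// wrapped for that key fails at the OAEP unwrap and yields no plaintext.
func decryptAsSP(priv *rsa.PrivateKey, ea EncryptedAttribute) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ea.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key for %s: %w", ea.Recipient, err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
}

// Outcome records who could read what in the delegation scenario.
type Outcome struct {
	VLEReadsOwn string // plaintext the VLE recovers from its own block
	VLEReadsVFS bool   // whether the VLE could open the VFS block (must stay false)
	VFSReadsOwn string // plaintext the VFS recovers after the VLE forwards its block
}

// Scenario builds one IdP response carrying attributes for two SPs, the VLE that
// receives it and the VFS it later calls, and checks what each side can decrypt.
func Scenario() (Outcome, error) {
	vleKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	vfsKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample attributes; the VFS one stands in for a sensitive attribute
	// that the IdP's ARP would never release to the VLE in the clear.
	vleAttr := []byte(`<saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>`)
	vfsAttr := []byte(`<saml:Attribute Name="fileQuota"><saml:AttributeValue>5G</saml:AttributeValue></saml:Attribute>`)

	forVLE, err := encryptForSP("https://vle.example.org/sp", &vleKey.PublicKey, vleAttr)
	if err != nil {
		return Outcome{}, err
	}
	forVFS, err := encryptForSP("https://vfs.example.org/sp", &vfsKey.PublicKey, vfsAttr)
	if err != nil {
		return Outcome{}, err
	}
	response := []EncryptedAttribute{forVLE, forVFS} // one Response, two recipients

	var out Outcome
	pt, err := decryptAsSP(vleKey, response[0]) // VLE opens its own block
	if err != nil {
		return Outcome{}, err
	}
	out.VLEReadsOwn = string(pt)
	_, err = decryptAsSP(vleKey, response[1]) // VLE tries the VFS block with its own key
	out.VLEReadsVFS = err == nil
	pt, err = decryptAsSP(vfsKey, response[1]) // VLE forwards the VFS block untouched; VFS opens it
	if err != nil {
		return Outcome{}, err
	}
	out.VFSReadsOwn = string(pt)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("VLE reads own block: %s\nVLE can open VFS block: %v\nVFS reads own block: %s\n",
		out.VLEReadsOwn, out.VLEReadsVFS, out.VFSReadsOwn)
}
```

The VLE never holds the VFS content key, so "sensitive attributes going through the VLE" means ciphertext passing through it. The same mechanism is why the subject identifier must be an EncryptedID if the token is forwarded: a NameID left in the clear would be readable by every hop, whereas an encrypted one is only readable by the SP it was wrapped for.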



