
shibboleth-dev - Re: SAML name identifiers

  • From: Ian Young <>
  • To:
  • Subject: Re: SAML name identifiers
  • Date: Fri, 03 Mar 2006 17:40:17 +0000

Scott Cantor wrote:

> I think the context is lost here...

Quite possibly I am going off at a tangent because of some related stuff I'm thinking about just now.

> I said I didn't see why I would use the attribute version in SAML 2.0 when I can just carry the data in the subject and save the space.

With your comment about unifying the APIs for subject format and attributes, and seeing the partial unification you've already done in the SP, I think I'm closer to understanding what you have in mind.

In those terms, what I was getting at was that the current attribute release API is in terms of *filtering* (include/exclude on each attribute independently) whereas the subject format issue is a question of *choosing*: you can't not have a subject format at all, or pick two. If the user says don't release the persistent opaque identifier, it is *replaced* by the transient one.

> The whole goal is for ARPs and the mappings to merge in some way.

For what it's worth, that does sound like the right approach to me, I just can't think what the details will look like yet.

I suppose the trick is to be able to achieve things like:

IF the user wants to release "a persistent opaque identifier" THEN
    IF the SP's metadata says it understands that format THEN
        use that as a subject format and omit ePTI
    ELSE
        use the shibboleth handle format for the subject and ship
        an OID-style ePTI to hold that information.

I suppose it is possible to do most of that explicitly in the ARP, but I can't see how you would model it all purely by the current attribute filtering model.

-- Ian
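The rule sketched in the message above, expressed as an added example (editor's code, not Shibboleth's, and not from either poster). It reads the md:NameIDFormat elements from SP metadata and then chooses exactly one subject format, adjusting the released attribute set to match, rather than filtering each item independently. The two SP metadata documents, their entity IDs, the attribute set, and the assumption that a refused persistent identifier falls back to the SAML 2.0 transient format are all constructed for the example.

```python
# Added example by the editor; not Shibboleth code. It expresses the
# "choosing, not filtering" rule: the subject NameID format is chosen
# (exactly one), and the attribute set is then adjusted to match.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SHIB_HANDLE = "urn:mace:shibboleth:1.0:nameIdentifier"   # Shibboleth 1.x handle format
EPTI_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"          # eduPersonTargetedID
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"           # mail, an unrelated attribute

# Constructed SP metadata for the example (not real entities).
SP_SAML2_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SP_LEGACY_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://legacy.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def supported_nameid_formats(sp_metadata_xml):
    """Collect the md:NameIDFormat values an SP advertises in its metadata."""
    root = ET.fromstring(sp_metadata_xml)
    return {el.text.strip() for el in root.iter(f"{{{MD_NS}}}NameIDFormat") if el.text}


def choose_subject(release_persistent_id, sp_formats, released_attrs):
    """Pick one subject NameID format and fix up the attribute set to match.

    release_persistent_id: the ARP decision on "a persistent opaque identifier".
    sp_formats: formats the SP understands, from supported_nameid_formats().
    released_attrs: attribute names the ARP would otherwise release.
    Returns (nameid_format, attributes_to_release).
    """
    attrs = set(released_attrs)
    if not release_persistent_id:
        # Refusing the persistent identifier does not leave the subject empty:
        # it is replaced by a transient one (assumption: the SAML 2.0 transient
        # format), and ePTI, which would carry the same persistent value as an
        # attribute, is dropped along with it.
        attrs.discard(EPTI_OID)
        return TRANSIENT, attrs
    if PERSISTENT in sp_formats:
        # The SP understands the SAML 2.0 persistent format: carry the value
        # in the subject and omit the duplicate ePTI attribute to save space.
        attrs.discard(EPTI_OID)
        return PERSISTENT, attrs
    # Otherwise fall back to the Shibboleth handle as the subject and ship the
    # persistent value as an OID-style ePTI attribute instead.
    attrs.add(EPTI_OID)
    return SHIB_HANDLE, attrs


if __name__ == "__main__":
    for xml in (SP_SAML2_XML, SP_LEGACY_XML):
        for decision in (True, False):
            fmt, attrs = choose_subject(decision, supported_nameid_formats(xml),
                                        {MAIL_OID, EPTI_OID})
            print(decision, fmt, sorted(attrs))
```

The point the function makes concrete is that ePTI is never decided on its own: it is added or removed as a consequence of which subject format was chosen, which is the part a per-attribute include/exclude ARP cannot express.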


