shibboleth-dev - RE: SAML name identifiers

RE: SAML name identifiers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: SAML name identifiers
  • Date: Sun, 5 Mar 2006 22:13:21 -0500
  • Organization: The Ohio State University

> The qualifier attribute is optional.

It's also deprecated for those formats.

> In order to make the template
> and regex attributes optional, I need a domain (example.org), so we're
> back to an old question: where can I get the authoritative,
> deployment-wide domain (scope) attribute?

Scope (which is not a SAML concept) is an attribute-specific concept that is
not always a DNS domain, and has not been applied to any name identifiers.
Defining a format for EPPN would be the first case in which it would come
up, and I suspect the implementation ought to suppose that it could come up
and deal with it. But it wouldn't come up for any of the SAML 1.1 formats,
because those are defined by SAML and do not have any such internal
structure.

Secondly, there is no such thing as a single domain in general. If there were
a single domain, then there would be no need for a domain at all because it
would be implicit based on the IdP. What you're talking about is a default.

The plugin API would probably have to expose that piece of data so that it
could be supplied at runtime from the back end, and then you could define a
default value to use. So it looks about like the smartScope attribute. It
might be reasonable to extract that into a single setting to avoid the
duplication. Or one might even be able to use an XML entity to define it
once and just reuse it in the various XML files and the code wouldn't change
at all.

But nobody should forget that these are two (or more) different logical uses
for the same piece of data, a DNS subdomain.

-- Scott
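The message above suggests two things a deployer could do with the default scope: expose it through the plugin API so the back end can supply a per-principal value at runtime, with a configured default as the fallback, and declare that default once as an XML entity so `smartScope` and the name identifier setting cannot drift apart. The following is an added example, not code from this thread or from Shibboleth; the config element and attribute names (everything except `smartScope`), the `urn:example:eppn` format URI, and the `$user`/`$scope` template syntax are assumptions made for illustration.

```python
"""Added example (not from the thread or the Shibboleth code base): declare the
deployment's default scope once as an XML entity, reuse it in two settings,
and resolve the effective scope at runtime with a back-end override."""
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration. Element and attribute names are
# hypothetical; "smartScope" is the only name taken from the thread. The
# entity "scope" is declared once and referenced from both settings, which
# are two logical uses of the same DNS subdomain.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE Config [
  <!ENTITY scope "example.org">
]>
<Config>
  <AttributeResolver smartScope="&scope;"/>
  <NameIdentifier format="urn:example:eppn"
                  template="$user@$scope"
                  defaultScope="&scope;"/>
</Config>
"""

# Conservative DNS-domain shape: hyphen/alphanumeric labels, at least one dot,
# alphabetic top-level label. Tighten further to match local policy.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def is_valid_scope(scope: str) -> bool:
    """True when the value looks like a DNS domain usable as a scope."""
    return bool(DOMAIN_RE.match(scope))


def load_config(xml_text: str) -> dict:
    """Parse the config. The stdlib expat parser expands the internal entity,
    so both settings come back as the literal default; refuse a config where
    the two values disagree, since they are meant to be a single setting."""
    root = ET.fromstring(xml_text)
    smart_scope = root.find("AttributeResolver").get("smartScope")
    nid = root.find("NameIdentifier")
    default_scope = nid.get("defaultScope")
    if smart_scope != default_scope:
        raise ValueError("smartScope and defaultScope differ: "
                         f"{smart_scope!r} vs {default_scope!r}")
    return {"default_scope": default_scope,
            "format": nid.get("format"),
            "template": nid.get("template")}


def resolve_scope(backend_scope, default_scope: str) -> str:
    """A scope supplied at runtime by the back end wins; otherwise fall back
    to the deployment default. Either way it must be a plausible domain."""
    scope = (backend_scope or default_scope).strip().lower()
    if not is_valid_scope(scope):
        raise ValueError(f"not a usable DNS domain: {scope!r}")
    return scope


def build_identifier(template: str, user: str, scope: str) -> str:
    """Fill the template. The local part must not carry its own '@';
    otherwise a back-end value could smuggle a foreign scope into the
    issued identifier."""
    if not user or "@" in user:
        raise ValueError(f"bad local part: {user!r}")
    return template.replace("$user", user).replace("$scope", scope)


def issue(config: dict, user: str, backend_scope=None) -> str:
    """Produce the scoped identifier for one principal."""
    scope = resolve_scope(backend_scope, config["default_scope"])
    return build_identifier(config["template"], user, scope)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(issue(cfg, "jdoe"))                         # jdoe@example.org
    print(issue(cfg, "jdoe", "physics.example.org"))  # jdoe@physics.example.org
```

One caveat worth checking before relying on the entity trick: it only works because the stdlib expat parser expands internal entities, and that is exactly the behaviour hardened XML loaders (defusedxml, or any parser with DTD processing disabled) refuse by default. If the deployment's configuration loader is hardened that way, the entity reference will be rejected or left unexpanded, and a single explicit setting read by the code is the safer way to remove the duplication.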
