Shibboleth Developers

["Scott Cantor" <>]

> Note that the language isn't as clear as it probably should be, but when
> it says "the issuing IdP" it's intended to refer back to the IdP 
> acting in the profile, and there's only one. I will bring that up as a 
> possible errata.

Of course, as I should have recalled, this already was an errata.

http://www.oasis-open.org/committees/download.php/18811

See PE26, which cleans up a lot of the Response processing rules for SSO and
makes it very clear what the TC's intent was.

I wasn't ever very happy that we allowed multiple assertions because IMHO
nothing was gained. With only one issuer, the only rational thing to do when
including attributes now is just embed them in one, and we could have saved
everybody headaches by restricting the profile to one assertion. But I lost,
so all I can say is the errata at least tries to clarify things a bit.

-- Scott