Shibboleth Developers

["Scott Cantor" <>]

> How often should attributes refreshed?  This is almost certainly  
> something that needs to be controlled through a mixture of tunable  
> settings at the SP and relevant information from the attribute  
> assertion.

This was my biggest mistake in 1.x. We should not do this, IMHO. The SSO
profiles do not accommodate this in any standard way, and it creates failure
modes with NameID and attribute lifetimes that applications just do not want
to have to deal with. The complexity of configuring it has also hurt the IdP
and the SP so far.

I was planning on ripping all of that out, particularly with the de-emphasis
on queries (to the point that I wasn't even planning to support queries
after a 2.0 SSO). I was planning to leave the old code in for legacy
compatibility, but that's all, and I was going to eliminate the refresh
code.

Now, a separate (but incredibly complex) feature would be an API to perform
queries or even other data lookup methods after the fact, but I think this
should be separated from the core session response. And I don't think we
have time to add it now anyway.

-- Scott