
shibboleth-dev - Re: JNDI/LDAP Connector Feature Requests

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To:
  • Subject: Re: JNDI/LDAP Connector Feature Requests
  • Date: Sat, 29 Jul 2006 15:45:37 -0700 (PDT)



Anyone have others?


We have found a few other 'improvements' to be useful. They
mostly provide efficiency.

1) Specify which attributes we want back from ldap.

If an entitlement, for example, requires membership in
a group we don't want to get back the entire membership of
that group, which might number many thousands. Just
the 'cn' is enough. So we added an option to the search
control, used like this:

returningAttribute="cn"

2) Make activation of the connector dynamic.

Using the same entitlement attribute as an example.
We usually know ahead of time which SPs will utilize
the group membership check. It makes no sense to check
ldap for all the other SPs, to whom we wouldn't release the
entitlement anyway. So we only activate the connector
for groups if the SP is one that might actually get
the entitlement. The connector element looks like this:

<ActivationRequirement relyingParty="napster.com"/>

3) We allow empty results of a query to be acceptable - not an error.

Jim
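
The three behaviours described in this message, sketched with the standard JNDI API as an added example; it is not the patch from this message or Shibboleth's own code. It assumes returningAttribute maps onto SearchControls.setReturningAttributes, and the class name, the ACTIVE_FOR set, the base DN, the filter and the stub directory are all hypothetical.

```java
import java.lang.reflect.Proxy;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class GroupCheck {
    // Hypothetical stand-in for <ActivationRequirement relyingParty="napster.com"/>.
    static final Set<String> ACTIVE_FOR = Set.of("napster.com");
    static int searches = 0; // counts directory round trips made by the stub

    /** cn of every group listing userDn as a member; an empty list is a valid answer. */
    static List<String> groupsFor(DirContext ctx, String relyingParty, String userDn)
            throws NamingException {
        if (!ACTIVE_FOR.contains(relyingParty)) return List.of(); // (2) skip LDAP entirely
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"}); // (1) never fetch the member list
        // JNDI escapes the {0} argument, so userDn cannot rewrite the filter.
        NamingEnumeration<SearchResult> hits = ctx.search(
            "ou=groups,dc=example,dc=edu", "(member={0})", new Object[] {userDn}, sc);
        List<String> names = new ArrayList<>();
        while (hits.hasMore()) {
            Attribute cn = hits.next().getAttributes().get("cn");
            if (cn != null) names.add((String) cn.get());
        }
        return names; // (3) no matches is not an error
    }

    // Constructed stub directory so the example runs without a server.
    static DirContext stub(List<String> cns) {
        ClassLoader cl = GroupCheck.class.getClassLoader();
        return (DirContext) Proxy.newProxyInstance(cl, new Class<?>[] {DirContext.class},
            (proxy, method, args) -> {
                searches++;
                Iterator<String> it = cns.iterator();
                return Proxy.newProxyInstance(cl, new Class<?>[] {NamingEnumeration.class},
                    (p, m, a) -> m.getName().equals("hasMore") ? (Object) it.hasNext()
                        : new SearchResult("cn=g", null, new BasicAttributes("cn", it.next())));
            });
    }

    public static void main(String[] argv) throws NamingException {
        System.out.println(groupsFor(stub(List.of("music-users")), "napster.com", "uid=a"));
        System.out.println(groupsFor(stub(List.of()), "napster.com", "uid=b"));
        System.out.println(groupsFor(stub(List.of("music-users")), "other.example", "uid=a"));
        System.out.println("directory searches: " + searches);
    }
}
```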


