
shibboleth-dev - Re: query profile support in Shib 2


Re: query profile support in Shib 2


  • From: "Tom Scavo" <>
  • To:
  • Subject: Re: query profile support in Shib 2
  • Date: Sun, 30 Jul 2006 11:35:14 -0400

On 7/29/06, Scott Cantor <> wrote:

>> - The SAML Assertion Query/Request Profile [SAML2Prof]?

> Yeah, but I don't know about in the SP yet. I hope not to.

No problem, it's the IdP side I'm interested in anyway. Specifically,
the attribute query.

>> - The SAML Attribute Sharing Profile for X.509
>> Authentication-based Systems?

> I doubt it, not until it's clearer what it actually means. I don't really
> understand the purpose of that profile from a technical point of view (the
> X.509 part doesn't belong in SAML at all).

What X.509 part? Are you referring to the use of X509SubjectName identifiers?

> If all it's asking for is a bunch of specific knobs to be turned, then I
> think all the knobs will be there, so maybe in that sense it's "supported".

I doubt it's that simple. For one thing, the IdP must be able to map
an X509SubjectName identifier to a principal name. That's what
GridShib does, so think of GridShib as an implementation of the
Attribute Sharing Profile.

In that sense, I suppose I've answered my own question. So the real
question is: Will Shib 2.0 support the SAML V2.0 Assertion
Query/Request Profile at the IdP? We need that, I think, since the
Attribute Sharing Profile is an extension of the Query/Request
Profile.

>> How will a Shib 2.x IdP call out its support of one or more of these
>> profiles without breaking backward compatibility with the Shib 1.3 SP?

> Nothing old is changing (broken or not) and nothing new conflicts with
> anything old.

Well, I could be missing something, but there seems to be a real
problem here. So the Shib 2.0 IdP will have AA endpoints that support
Shib 1.x attribute exchange, SAML V1.1 Attribute Query Profile
(currently being written), SAML V2.0 Assertion Query/Request Profile,
and SAML V2.0 Attribute Sharing Profile (standards track). How does
an SP find an endpoint that supports a specific profile?

Tom
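As an added illustration of the endpoint-discovery question Tom closes with (not code from the thread or from Shibboleth itself): in SAML 2.0 metadata, an IdP's AttributeAuthorityDescriptor lists the protocols it speaks in protocolSupportEnumeration, and each AttributeService carries a Binding, so an SP can pick the AA endpoint for the profile it wants by matching both. The entityID, locations and the two-descriptor layout in the metadata below are constructed for the example.

```python
# Added example: select an attribute-authority endpoint from SAML 2.0 metadata
# by the protocol and binding the SP intends to use. Not Shibboleth code.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Protocol URIs that may appear in protocolSupportEnumeration.
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SHIB1_PROTOCOL = "urn:mace:shibboleth:1.0"
# SOAP bindings used for attribute queries in SAML 1.x and SAML 2.0.
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed metadata for a hypothetical IdP that publishes one AA descriptor
# for Shib 1.x / SAML 1.1 attribute exchange and a second one for SAML 2.0 queries.
CONSTRUCTED_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.org/idp">
  <AttributeAuthorityDescriptor protocolSupportEnumeration="{SHIB1_PROTOCOL} {SAML11_PROTOCOL}">
    <AttributeService Binding="{SAML1_SOAP}" Location="https://idp.example.org/idp/AA"/>
  </AttributeAuthorityDescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <AttributeService Binding="{SAML2_SOAP}"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""


def find_attribute_services(metadata_xml, protocol, binding):
    """Return the Location of every AttributeService whose enclosing
    AttributeAuthorityDescriptor advertises `protocol` and whose Binding is `binding`."""
    root = ET.fromstring(metadata_xml)
    locations = []
    for aa in root.iter(f"{{{MD}}}AttributeAuthorityDescriptor"):
        # protocolSupportEnumeration is a whitespace-separated list of URIs.
        supported = aa.get("protocolSupportEnumeration", "").split()
        if protocol not in supported:
            continue
        for svc in aa.findall(f"{{{MD}}}AttributeService"):
            if svc.get("Binding") == binding:
                locations.append(svc.get("Location"))
    return locations


if __name__ == "__main__":
    print("SAML 2.0 AA:", find_attribute_services(CONSTRUCTED_METADATA, SAML2_PROTOCOL, SAML2_SOAP))
    print("Shib 1.x AA:", find_attribute_services(CONSTRUCTED_METADATA, SHIB1_PROTOCOL, SAML1_SOAP))
```

Because these Location values decide where the SP sends its attribute queries, the SP should only consume metadata it has verified (signature checked or fetched from a trusted source) before selecting an endpoint this way.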


