Shibboleth Developers

[Chad la Joie <>]

We didn't discuss the layout of the message but we are moving towards a 
primarily attribute push model.  My guess, for SAML 2 at least, would be 
one assertion, two statements.  We have no plans to drop the ability to 
export the full assertion to the protected resource, but we also 
acknowledge that some web servers will have issues with that as they 
restrict the amount of data that may go into a header.

Tom Scavo wrote:
> What will a typical authn response look like in Shib 2.0?  Will the
> payload still be two separate assertions or are you considering one
> assertion with two statements?
>
> Assuming the authentication response contains two separate assertions,
> will the Shib 2.0 SP continue to expose the complete response?
>
> I missed the discussion of the SP at the F2F so I apologize in advance
> if the following topic was covered.  Instead of exposing the response
> at the SP, why not expose the attribute assertion only (with the
> response wrapper stripped away)?  In that case, you end up with the
> same thing irrespective of push or pull.
>
> Also, why not nest the authentication assertion in the <Advice>
> element of the attribute assertion?  This exposes the authentication
> context in its entirety and leaves it up to the consuming application
> to make use of it or not, as the case may be.
>
> Tom

--
Chad La Joie             2052-C Harris Bldg
OIS-Middleware           202.687.0124