
shibboleth-dev - RE: attribute push

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: attribute push
  • Date: Mon, 11 Sep 2006 11:20:15 -0400
  • Organization: The Ohio State University

> Even for pull? I assume query is still an option...

Queries do not have authn statements under any ordinary circumstance because
there's no way in general to know when/how authentication might have
happened.

I would say that we haven't 100% decided whether to have any 2.0 queries in
the 2.0 SP. The only use case would be for allowing the POST binding but not
requiring encryption (namely knowledge of the SP's key), but since queries
require knowledge of the SP's key, I don't really see the point.

Unless we run into technical problems supporting large assertions in the
POST, I would have to say that 2.0 SPs will never issue 2.0 queries. They
will continue to support 1.1 queries for deployers uncomfortable with
cleartext data in the browser.

The IdP will support 2.0 queries because it won't be hard to maintain the
feature even though Shibboleth will not use it initially.

> Would it help to strip away the response wrapper (and signature) and
> expose only the assertion? Then SPs can choose whether or not they
> want signed assertions.

No. The size limit is small, signatures are one way to hit it but not the
only one. Just add a few attributes and you'll blow right by it. The
Response has never been the problem.

We have to totally rework the concept, or perhaps restrict the feature
initially to the Java SP where it's not a problem. Most use cases that need
to get at the token will initially be Java applications anyway.

-- Scott
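The size argument above (signatures are one way to hit the limit, attributes are another, and the Response wrapper is a fixed, small cost) can be checked with a model of the HTTP-POST payload. The following is an added example, not Shibboleth code and not from the thread: it builds a SAML 2.0 Response carrying one Assertion with an AuthnStatement and an AttributeStatement, then measures the base64-encoded SAMLResponse form field. Attribute names and values are constructed filler, the ds:Signature block is a placeholder with assumed realistic value sizes (nothing is actually signed), and the 8192-byte limit in the demo is hypothetical, since the message does not say what the real limit is.

```python
"""Added example (not Shibboleth code): model SAML 2.0 HTTP-POST payload size."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)


def add_signature_placeholder(assertion):
    """Enveloped XML-DSig layout with filler values. Assumed sizes: SHA-1 digest 28
    base64 chars, RSA-2048 SignatureValue 344 chars, ~900-byte DER cert 1200 chars.
    Size model only; nothing is signed."""
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod",
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + assertion.get("ID"))
    tr = ET.SubElement(ref, f"{{{DS}}}Transforms")
    ET.SubElement(tr, f"{{{DS}}}Transform",
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature")
    ET.SubElement(tr, f"{{{DS}}}Transform", Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2000/09/xmldsig#sha1")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = "D" * 28
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "S" * 344
    x509 = ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = "C" * 1200


def build_assertion(num_attributes, signed=False, value_len=32):
    """Assertion with Issuer, optional Signature, Subject, AuthnStatement and
    num_attributes single-valued attributes (constructed names urn:example:attrN)."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_" + "a" * 32, "Version": "2.0",
                                             "IssueInstant": "2006-09-11T15:20:15Z"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example.org/idp/shibboleth"
    if signed:
        add_signature_placeholder(a)
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient").text = "_" + "b" * 32
    authn = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant="2006-09-11T15:20:10Z")
    ctx = ET.SubElement(authn, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    if num_attributes:
        stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
        for i in range(num_attributes):
            attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=f"urn:example:attr{i}",
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = "v" * value_len
    return a


def wrap_in_response(assertion):
    """The samlp:Response wrapper an IdP sends over the HTTP-POST binding."""
    r = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + "r" * 32, "Version": "2.0", "IssueInstant": "2006-09-11T15:20:15Z",
        "Destination": "https://sp.example.org/Shibboleth.sso/SAML2/POST"})
    ET.SubElement(r, f"{{{SAML}}}Issuer").text = "https://idp.example.org/idp/shibboleth"
    status = ET.SubElement(r, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    r.append(assertion)
    return r


def xml_size(elem):
    return len(ET.tostring(elem, encoding="utf-8"))


def post_payload_size(elem):
    """Bytes of the SAMLResponse form field: the serialized XML, base64-encoded."""
    return len(base64.b64encode(ET.tostring(elem, encoding="utf-8")))


def size_report(num_attributes, signed):
    """Sizes of the bare assertion and of the full Response; the wrapper overhead is
    what stripping the Response (as proposed in the quoted reply) would save."""
    a = build_assertion(num_attributes, signed)
    assertion_xml, assertion_post = xml_size(a), post_payload_size(a)
    r = wrap_in_response(a)  # serialize the assertion first: append() moves it
    response_xml, response_post = xml_size(r), post_payload_size(r)
    return {"assertion_xml": assertion_xml, "assertion_post": assertion_post,
            "response_xml": response_xml, "response_post": response_post,
            "wrapper_overhead_xml": response_xml - assertion_xml}


def attributes_that_fit(limit, signed):
    """Largest attribute count whose full Response fits in `limit` POST bytes
    (-1 if even an attribute-free Response does not). Every attribute adds bytes,
    so the walk terminates."""
    n = 0
    while post_payload_size(wrap_in_response(build_assertion(n, signed))) <= limit:
        n += 1
    return n - 1


if __name__ == "__main__":
    LIMIT = 8192  # hypothetical per-value limit; the thread does not state the real one
    print(f"{'attrs':>5} {'signed':>6} {'assertion':>9} {'response':>8}  (POST bytes)")
    for signed in (False, True):
        for n in (0, 5, 20, 50):
            rep = size_report(n, signed)
            print(f"{n:>5} {str(signed):>6} {rep['assertion_post']:>9} {rep['response_post']:>8}")
    for signed in (False, True):
        print(f"signed={signed}: at most {attributes_that_fit(LIMIT, signed)} "
              f"attributes fit in {LIMIT} bytes")
```

Run it and compare rows: the wrapper costs the same few hundred bytes whether the assertion carries zero or fifty attributes, a signature placeholder adds a couple of kilobytes once, and each attribute adds a fixed increment that overtakes the signature after a few dozen attributes, which is the behaviour the message describes.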
