Shibboleth Developers

[Walter Hoehn <>]

On Jul 29, 2006, at 5:45 PM, Jim Fox wrote:

> We have found a few other 'improvements' to be useful. They
> mostly provide efficiency.
>
> 1) Specify which attributes we want back from ldap.
>
>    If an entitlement, for example, requires membership in
>    a group we don't want to get back the entire membership of
>    that group, which might number many thousands.  Just
>    the 'cn' is enough.  So we added an option to the search
>    control, used like this:
>
>        returningAttribute="cn"

Sounds reasonable.  Can you file a bugzilla entry?

> 2) Make activation of the connector dynamic.
>
>    Using the same entitlement attribute as an example.
>    We usually know ahead of time which SPs will utilize
>    the group membership check.  It makes no sense to check
>    ldap for all the other SPs, to whom we wouldn't release the
>    entitlement anyway.  So we only activate the connector
>    for groups if the SP is one that might actually get
>    the entitlement.  The connector element looks like this:
>
>      <ActivationRequirement relyingParty="napster.com"/>

Sorry, maybe I don't fully understand, but there's already an  
optimization in the IdP to do something similar to this automatically  
based on ARPs.

> 3) We allow empty results of a query to be acceptable - not an error.

Sounds reasonable.  Bugzilla?

-Walter