
shibboleth-dev - Re: Attribute Queries in Shib 2

Re: Attribute Queries in Shib 2


  • From: Chad La Joie <>
  • Subject: Re: Attribute Queries in Shib 2
  • Date: Mon, 09 Jul 2007 09:56:22 -0400
  • Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
  • Organization: Georgetown University

We agree. The default identifier formats will be the Shibboleth format
for SAML 1 and the Transient format for SAML 2. Both have the same
transient and opaque properties.

Sure would be nice though if we could use convenient assumptions. ;)

Ian Young wrote:
>> If the name identifier is
>> opaque (transient or persistent) and the attributes are non-identity
>> attributes (affiliations and/or entitlements), there shouldn't be a
>> problem, right?
>
> True, but irrelevant.
>
> If you're talking about a default configuration that will be applied for
> all Shibboleth 2.0 installations, I don't think you can make assumptions
> about the kind of data being sent between the IdP and SP.
>
> Most deployers won't ever change the default configuration, so (in my
> opinion) it has to be secure under any assumptions about the attributes
> used, not just convenient assumptions.

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124