shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] idp-initiated SSO
  • Date: Fri, 17 Oct 2008 14:59:29 -0400
  • Organization: The Ohio State University

> I thought (f) was merely an expression of what Nate was pointing out in his
> simulation-of-idp-initiated "trick"!!

No, not at all. It's how you fool the IdP into sending a response and hope
that the SP in question doesn't check InResponseTo. It will not result in
that attribute being omitted. The Shibboleth SP doesn't check it, but others
might, so in general, it's probably not a great idea. In hindsight I'm sorry
I didn't point that out.

> It was little more than an afterthought, designed to codify his trick. Acted
> like a test to ensure that the definitions could deal with the outlier case,
> too.

See above. Codifying his trick does not make the sender of that request a
third party in the formal sense of getting around the InResponseTo problem.
The IdP simply assumes that the requester in ALL cases is the SP. I guess
that's the best way to answer all this. Right now, that's just how it
behaves.

> Can Shib SP handle multiple assertions in a response? (or perhaps, better,
> is an array of n>1 assertions a part of the security concept of Shib?)

The SP handles any number of assertions, provided they follow the profile,
which in this case means they all must share a common subject.

You may find that not many SPs will handle more than one. They certainly did
not in the past.

-- Scott
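The two SP-side checks this reply touches on, InResponseTo matching and a common subject across multiple assertions, as an added example in Python. This is not code from the thread, from Shibboleth, or from any SP implementation; the request-ID store, the function names and the sample messages are constructed for illustration, and the code assumes the response's XML signature has already been verified before these attributes are trusted.

```python
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml's drop-in parser

# SAML 2.0 namespaces used in a samlp:Response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def check_in_response_to(response_xml, outstanding_request_ids, allow_unsolicited=False):
    """Decide whether a samlp:Response may be consumed, based on InResponseTo.

    outstanding_request_ids is the SP's own record (a hypothetical store) of the
    AuthnRequest IDs it issued and has not yet consumed; the caller should drop
    an ID once its response is accepted so the same response cannot be replayed.
    Returns (accepted, reason). Assumes the response signature was verified first.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    irt = root.get("InResponseTo")
    if irt is None:
        # No InResponseTo at all: genuine IdP-initiated SSO. Accept only if this
        # SP has explicitly opted in to unsolicited responses.
        if allow_unsolicited:
            return True, "unsolicited response accepted"
        return False, "unsolicited response rejected; SP accepts solicited responses only"
    if irt not in outstanding_request_ids:
        # An ID this SP never issued: a stale/replayed response, or one the IdP
        # was induced to send by a requester that was not this SP.
        return False, f"InResponseTo {irt!r} matches no request issued by this SP"
    return True, f"matches outstanding request {irt!r}"


def common_subject(response_xml):
    """Return the NameID value shared by every saml:Assertion in the response.

    Returns None if there are no assertions, an assertion has no NameID, or the
    assertions disagree on (Format, value), i.e. they do not share one subject.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return None
    seen = set()
    for assertion in assertions:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            return None
        seen.add((name_id.get("Format", ""), name_id.text.strip()))
    if len(seen) != 1:
        return None
    return next(iter(seen))[1]


# Constructed sample messages (not captured traffic); Issuer, Conditions and
# signatures are omitted to keep the structure readable.
_ASSERTION = (
    '<saml:Assertion ID="{id}" Version="2.0" IssueInstant="2008-10-17T18:59:29Z">'
    '<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)


def _response(in_response_to, subjects):
    attrs = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    body = "".join(_ASSERTION.format(id=f"_a{i}", subject=s) for i, s in enumerate(subjects))
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_r1" Version="2.0" IssueInstant="2008-10-17T18:59:29Z"{attrs}>{body}</samlp:Response>'
    )


SOLICITED = _response("_req-1", ["alice@example.org", "alice@example.org"])
UNSOLICITED = _response(None, ["alice@example.org"])
MIXED = _response("_req-1", ["alice@example.org", "bob@example.org"])

if __name__ == "__main__":
    pending = {"_req-1"}  # what this SP is currently waiting for
    print(check_in_response_to(SOLICITED, pending))
    print(check_in_response_to(UNSOLICITED, pending))
    print(check_in_response_to(UNSOLICITED, pending, allow_unsolicited=True))
    print("common subject:", common_subject(SOLICITED))
    print("mixed subjects:", common_subject(MIXED))
```

The InResponseTo check only has teeth if the ID store is per-SP state that nothing else can write to, and if accepted IDs are consumed; an SP that skips the check, as the reply notes the Shibboleth SP of the time did, will consume any response the IdP was persuaded to issue. The subject check is the profile rule from the reply turned into code: a response carrying assertions about different subjects is rejected rather than having its attributes merged.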

Archive powered by MHonArc 2.6.16.