
shibboleth-dev - RE: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication
  • Date: Mon, 27 Oct 2008 13:00:51 -0400
  • Organization: The Ohio State University

> The world of extensions is on the rise (Google Gears, Firefox addons :) ) so
> poor user installs one more. Jokes aside Scott, I do see your concern but
> for whatever reason world is fascinated by keeping some profile data with
> them on local machine or device [e.g. being CardSpace, and I think Advance
> client from Liberty (I do not have much knowledge about Advance client so
> pardon me if misused it here)] and maybe get a false sense of security that
> it is not on some database.

I think some people are interested in it, and those people have no idea what
it takes to get people to install specific pieces of software, or support
them doing so. I consistently get laughter or silence in the higher ed
community when I ask questions about using client plugins.

Again, nothing to do with your situation necessarily, just my perspective.

> - CardSpace looks bit heavy ( on client install) and again with its selector
> I am not flexible enough for retrieval of attributes.

I think once you go to a client footprint at all, you're already there.
Worrying about how large the client is doesn't make that much sense to me.

> 1/ As part of AuthnRequest you can't specify the attributes required.
> Attribute Query/Response is the thing to use for this. [Please correct me if
> I misunderstood the spec]

That's not really true. You can put them in the SP's metadata, which is
similar to how CardSpace works. The fact that people don't use that feature
is the biggest reason I'm skeptical of an extension to list them in an
AuthnRequest. The number of cases where that would be required and using
metadata wouldn't work is fairly small, I think.

> 2/ In order to transmit attributes in Response (to authnrequest) you could
> put them in attribute-resolver of Shibboleth but in that case they have to
> be transmitted every time user authenticates (Not good definitely).

That depends on many factors: the policy at the IdP, optionally user consent
via the SWITCH ArpViewer tool, using metadata to let the SP ask for the ones
it needs, etc. A lot of pieces to use there.

-- Scott
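
The mechanism discussed in the message above, an SP listing the attributes it needs in its own metadata, shown as an added example that is not part of the original message or of Shibboleth's code. The entityID, attribute choices, IdP policy set and function names are constructed for illustration, and the metadata is assumed to have been signature-verified before it is parsed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"        # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"       # mail
GIVEN_NAME = "urn:oid:2.5.4.42"                  # givenName

# Constructed SP metadata, trimmed to the elements relevant here.
SP_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example service</md:ServiceName>
      <md:RequestedAttribute Name="{EPPN}" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="{MAIL}" FriendlyName="mail"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def requested_attributes(metadata_xml, index="0"):
    """Return {attribute Name: isRequired} for one AttributeConsumingService."""
    root = ET.fromstring(metadata_xml)
    wanted = {}
    for acs in root.iter(f"{{{MD}}}AttributeConsumingService"):
        if acs.get("index") != index:
            continue
        for ra in acs.findall(f"{{{MD}}}RequestedAttribute"):
            # isRequired is an xs:boolean that defaults to false when absent.
            wanted[ra.get("Name")] = ra.get("isRequired", "false") in ("true", "1")
    return wanted

def plan_release(metadata_xml, resolved, idp_policy):
    """Release only attributes the SP asked for AND IdP policy permits."""
    wanted = requested_attributes(metadata_xml)
    released = {n: v for n, v in resolved.items() if n in wanted and n in idp_policy}
    # Required attributes the IdP will not send: surface these to operators.
    missing = sorted(n for n, req in wanted.items() if req and n not in released)
    return released, missing

# Constructed resolver output and IdP policy (hypothetical names and values).
RESOLVED = {EPPN: ["user@example.org"], MAIL: ["user@example.org"], GIVEN_NAME: ["Sample"]}
IDP_POLICY = {EPPN, GIVEN_NAME}

if __name__ == "__main__":
    print(plan_release(SP_METADATA, RESOLVED, IDP_POLICY))
```

Here `mail` is requested but withheld by IdP policy, and `givenName` is permitted by policy but never sent because the SP did not ask for it.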




