
shibboleth-dev - RE: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Obtaining user attributes from a web form at the time of authentication
  • Date: Mon, 27 Oct 2008 13:36:28 -0400
  • Organization: The Ohio State University

> Well, metadata is largely unsupported outside of higher ed and
> relatively inflexible anyway. The latter, in particular, makes
> metadata unsuitable for specifying attribute requirements.

Certainly agree with the former, but that's immaterial if somebody is
already planning to rely on Shibboleth. The latter I simply see no evidence
for. It's flexible enough for many situations, and my point is that nobody
is really using it for *anything*, not that it handles every possible case.

> Moreover,
> when you consider other use cases beyond Web Browser SSO (e.g., the
> case in which the presenter is the SAML requester), metadata doesn't
> even exist.

Of course it can exist. Cardspace is exactly this model, but it hardly
precludes metadata.

> So all things considered, it's a good idea to support
> attributes in AuthnRequest. This was simply an oversight in the SAML
> spec (which was necessarily focused on Web Browser SSO).

No, it was just a choice to keep the profile simpler. Conscious decision,
not oversight.

-- Scott




