Shibboleth Developers

[Nate Klingenstein <>]

Shibbolizers,

An idea struck me while trolling through another attribute- 
resolver.xml file and talking to Chad.  Would it be better if  
attribute encoders were maintained in a separate file, like attribute  
filters?

There's a lot of visual clutter that is added by the inclusion of the  
attribute encoders in the middle of attribute definitions.  They're  
very rarely changed by deployers (though new ones are added), while  
other parts of the resolver file, such as data connector dependencies,  
would be changed more often.  Furthermore, they're a distinct part of  
the attribute system, though, and are only used later in the process,  
outside of the resolver itself.

I'd really like to see the encoders placed into a separate attribute- 
encoder.xml file.  An attribute definition would then look like(though  
the syntax might be further collapsible):

    <resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad 
"
        sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
    </resolver:AttributeDefinition>

and the corresponding part of attribute-encoder.xml would look like:

<AttributeEncoder attributeID="uid">

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder 
"
            name="urn:mace:dir:attribute-def:uid" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder 
"
            name="urn:oid:0.9.2342.19200300.100.1.1"  
friendlyName="uid" />

</AttributeEncoder>

I'd also like the attribute-encoder.xml defaults to be uncommented in  
the distribution.  Since the corresponding attributes are already  
commented out, I can't see any harm from doing so, but it would make  
the IdP more approachable to deployers.

Anyone in favor or against?
Nate.