Shibboleth Developers

[Jim Fox <>]

No, not for me.  I see the resolver and filter as completely
distinct.  For one, the resolver is organized by attribute; the
filter is commonly organized by relying party, or sets of relying
parties.

We are considering using groups to manage our filter policies.
Each attribute definition gets a corresponding group.  If a relying
party is in the group it gets the attribute.  This allows people,
such as the registrar, to easily manage attribute release without
having any knowledge of shib or xml -- they need to interact only
with the groups service.  A separate filter file is convenient for
this automation.

If we continue on the group path we would use multiple filter files:
one for fixed or unusual policies; another for the group policies.

Jim


> Jim, for you, would you think having the attribute filters be in the
> attribute definition was a good thing?  In order to further consolidate
> things?
>
> On 2/2/10 5:07 PM, Jim Fox wrote:
> > I like seeing the entire definition in one place, so '-1' I guess.
> >
> > Jim
> >
> > > Anyone in favor or against?
> > > Nate.