
shibboleth-dev - Re: [Shib-Dev] attribute-encoder.xml?

Subject: Shibboleth Developers

  • From: Karsten Huneycutt
  • To: Shibboleth Development
  • Subject: Re: [Shib-Dev] attribute-encoder.xml?
  • Date: Wed, 3 Feb 2010 13:27:21 -0500

Hello --

If the goal is ready access to data connector definitions for deployers, why
not break those out into a separate file instead?

My concern with splitting these two definitions apart centers around adding
new attributes to be resolved and having to add this in two separate yet very
coupled files. Plus, these two functions, while not necessarily the same in
code, are logically part of the same attribute definition -- one won't
function without the other.

Is there any way instead to reduce the verbosity of the encoders, and thereby
reduce the "clutter" associated with them?

KH

On 02 Feb 2010, at 16:32 , Nate Klingenstein wrote:

> Shibbolizers,
>
> An idea struck me while trolling through another attribute-resolver.xml
> file and talking to Chad. Would it be better if attribute encoders were
> maintained in a separate file, like attribute filters?
>
> There's a lot of visual clutter that is added by the inclusion of the
> attribute encoders in the middle of attribute definitions. They're very
> rarely changed by deployers (though new ones are added), while other parts
> of the resolver file, such as data connector dependencies, would be changed
> more often. Furthermore, they're a distinct part of the attribute system,
> though, and are only used later in the process, outside of the resolver
> itself.
>
> I'd really like to see the encoders placed into a separate
> attribute-encoder.xml file. An attribute definition would then look
> like (though the syntax might be further collapsible):
>
> <resolver:AttributeDefinition id="uid" xsi:type="Simple"
> xmlns="urn:mace:shibboleth:2.0:resolver:ad"
> sourceAttributeID="uid">
> <resolver:Dependency ref="myLDAP" />
> </resolver:AttributeDefinition>
>
> and the corresponding part of attribute-encoder.xml would look like:
>
> <AttributeEncoder attributeID="uid">
>
> <resolver:AttributeEncoder xsi:type="SAML1String"
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
> name="urn:mace:dir:attribute-def:uid" />
>
> <resolver:AttributeEncoder xsi:type="SAML2String"
> xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
> name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
>
> </AttributeEncoder>
>
> I'd also like the attribute-encoder.xml defaults to be uncommented in the
> distribution. Since the corresponding attributes are already commented
> out, I can't see any harm from doing so, but it would make the IdP more
> approachable to deployers.
>
> Anyone in favor or against?
> Nate.
>

--
Karsten Huneycutt
ITS Identity Management, UNC Chapel Hill
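
The coupling concern raised in this message, shown as a cross-file check over the split layout proposed in the quoted text. This is an added example, not part of the original thread or of Shibboleth itself; the `AttributeEncoders` root element, the sample documents, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"

# Constructed sample: attribute definitions only, as in the quoted proposal.
RESOLVER_XML = """
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""

# Constructed sample of the proposed attribute-encoder.xml. The root element
# name and the "urn:example:" attribute name are hypothetical.
ENCODER_XML = """
<AttributeEncoders xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeEncoder attributeID="uid">
    <resolver:AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
    <resolver:AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
  </AttributeEncoder>
  <AttributeEncoder attributeID="affiliation">
    <resolver:AttributeEncoder xsi:type="SAML2String" name="urn:example:affiliation" />
  </AttributeEncoder>
</AttributeEncoders>
"""

def defined_ids(resolver_xml):
    """IDs of every AttributeDefinition in the resolver file."""
    root = ET.fromstring(resolver_xml)
    return {d.get("id") for d in root.iter(f"{{{RESOLVER_NS}}}AttributeDefinition")}

def encoded_ids(encoder_xml):
    """attributeIDs whose (un-namespaced) wrapper holds at least one encoder."""
    root = ET.fromstring(encoder_xml)
    return {w.get("attributeID") for w in root.iter("AttributeEncoder")
            if w.find(f"{{{RESOLVER_NS}}}AttributeEncoder") is not None}

def check_coupling(resolver_xml, encoder_xml):
    """Return (definitions with no encoder, encoders with no definition)."""
    defined, encoded = defined_ids(resolver_xml), encoded_ids(encoder_xml)
    return sorted(defined - encoded), sorted(encoded - defined)

if __name__ == "__main__":
    print(check_coupling(RESOLVER_XML, ENCODER_XML))
```
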




