Shibboleth Developers

[Chad La Joie <>]

The behavior of the isRequired attribute and what to do if all required 
attributes are not returned is given in the SAML spec, so there is no 
ambiguity there.

On 9/25/10 10:58 AM, Tom Scavo wrote:
> > I don't think we'll achieve any consensus even within a federation on
> > exactly what an IdP should do in particular cases.
>
> I don't doubt consensus will be difficult. The incentive for trying to
> specify IdP behavior boils down to the isRequired attribute on the
> <md:RequestedAttribute>  element. Unless we provide some guidance, SP
> operators will have trouble with that, I think. It's a support issue
> really, and one I'd rather avoid.
>
> Like it or not, the federation will be forced to articulate the
> meaning of the isRequired attribute, so the question is whether or not
> the IdP has the right knobs (as you say) to support deployments within
> any given federation.
>
> As an example, an IdP behavior that will resonate with SP operators
> is: either the IdP returns ALL required attributes or no attributes
> whatsoever. If "no attributes" means an error condition, that's fine I
> guess. As long as the SP operator understands the consequences of
> setting isRequired="true", we should be okay.
>
> Tom

--
Chad La Joie
http://itumi.biz
trusted identities, delivered