
shibboleth-dev - RE: [Shib-Dev] [IdPv3] Consent Engine Work

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] [IdPv3] Consent Engine Work
  • Date: Mon, 27 Sep 2010 09:40:42 -0400
  • Organization: The Ohio State University

> - the effect of isPassive="true" in consent-based SSO

Presumably it would be rare, but the consent engine interaction with the IdP
has to be capable of honoring it.

> - the fact that persistent name IDs need to be redundantly asserted as
> attributes

Not much we can do about it, other than hold the line where possible against
using anything but transient and persistent. That limits the problems.

> Speaking of persistent identifiers, how does the SP ask for a
> "persistent, non-reassigned identifier"? There are a number of
> attributes that satisfy that requirement, so how does the SP encode
> its requirement for one of them?

Many services can't be convinced to care about the things we might think are
important. If they're willing to live with OpenID, then we have to stop
boiling the ocean to satisfy them.

But if I was trying to address this within the constraints that exist, I'd
list the possible identifier attributes as optional alternatives and just do
the error checking at the application.

-- Scott
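
The application-side check suggested in the message above, sketched as an added example that is not part of the original post and is not Shibboleth code. The attribute names, their preference order, and all function and variable names are assumptions chosen for illustration.

```python
# Added example: application-side check for a usable persistent identifier.
# Attribute names and the preference order are assumptions, not from the thread.
ACCEPTABLE_IDS = ("persistent-id", "eduPersonTargetedID", "eduPersonUniqueId")


class NoUsableIdentifier(Exception):
    """Raised when the IdP released none of the acceptable identifier attributes."""


def select_identifier(idp_entity_id, attributes, acceptable=ACCEPTABLE_IDS):
    """Return (idp, attribute name, value) for the first acceptable identifier.

    `attributes` maps attribute names to lists of string values, as an SP
    would hand them to the application after validating the assertion.
    """
    if not idp_entity_id:
        raise NoUsableIdentifier("missing IdP entityID")
    for name in acceptable:
        values = [v.strip() for v in attributes.get(name, []) if v and v.strip()]
        if not values:
            continue  # optional attribute not released; try the next alternative
        if len(values) > 1:
            # An identifier with several values is ambiguous; refuse to guess.
            raise NoUsableIdentifier(f"{name} has {len(values)} values")
        # Key on the issuer and attribute name too, so the same string from a
        # different IdP or attribute never maps onto an existing account.
        return (idp_entity_id, name, values[0])
    raise NoUsableIdentifier("none of: " + ", ".join(acceptable))


# Constructed sample inputs.
SAMPLE_OK = {"mail": ["user@example.org"], "eduPersonTargetedID": ["k3j2h1-opaque"]}
SAMPLE_MISSING = {"mail": ["user@example.org"], "persistent-id": [""]}
```
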




