shibboleth-dev - RE: [Shib-Dev] Shib WG Topics
- From: "Cantor, Scott E." <>
- To: "" <>
- Subject: RE: [Shib-Dev] Shib WG Topics
- Date: Thu, 7 Apr 2011 13:53:56 +0000
- Accept-language: en-US

> * Kristof Bajnok <> [2011-04-07 11:24]:
> > Scott / Steven, could you please summarize what 'isRequired' and
> > 'OR' problems stand for and where the proposed solutions contradict
> > the SAML spec? If there's an archive of the discussion, a pointer is
> > welcome.

I have an open AI to document the conclusions of the dev meeting; I apologize
it's taking me so long to get to.

> Well, if an SP requires ePTId OR ePPN to work (a rather common
> scenario) there is currently no way to express that in the existing
> metadata schema.

The more specific case we focused on is alternate names for things like
"name", such as displayName, CN, using givenName and sn separately, etc. But
yes, the ID mess is also an example.

Also, we felt that supporting SAML 1 alongside SAML 2 would be useful for
compatibility, and that makes it worse, since many attributes have different
wire names across them.

> I thought that the proposed way to handle this was to list both and set
> isRequired="false" and document/communicate the either/or OOB.

Right. And the reason for this is that if you *don't* have per-attribute
filtering, there's no value in distinguishing required and optional, because
that becomes a sysadmin flag set globally for all intents and purposes.
That's the opposite of what we want to achieve (getting the sysadmin out of
the loop).

So our conclusion is to avoid the feature, and a lot of simple use cases become
supportable, including attribute aliasing and multi-protocol support.

> I'd also appreciate some more context, why documenting attribute
> requirements in metadata is suddenly something not recommended/BCP, why
> the Shibboleth software should not do something useful with that info,
> etc.pp.

If I gave that impression, I was misinterpreted.

-- Scott
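
Added illustration, not part of the original message and not Shibboleth code: the approach discussed above, where an SP lists every alternative as a `RequestedAttribute` with `isRequired="false"` and the either/or rule is agreed out of band. The metadata fragment, the `ALIAS_GROUPS` table and the function names are constructed for this example; the SP-side check is one hypothetical way to enforce the out-of-band rule.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
EPPN_SAML1 = "urn:mace:dir:attribute-def:eduPersonPrincipalName"

# Constructed SP metadata fragment: the schema cannot say "ePTId OR ePPN",
# so every alternative (including the SAML 1 wire name) is listed as optional.
METADATA = f"""
<md:AttributeConsumingService xmlns:md="{MD}" index="1">
  <md:ServiceName xml:lang="en">Example SP (constructed)</md:ServiceName>
  <md:RequestedAttribute Name="{EPTID}" isRequired="false"/>
  <md:RequestedAttribute Name="{EPPN}" isRequired="false"/>
  <md:RequestedAttribute Name="{EPPN_SAML1}" isRequired="false"/>
</md:AttributeConsumingService>
"""

# Assumed out-of-band agreement: at least one wire name per group must arrive.
ALIAS_GROUPS = {"user identifier": {EPTID, EPPN, EPPN_SAML1}}


def requested_attributes(metadata_xml):
    """Map each md:RequestedAttribute wire name to its isRequired flag."""
    root = ET.fromstring(metadata_xml)
    return {
        el.get("Name"): el.get("isRequired", "false") in ("true", "1")
        for el in root.iter(f"{{{MD}}}RequestedAttribute")
    }


def undeclared_aliases(metadata_xml, groups=ALIAS_GROUPS):
    """Aliases the SP depends on but never advertised in its metadata."""
    declared = set(requested_attributes(metadata_xml))
    return sorted(a for names in groups.values() for a in names - declared)


def unsatisfied_groups(released_names, groups=ALIAS_GROUPS):
    """Groups for which the IdP released none of the acceptable names."""
    released = set(released_names)
    return sorted(g for g, names in groups.items() if not names & released)
```

Because nothing is marked required, the SP has to run a check like `unsatisfied_groups` itself and fail closed when no acceptable identifier arrives.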