> At the risk of generalising, I think it is interesting to consider
> whether we can extrapolate from today's Web SSO practices,
> particularly as in the use-cases we're not using SAML for
> authentication (where we might care about LoA etc); only as a source
> of attributes. The SAML IdP, consequently, says what goes and what doesn't
> and the request is moot.
Well, it's not moot because of the identifier question, but yes, I thought
about mentioning that.
The issues there are essentially whether users can consent in real time,
and/or whether requirements from the service's end vary dynamically. Without
one of those cases, you get pretty much nothing from requesting specific
attributes, and in fact the Shibboleth IdP doesn't currently handle queries
that specify them. (It should/will at some point soon.)
-- Scott
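As an added illustration of the point made above (example code, not from the thread or from the Shibboleth project): a SAML 2.0 AttributeQuery may name specific attributes, but an IdP's release policy decides what is actually returned. The policy table, the SP entityID and the query below are all constructed for the example; the attribute names are the standard OID-based URIs for eduPersonPrincipalName, mail and givenName. Requested names can only narrow the policy set, never widen it, and a query with no attribute names gets the full policy set, which is why requesting attributes buys little without per-request consent or dynamically varying service requirements.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"      # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"     # mail
GIVEN_NAME = "urn:oid:2.5.4.42"                # givenName

# Hypothetical IdP-side release policy keyed by requester entityID
# (constructed for this example; a real IdP reads this from its config).
RELEASE_POLICY = {
    "https://sp.example.org/shibboleth": {EPPN, MAIL},
}

# Constructed AttributeQuery: the SP asks for eppn, mail and givenName.
SAMPLE_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_example1" Version="2.0"
    IssueInstant="2001-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
  </saml:Subject>
  <saml:Attribute Name="{EPPN}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  <saml:Attribute Name="{MAIL}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  <saml:Attribute Name="{GIVEN_NAME}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</samlp:AttributeQuery>"""

# Same requester, but no attribute names given at all.
SAMPLE_QUERY_NO_NAMES = f"""<samlp:AttributeQuery xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_example2" Version="2.0"
    IssueInstant="2001-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""


def parse_query(query_xml):
    """Return (issuer entityID, set of requested attribute Names)."""
    root = ET.fromstring(query_xml)
    if root.tag != "{%s}AttributeQuery" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AttributeQuery")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    requested = {a.get("Name") for a in root.findall("saml:Attribute", NS)}
    return issuer, requested


def decide(query_xml):
    """Apply the release policy to a query.

    Returns {"released": set, "refused": set}. 'refused' lists requested
    names the policy does not allow, which is worth logging on the IdP side.
    """
    issuer, requested = parse_query(query_xml)
    allowed = RELEASE_POLICY.get(issuer, set())
    if not requested:
        # No names in the query: policy alone decides.
        return {"released": set(allowed), "refused": set()}
    return {"released": allowed & requested, "refused": requested - allowed}


if __name__ == "__main__":
    for q in (SAMPLE_QUERY, SAMPLE_QUERY_NO_NAMES):
        print(decide(q))
```

The requester's wish list never adds to what the policy permits; with no names in the query the result is identical to the policy set, so the only effect of naming attributes is to drop some of what would have been released anyway.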