* Alistair Young <[log in to unmask]> [2010-02-24 11:52]:
> Does anyone know of any possible access implications of broadcasting
> support for SAML2 in IdP metadata? Most entities at the moment use
> "shibboleth" attributes, i.e. eduPerson but these don't exist in the
> SAML2 attribute profile. The same values are sent in different formats
> from eduPerson.
> Just wondering if this may have an impact on personalisations at SPs.
Indeed the MACE-Dir SAML Attribute Profiles[1] differ in that for
expressing eduPerson[2] attributes in SAML2 protocol messages
OID-style naming is to be used, not the urn:mace:dir:attribute-def:
style attribute names used with SAML1.x:
"The legacy names assigned for use with the SAML 1.x attribute
profile MUST NOT be used with this profile." (3.2, p.11)
At least the Shibboleth SP accepts several forms of these and by
default populates the same local attribute from those. Likewise,
simpleSAMLphp allows to map different attribute names to the same
attribute.
Can't speak for other SAML SP implementations (e.g. OpenAthens),
though.
-peter
[1] http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200804.pdf
[2] http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200806.html
--
[log in to unmask] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
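As an added illustration (not code from this thread, nor from the Shibboleth SP or simpleSAMLphp), the following Python shows the SP-side behaviour Peter describes: one local attribute is populated whether the IdP sent the SAML2 OID-style name or the legacy urn:mace:dir:attribute-def: name, and the legacy form is flagged when it appears in a SAML2 message, since the profile forbids it there. The AttributeStatement is a constructed sample; the OIDs are the eduPerson ones from the MACE-Dir profile.

```python
"""Normalise eduPerson attribute names from a SAML2 AttributeStatement."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
LEGACY_PREFIX = "urn:mace:dir:attribute-def:"   # SAML 1.x naming style

# Local name -> SAML2 OID-style name (eduPerson arc 1.3.6.1.4.1.5923.1.1.1)
EDUPERSON_OIDS = {
    "eduPersonPrincipalName":     "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonEntitlement":       "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "eduPersonTargetedID":        "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
}
# Accept both spellings and map them onto the same local attribute.
NAME_TO_LOCAL = {oid: local for local, oid in EDUPERSON_OIDS.items()}
NAME_TO_LOCAL.update({LEGACY_PREFIX + local: local for local in EDUPERSON_OIDS})

def normalise_attributes(statement_xml):
    """Return ({local_name: [values]}, [warnings]) for one AttributeStatement."""
    root = ET.fromstring(statement_xml)
    attrs, warnings = {}, []
    for attr in root.iter("{%s}Attribute" % SAML2_NS):
        name = attr.get("Name", "")
        local = NAME_TO_LOCAL.get(name)
        if local is None:
            warnings.append("unmapped attribute %r ignored" % name)
            continue
        if name.startswith(LEGACY_PREFIX):
            # Profile section 3.2: legacy names MUST NOT be used with SAML2.
            warnings.append("%r: legacy SAML 1.x name in a SAML2 message" % name)
        values = [v.text for v in attr.findall("{%s}AttributeValue" % SAML2_NS)
                  if v.text]
        attrs.setdefault(local, []).extend(values)
    return attrs, warnings

# Constructed sample: one OID-style and one legacy-style attribute name.
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
    <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    <saml:AttributeValue>staff@example.edu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(normalise_attributes(SAMPLE_STATEMENT))
```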