> Some folks from Microsoft I talked to after the Kerberos conference that
> long term services will need to request specific attributes. One issue
> is that the number of attributes available or that could be expected to
> be computed is far larger than you'd like to send.
In theory, but rarely in practice, so much so that the IdP code is designed
in such a manner that specifying what you want to get back isn't going to
affect what it "computes". It just further filters what it would release.
Partly that's because scriptlets and other methods of computing attributes
make it a non-deterministic (or at least hard) problem to answer what set
you need to compute to supply what you're asked to release.
> So in full generality you have:
> * What the service would like to know
> * What the IDP is willing to release
> * What the user wants the IDP to release
I agree that in terms of architecture/design, yes, they're all relevant. In
practice, the two factors I named are in my experience the main reasons why
it's more than a nice-to-have to be able to specify them in a query.
-- Scott