* Alistair Young <[log in to unmask]> [2010-10-22 17:15]:
> What would be best practice for an IdP which is using SAML2 WBSSO
> and wants to maintain continuity of service with service providers?
> i.e. it's using shibboleth just now with the simple shibboleth
> attribute naming conventions (urn:mace:dir ... edu*)
For all eduPerson-defined attributes this is explicitly specified in
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200804.pdf
E.g. "The legacy names assigned for use with the SAML 1.x attribute
profile MUST NOT be used with this profile." (where "legacy names" means
urn:mace:*)
> should it use the full blown SAML2 attribute naming convention:
> urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Yes.
> or the more "shibby" type version:
> urn:oasis:names:tc:SAML:2.0:attrname-format:basic
No idea what's "shibby" about that and IMHO there is no reason at all
to ever use basic attribute names on the wire (inside SAML assertions).
Shibboleth service providers (as well as others, e.g. SimpleSAMLphp)
come with a mapping of urn:oid:... valued attributes out of the box
(so the application only ever sees the mapped value, e.g. "email"),
but this is only after everything has been received, decrypted and
decoded and data is finally exported to the application.
-peter
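As an added illustration of the point in this reply (not code from the thread or from any Shibboleth component), the following Python sketch shows the two halves: an IdP emitting attributes on the wire with `urn:oid:` names and the `attrname-format:uri` NameFormat, and an SP-side mapping step that runs only after the assertion has been decoded, accepts only URI-format names it knows, and rejects legacy `urn:mace:` names. The `ATTRIBUTE_MAP` table, the function names and the sample values are assumptions constructed for the example; the OIDs are the standard ones for mail, eduPersonPrincipalName and eduPersonAffiliation.

```python
"""Added example (not from the thread): URI-format urn:oid attributes on
the wire, mapped to local names only at the SP after decoding.
ATTRIBUTE_MAP is an assumption modelled on the idea of Shibboleth SP's
out-of-the-box attribute mapping; sample values are constructed."""

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# SP-side table (assumption): wire name -> name the application sees.
ATTRIBUTE_MAP = {
    "urn:oid:0.9.2342.19200300.100.1.3": "email",        # mail
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",          # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",   # eduPersonAffiliation
}


def build_attribute_statement(attrs):
    """IdP side: emit every attribute with a urn:oid Name and the URI
    NameFormat. `attrs` maps wire name -> list of string values."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(
            stmt, f"{{{SAML_NS}}}Attribute", Name=name, NameFormat=NAMEFORMAT_URI
        )
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def map_attributes(statement_xml):
    """SP side, run after signature check / decryption / decoding:
    keep only URI-format attributes present in ATTRIBUTE_MAP and return
    (mapped, rejected). Legacy urn:mace:* names and basic/unspecified
    NameFormats are rejected rather than silently accepted."""
    root = ET.fromstring(statement_xml)
    mapped, rejected = {}, []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        # SAML 2.0 defaults NameFormat to "unspecified" when absent.
        fmt = attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED)
        if fmt != NAMEFORMAT_URI or name.startswith("urn:mace:") or name not in ATTRIBUTE_MAP:
            rejected.append((name, fmt))
            continue
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        mapped[ATTRIBUTE_MAP[name]] = values
    return mapped, rejected


# Constructed sample of what a legacy SAML 1.x-style IdP might still send:
# a urn:mace name with the basic NameFormat. The SP mapping above rejects it.
LEGACY_STATEMENT = (
    f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'
    f'<saml:Attribute Name="urn:mace:dir:attribute-def:mail" NameFormat="{NAMEFORMAT_BASIC}">'
    "<saml:AttributeValue>alice@example.org</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement>"
)


if __name__ == "__main__":
    wire = build_attribute_statement({
        "urn:oid:0.9.2342.19200300.100.1.3": ["alice@example.org"],
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["alice@example.org"],
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["member", "staff"],
    })
    print("on the wire:", wire)
    print("application sees:", map_attributes(wire))
    print("legacy statement:", map_attributes(LEGACY_STATEMENT))
```

The application only ever sees the keys on the right-hand side of `ATTRIBUTE_MAP` (`email`, `eppn`, `affiliation`); the `urn:oid` names and the NameFormat exist purely on the wire, which is why nothing is gained by putting basic names into the assertion itself.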