Josh, thanks.
That explanation helps a lot.
I suggest that there's one case where we might want to come up with a
recommendation (not in aaa-saml) for what mapping to do. The case where
you have a SAML AA but no SAML assertion in the request and need to map
COI-scoped AAA identifiers. I think this case will come up for the
managed portal project we were talking about with per-user COI
membership and entitlements.
Besides that, I think we have things under control.
It seems reasonable to me to commit to option 1 (AAA-style identifiers)
for AAA attributes.