On 24 Feb 2010, at 10:45, Alistair Young wrote:
> Does anyone know of any possible access implications of broadcasting support for SAML2 in IdP metadata? Most entities at the moment use "shibboleth" attributes, i.e. eduPerson, but these don't exist in the SAML2 attribute profile. The same values are sent in different formats from eduPerson.
> Just wondering if this may have an impact on personalisations at SPs.
There's a section (220.127.116.11) in the UK federation's Technical Recommendations for Participants that tells SP deployers how to future-proof against this. SPs that have implemented that section of the TRP should be in a pretty good position to act on each of the three different representations of something like ePTI.
The gist is that if you are an SP and you receive a "legacy" scoped ePTI then you shouldn't use it as-is, but transform it into something equivalent to the SAML 2.0-based name identifier representations. As remarked by others in this thread, both the Shibboleth and OpenAthens SPs give deployers the tools to do this. No guarantees that any particular SP has followed the recommendation, though I know that at least some have done so.
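As an added illustration of the transformation described above (example code, not from the thread, the UK federation TRP, or the Shibboleth/OpenAthens projects): the two SAML 2.0 forms of ePTI (Subject NameID, or the urn:oid:1.3.6.1.4.1.5923.1.1.1.10 attribute carrying a NameID) and the legacy scoped attribute are reduced to one canonical key so that SP-side personalisation survives a switch of representation. The "NameQualifier!SPNameQualifier!Name" layout mirrors the default Shibboleth SP persistent-id formatter; the entityIDs are constructed, and mapping the legacy value onto the asserting IdP and the receiving SP as its qualifiers is this example's assumption, not something the thread specifies.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample entityIDs, not real deployments.
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


@dataclass(frozen=True)
class TargetedID:
    """Canonical ePTI: the triple a Shibboleth SP builds with the
    formatter "$NameQualifier!$SPNameQualifier!$Name"."""
    name_qualifier: str      # the IdP the identifier belongs to
    sp_name_qualifier: str   # the SP it was minted for
    value: str               # the opaque, per-SP identifier

    def key(self) -> str:
        return f"{self.name_qualifier}!{self.sp_name_qualifier}!{self.value}"


def from_name_id(value: str, issuer: str, sp_entity_id: str,
                 name_qualifier: Optional[str] = None,
                 sp_name_qualifier: Optional[str] = None) -> TargetedID:
    """SAML 2.0 persistent NameID (Subject or attribute-carried).
    Absent qualifiers default to the assertion issuer and our own entityID,
    as a Shibboleth SP does with defaultQualifiers="true"."""
    if not value:
        raise ValueError("empty NameID value")
    # Defensive check added here: an IdP may only qualify identifiers as its
    # own, otherwise one IdP could impersonate another IdP's users at this SP.
    if name_qualifier and name_qualifier != issuer:
        raise ValueError("NameQualifier does not match asserting IdP")
    if sp_name_qualifier and sp_name_qualifier != sp_entity_id:
        raise ValueError("SPNameQualifier is not this SP")
    return TargetedID(issuer, sp_entity_id, value)


def from_legacy_scoped(scoped: str, issuer: str, sp_entity_id: str) -> TargetedID:
    """Legacy scoped eduPersonTargetedID ("opaque@scope"). Assumption of this
    example: treat the asserting IdP as NameQualifier and this SP as
    SPNameQualifier so the result is comparable with the SAML 2.0 forms.
    Unscoped or empty values are rejected rather than guessed at."""
    if "@" not in scoped:
        raise ValueError("legacy eduPersonTargetedID must be scoped")
    value, scope = scoped.rsplit("@", 1)   # the opaque part may itself contain '@'
    if not value or not scope:
        raise ValueError("empty value or scope in scoped ePTI")
    return TargetedID(issuer, sp_entity_id, value)
```

Whichever representation arrives, `key()` is the value to store against personalisation data, rather than the raw attribute string.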