Subject Re: use of eduPersonEntitlement
From Ian Young <ian@xxxxxxxxxx>
Date Thu, 16 May 2013 12:13:26 +0200

On 16 May 2013, at 10:43, Peter Schober <peter.schober@xxxxxxxxxxxx> wrote:

> * Niels van Dijk <niels.vandijk@xxxxxxxxxx> [2013-05-16 00:46]:
>> And we are indeed patching so we also allow to *only* release either
>> urn:mace or urn:oid attributes towards an SP
> I don't see how that would be necessary, unless something is still a
> bit off ;)
> According to the MACE-Dir SAML Attribute Profiles[1] -- which specify
> the use of the eduPersonEntitlement attribute for use within SAML --
> the urn:mace:attribute-def:foo names are only to be used with SAML1
> and urn:oid only with SAML2.
> So from the same hub&spoke to the same SP there should only ever be
> one variant, AFAIU.

My understanding of the specs is the same. Issues like this seem to arise if the IdP encoding the attributes doesn't really distinguish by protocol in its implementation in all the right places. I have seen a couple of cases like this; I suspect the coders in question found it would be easier to just pass through multiple encodings and hope that the SP would ignore any that were inappropriate than re-architect the IdP. I find it amusing to picture a pirate saying "and thirdly, Postel's Law is more what you'd call 'guidelines' than actual rules".

   -- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature
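As an added illustration of the per-protocol naming rule Peter cites (not code from this thread or from any IdP implementation): a small Python check that parses a SAML 1 or SAML 2 assertion and reports every attribute whose name or name format belongs to the other protocol's MACE-Dir profile. The full SAML 1 name (urn:mace:dir:attribute-def:eduPersonEntitlement), the eduPersonEntitlement OID and the name-format URIs are the standard values; the assertion is a constructed sample of the mixed release the thread describes.

```python
import xml.etree.ElementTree as ET

NS = {"saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# (name prefix, name-format URI) the MACE-Dir SAML attribute profiles require per protocol
EXPECTED = {
    1: ("urn:mace:dir:attribute-def:", "urn:mace:shibboleth:1.0:attributeNamespace:uri"),
    2: ("urn:oid:", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
}

def attribute_name_violations(assertion_xml):
    """Return (version, name, problem) for every Attribute that breaks the profile."""
    root = ET.fromstring(assertion_xml)
    if root.tag == "{%s}Assertion" % NS["saml1"]:
        version, name_key, fmt_key = 1, "AttributeName", "AttributeNamespace"
    elif root.tag == "{%s}Assertion" % NS["saml2"]:
        version, name_key, fmt_key = 2, "Name", "NameFormat"
    else:
        raise ValueError("not a SAML 1 or SAML 2 assertion: %s" % root.tag)
    prefix, fmt_expected = EXPECTED[version]
    problems = []
    for a in root.findall(".//saml%d:Attribute" % version, NS):
        name, fmt = a.get(name_key, ""), a.get(fmt_key, "")
        if not name.startswith(prefix):  # e.g. a urn:mace name inside a SAML 2 assertion
            problems.append((version, name, "name is not a SAML%d-profile name" % version))
        if fmt != fmt_expected:
            problems.append((version, name, "name format %r is not the profile's" % fmt))
    return problems

# Constructed SAML 2 assertion releasing eduPersonEntitlement twice, under the SAML 2
# (urn:oid) name and under the SAML 1 (urn:mace) name; only the second should be reported.
SAML2_MIXED = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example" Version="2.0" IssueInstant="2013-05-16T10:43:00Z">
 <saml2:AttributeStatement>
  <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:mace:dir:attribute-def:eduPersonEntitlement"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
  </saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    for version, name, problem in attribute_name_violations(SAML2_MIXED):
        print("SAML%d attribute %s: %s" % (version, name, problem))
```

Run against an IdP's outgoing assertions, a non-empty result is the symptom Ian describes: an implementation that emits both encodings rather than selecting one by protocol.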