So, the current GSS EAP naming attributes document says that if the mechanism performs an attribute query, the results of that attribute query are made available using the same gss-api attribute names as if they were present in the assertion.
This was kind of a hack to support something that our implementation does and stems from a past misunderstanding on my part about how Shibboleth SP works. My assumption was that Shibboleth stuck all the SAML attributes in the same bucket. What actually happens is that Shibboleth has a complex configuration and you can map attributes from SAML assertions into the local attribute name space. Alternatively, you can ask Shibboleth to go perform a SAML attribute query.

I don't think the IETF specs need to talk about attribute query. If attribute query happens, it will be something the acceptor does to itself. It will require configuration, and as part of configuring it to happen you can configure what attributes get mapped to.

However, since I'm removing something, I want to confirm with the WG.

--Sam

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
