
List:       shibboleth-users
Subject:    Re: IdP Clustering and CAS
From:       Peter Schober <peter.schober () univie ! ac ! at>
Date:       2014-05-30 11:01:34
Message-ID: 20140530110134.GH28917 () aco ! net

Just to expand one item a bit from what Michael said:

* Michael A Grady <mgrady@unicon.net> [2014-05-29 01:29]:
>  - if you need to still support SAMLv1 SPs, and thus want to support
>  attribute queries (back channel), then use stateless clustering
>  with the CryptoTransientId.

"Thus" suggests a logical or factual dependency on attribute queries,
but I have yet to see a SAML1-only SP that does not support attributes
pushed during SSO as well. So from my experience you can have
SAML1-only SPs and still avoid attribute queries -- provided exposing
attributes to the web browser is acceptable.
In our case those SAML1-only SPs were all commercial library services
and those only get the lib-common-terms attribute, exposure of which
to the browser is not an issue.
We're not expecting any more/new SPs which are SAML1-only and the
SAML1-only ones are getting fewer with time ever so slowly.
-peter