SOAP SLO handler: what would it be used for?

Cantor, Scott cantor.2 at
Wed Apr 16 15:31:02 EDT 2014

On 4/16/14, 3:05 PM, "Eric Goodman" <Eric.Goodman at> wrote:

>As I understood it:
>With SAML1 artifact resolution, the attributes "query" is always preceded
>by an authentication event.

There isn't really a query with artifact flows. If there is, things are
really screwed up. SAML 1 behavior in Shibboleth was not defaulted to
artifacts, though they're supported. Artifacts are a different profile
from use of attribute query.

>With SAML2 attribute queries, I thought the IdP could be used as an
>non-authenticating attribute authority (i.e., in a circumstance where
>there was no preceding authentication event). Is that not true?

It's true with either SAML version, but if you have that use case, you
shouldn't need somebody to tell you that you do. This is why my original
answer to this kind of question stands: you run the services you need, and
only you can know what those are. And any decision you make now has to be
subject to future change when the answers change.

-- Scott

More information about the users mailing list