IdP Clustering and CAS
peter.schober at univie.ac.at
Fri May 30 07:01:34 EDT 2014
Just to expand one item a bit from what Michal said:
* Michael A Grady <mgrady at unicon.net> [2014-05-29 01:29]:
> - if you need to still support SAMLv1 SPs, and thus want to support
> attribute queries (back channel), then use stateless clustering
> with the CryptoTransientId.
"Thus" suggests a logical or factual dependency on attribute queries,
but I have yet to see a SAML1-only SP that does not support attributes
pushed during SSO as well. So from my experience you can have
SAML1-only SPs and still avoid attribute queries -- provided exposing
attributes to the web browser is acceptable.

In our case those SAML1-only SPs were all commercial library services
and those only get the lib-common-terms attribute, exposure of which
to the browser is not an issue.

We're not expecting any more/new SPs which are SAML1-only and the
SAML1-only ones are getting fewer with time ever so slowly.