meta attributes (was: IdPv3 - eduPersonTargetedID - How to define and release this attribute?)

Cantor, Scott cantor.2 at
Mon Apr 4 13:01:55 EDT 2016

> How is this different than defining a new attribute "epSUID" and defining the
> contents in exactly the same manner? I understand that the tooling is
> different in terms of what's in meta data and what's released on the wire,
> but configuring an IdP to understand a meta attribute vs. configuring it to
> release a new attribute name seems about equivalent to me.

The basic difference is SPs. New attributes mean you touch them, these kinds of abstractions mean you don't.

> But again, I'm not understanding the pragmatic difference between defining
> and supporting meta-attributes vs. defining a "new attribute type" given that
> either appears irrelevant if not understood and supported by the IdP.

One sort of difference is if you move toward remotely supplying attribute release policy, you could define the meta-attribute "look aside" behavior centrally, sort of.

> (n.b., on the definition: "persistent" in SAML speak really calls in the sense of
> "opaque" for per the definition of the nameid type. It's clear that you are not
> intending this; however this eventually gets defined I think it's worth making
> a note of that distinction).

It was gratifying today that in an IETF session I sat in on, the same obnoxious, odious little troll that made that misuse of terminology necessary in SAML is still hanging around raising idiotic semantic arguments over language in other standards meetings.

-- Scott

More information about the users mailing list