Evolving Attribute Release Policies for campuses

Cantor, Scott cantor.2 at osu.edu
Wed Apr 6 10:49:49 EDT 2016

On 4/6/16, 10:34 AM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

>I, too, am rather bothered by the apparent contradiction for attribute release for R&S category SPs. I'm told to release the whole bundle of seven attributes, but then an R&S SP enters RequestedAttributes into metadata which may or may not be the same seven. Which am I supposed to follow?

The R&S rule. If they need more than that, they would be expected to negotiate for them out of band (or sure, in band if you want, but either way it has nothing to do with the bundle). If they need less, nothing breaks.

> Do I send attributes that the SP may not want just because their R&S and I'm supposed to release the entire bundle?

I would, yes. You don't have to, but if you don't, you should not be tagged as supporting it.

> Or do I only send what they've marked as requested, which I think technically breaks my obligation as an R&S-adopting IDP.

It doesn't technically break it, it *does* break it. The text on that is not open to this interpretation. You cannot tag yourself R&S if you do that. That is fundamental to the thinking that led to this whole area of work.

Note that the subset listed is *not* the whole bundle. Affiliation is not required. That does matter. OSU doesn't release affiliation by default now at all, to anybody, because I believe it's frequently misused for authorization and I don't want to facilitate that. If the text said I had to, I would follow it (either releasing it or untagging our IdP).

-- Scott

More information about the users mailing list