IdP implementation roadmap
Nate Klingenstein
ndk at signet.id
Tue Apr 16 12:15:51 EDT 2019
> Step 2: Stop arguing with me that you need to do it, you're 99.9% likely to be wrong.
I don't think I was arguing and I apologize if it came across that way. There simply exists that 0.1%. I count 106 unspecifieds in InCommon's metadata, for example. There are 1247 in metadata on SAMLtest.
> Step 3: If you're in the 0.1%, then you set the nameIDFormatPrecedence property as documented in the wiki topic under "this is the only way to get unspecified to work".
Is it the only way? Sorry for forgetting this. I'm not suggesting it's a good idea, but wouldn't it be possible to change in conf/authn/authn-comparison.xml:
<!-- List of context classes or declarations to ignore if an SP requests them. -->
<util:list id="shibboleth.IgnoredContexts">
    <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
</util:list>
I'm not defending the value of unspecified. The filter remains enabled on SAMLtest. I see a -lot- of requests for it come through, and a corresponding lot of assertions with it replaced with a transientId, and I worry about tester confusion since most other implementations, as you stated, genuinely don't care.
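The thread above counts SPs that advertise the "unspecified" NameID format in a metadata aggregate, and the configuration snippet refers to the "unspecified" authentication context class. Those are two distinct identifiers living in two distinct places: NameID formats are advertised in SP metadata (NameIDFormat) and requested in an AuthnRequest's NameIDPolicy, while authentication context classes are requested in RequestedAuthnContext. The script below is an added example, not code from the poster or from the Shibboleth project; the metadata aggregate and AuthnRequest it parses are constructed, and the counting method is an assumption rather than the one used for the figures quoted in the message. It reports which SPs in an aggregate advertise the unspecified NameID format (IdP descriptors are deliberately excluded) and shows, for one AuthnRequest, which of the two "unspecified" values is actually being asked for.

```python
"""Inspect SAML metadata and AuthnRequests for the two different
'unspecified' identifiers. Added example for the thread; the sample
documents are constructed and the method is an assumption."""
import xml.etree.ElementTree as ET
from collections import Counter

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# NameID format (metadata NameIDFormat / AuthnRequest NameIDPolicy).
UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Authentication context class (AuthnRequest RequestedAuthnContext);
# a different identifier than the NameID format above.
UNSPECIFIED_AUTHN_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed metadata aggregate: three SPs and one IdP.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
      <NameIDFormat>{UNSPECIFIED_NAMEID}</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp3.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
      <NameIDFormat>{UNSPECIFIED_NAMEID}</NameIDFormat>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
      <NameIDFormat>{UNSPECIFIED_NAMEID}</NameIDFormat>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Constructed AuthnRequest asking for both 'unspecified' values at once.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    xmlns:saml="{SAML_NS}" ID="_constructed1" Version="2.0"
    IssueInstant="2019-04-16T16:15:51Z">
  <saml:Issuer>https://sp2.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy Format="{UNSPECIFIED_NAMEID}" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{UNSPECIFIED_AUTHN_CTX}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
"""


def nameid_format_report(metadata_xml):
    """Return (entityIDs of SPs advertising the unspecified NameID format,
    Counter of every NameIDFormat advertised by an SPSSODescriptor).
    Nested EntitiesDescriptor elements are handled by root.iter()."""
    root = ET.fromstring(metadata_xml)
    ns = {"md": MD_NS}
    unspecified_sps = []
    formats = Counter()
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        # Only SP roles count; an IdP advertising the format is not a requester.
        for sp in ed.findall("md:SPSSODescriptor", ns):
            fmts = [(f.text or "").strip() for f in sp.findall("md:NameIDFormat", ns)]
            formats.update(fmts)
            if UNSPECIFIED_NAMEID in fmts:
                unspecified_sps.append(entity_id)
    return unspecified_sps, formats


def authn_request_requested_identifiers(request_xml):
    """Return (NameIDPolicy Format or None, list of AuthnContextClassRef values)
    so the two 'unspecified' identifiers can be told apart per request."""
    root = ET.fromstring(request_xml)
    ns = {"samlp": SAMLP_NS, "saml": SAML_NS}
    policy = root.find("samlp:NameIDPolicy", ns)
    fmt = policy.get("Format") if policy is not None else None
    refs = [(r.text or "").strip() for r in
            root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", ns)]
    return fmt, refs


if __name__ == "__main__":
    sps, fmts = nameid_format_report(SAMPLE_METADATA)
    print("SPs advertising unspecified NameID format:", sps)
    print("All SP NameIDFormats:", dict(fmts))
    fmt, refs = authn_request_requested_identifiers(SAMPLE_AUTHN_REQUEST)
    print("Requested NameID format:", fmt)
    print("Requested authn context classes:", refs)
```

Run against a real aggregate by replacing SAMPLE_METADATA with the file contents; the report only looks at SPSSODescriptor elements, so an IdP that lists the unspecified format does not inflate the count.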