OASIS Mailing List Archives

imi message



Subject: RE: [imi] RE: Proposed claim encoding profile for SAML 1.1 tokens


Anthony Nadalin wrote on 2009-08-28:
> I think there are a few problems, as it does not explicitly state that the
> "\" at the end is required.

Without having looked, I assumed it wasn't, so definitely needs clarifying.

> Also the language is too lax for
> interoperability, this seems to be caused by the desire to have some level
> of co-existence with the SAML 2.0 profile, which may not be the best thing
> to do

My general inclination is to agree that as it's expressed, it seems to
really be mandating what I consider to be suboptimal behavior, rather than
what would be desired behavior. It would be one thing to say you MUST do X
while you SHOULD support Y, where Y is the thing to stop doing. Otherwise it
seems like you probably just want to carve out a URN exception and leave
URLs as is.

Obviously that's not what I would do, but if you're insisting on
compatibility with code written against a non-existent profile, there's not
much else to be done.

With regard to the references, the document you really want on that is here:

http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200804.pdf

That would be a better reference than the NIH wiki topic I think you
included.

Something else unrelated that comes to mind is perhaps adding something
about use of xsi:type to align it to the SAML 2.0 language about not using
that other than with built-in XSD types. I doubt it will come up much, but
it wouldn't hurt to take care of that up front while you're writing
something up.

-- Scott



