Subject: Re: [saml-dev] SAML2 metadata for a SAML1 IdP


On 7/1/07, Scott Cantor <cantor.2@osu.edu> wrote:
>
> The definition of an IdP in core (ignoring the glossary) is anything that
> supports a SAML AuthnRequest. If something supports the moral equivalent,
> then I would say it's an IdP for the purposes of metadata usage.

There's the rub.  The IdPs I have in mind don't support SAML protocol
messages, they simply issue assertions.  The protocols and bindings
used to transmit the assertions to SPs are totally outside the SAML
specification.

> Nothing breaks based on whether something chooses to reuse an existing
> descriptor, as long as the rest of the rules are followed. Either the
> protocol or Binding strings should prevent anything from breaking existing
> software.

From that point of view, I guess I could get away with using
IDPSSODescriptor/SingleSignOnService, even though the words are a bit
of a conceptual stretch.

> Or you can take the conservative approach and just define a new
> role. The differences are just cosmetic.

Hey, if I can avoid defining a new role, why not?

Tom
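As an added illustration of the descriptor reuse discussed above (not code from the thread or from any SAML implementation): a small Python parser that picks SingleSignOnService endpoints out of SAML2 metadata by protocolSupportEnumeration and Binding, so a consumer that only asks for SAML2 strings never sees the assertion-only role at all. The entityIDs, the urn:example protocol and Binding URIs, and the metadata document are constructed for the example.

```python
# Added example: filtering IDPSSODescriptor endpoints by protocol/Binding strings.
# The entityIDs, the urn:example URIs and the metadata below are constructed.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Hypothetical URIs for an IdP that only issues assertions; the transport used
# to deliver them to SPs is outside the SAML specification.
CUSTOM_PROTOCOL = "urn:example:assertion-only:1.0"
CUSTOM_BINDING = "urn:example:bindings:assertion-push"

# Constructed metadata: one ordinary SAML2 IdP role and one reused
# IDPSSODescriptor that advertises only the custom protocol and Binding.
METADATA = f"""
<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp.example.org/saml2">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
      <md:SingleSignOnService Binding="{SAML2_REDIRECT}"
          Location="https://idp.example.org/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.org/assertions">
    <md:IDPSSODescriptor protocolSupportEnumeration="{CUSTOM_PROTOCOL}">
      <md:SingleSignOnService Binding="{CUSTOM_BINDING}"
          Location="https://legacy.example.org/push"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def sso_endpoints(metadata_xml, protocol, binding):
    """Return (entityID, Location) pairs for every IDPSSODescriptor that lists
    `protocol` in protocolSupportEnumeration and exposes `binding`."""
    root = ET.fromstring(metadata_xml)
    found = []
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for role in entity.findall(f"{{{MD_NS}}}IDPSSODescriptor"):
            # protocolSupportEnumeration is a space-separated list of URIs;
            # a role that does not name our protocol is skipped entirely.
            if protocol not in role.get("protocolSupportEnumeration", "").split():
                continue
            for ep in role.findall(f"{{{MD_NS}}}SingleSignOnService"):
                if ep.get("Binding") == binding:
                    found.append((entity.get("entityID"), ep.get("Location")))
    return found
```

A SAML2 consumer asking for the standard protocol and Binding gets only the first entity; the assertion-only role is visible solely to software that asks for the custom strings.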
