Subject: Comment on metadata-02e...
In the update for SPSSODescriptor, the <AttributeConsumingService> states:
“At most one <AttributeConsumingService> element can have the attribute isDefault set to
true. When multiple elements are specified and none has the attribute isDefault set to true, then the
first element whose isDefault attribute is not set to false is to be used as the default. If all elements
have their isDefault attribute set to false, then the first element is considered the default.”
I think I disagree with the last sentence. I think that if no element is marked as the default, there should be NO default. Since the indices are used in an AuthnRequest so that an SP can request one collection of attributes per transaction, I don’t see a way for me to request that NO attributes be sent in the response assertion. If I don’t provide an index in my AuthnRequest, isn’t it always going to send either the first set (if all “isDefault” values are false), or the first one it finds with isDefault set to true?
I need a way to say that some applications might not need attributes at all, so don’t bother sending them, while others do need them.
Am I missing something?
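
Added example (not part of the original message or of the specification text): the default-selection rule quoted above, implemented in Python over constructed, simplified SPSSODescriptor fragments. The function names `default_acs_index` and `sp` are hypothetical, and the sample elements omit the child elements that real metadata carries.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

def _xs_bool(value):
    """Map an xs:boolean lexical value to True/False; None when the attribute is absent."""
    if value is None:
        return None
    value = value.strip()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {value!r}")

def default_acs_index(sp_descriptor_xml):
    """Index of the default AttributeConsumingService per the quoted rule, or None if there are none."""
    root = ET.fromstring(sp_descriptor_xml)  # constructed input only in this example
    services = root.findall(f"{{{MD}}}AttributeConsumingService")
    flags = [_xs_bool(s.get("isDefault")) for s in services]
    explicit = [s for s, f in zip(services, flags) if f is True]
    if len(explicit) > 1:
        raise ValueError("more than one AttributeConsumingService has isDefault=true")
    if explicit:                      # the single element marked isDefault="true"
        chosen = explicit[0]
    elif None in flags:               # first element whose isDefault is not set to false
        chosen = services[flags.index(None)]
    elif services:                    # all are false: the first element is the default
        chosen = services[0]
    else:                             # no AttributeConsumingService elements at all
        return None
    return int(chosen.get("index"))

def sp(*services):
    """Build constructed sample metadata; each item is (index, isDefault value or None)."""
    body = "".join(
        f'<md:AttributeConsumingService index="{i}"'
        + (f' isDefault="{d}"' if d is not None else "")
        + "/>" for i, d in services)
    return f'<md:SPSSODescriptor xmlns:md="{MD}">{body}</md:SPSSODescriptor>'

if __name__ == "__main__":
    print(default_acs_index(sp((1, "false"), (2, "false"))))
```

With the rule as quoted, the function returns `None` only when the descriptor contains no `<AttributeConsumingService>` element at all.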