Chad La Joie wrote:
> The biggest thing was the havoc it caused with other SAML software. A mistake that we've made numerous times in Shibboleth is assuming that other implementors aren't taking shortcuts. In this case, we assumed that because an AttributeValue could, in theory, contain any type of complex data, implementations would either provide a way of handling such data or provide a good way for applications to get at the unaltered data.

This is in fact a symptom of a much larger common problem (which originated with LDAP), which is encoding type information into the value field instead of creating a new type or sub-type.

regards

David

> Neither proved to be true. Most SAML implementations can only really support strings and will totally ignore any type indicator; some (ADFS) will even error out in some cases if you send it more complex data.
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221   Fax: +44 1227 762 811   Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
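An added illustration of the interoperability point made in the thread (example code written for this page, not Shibboleth's or any other SAML implementation's): a string-only consumer of `<saml:AttributeValue>` silently drops the `xsi:type` indicator and loses any child element entirely, whereas a consumer that preserves the declared type and the unaltered XML lets the application decide. The sample Attribute is constructed and its attribute name and values are placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)  # keep the saml: prefix when re-serialising

# Constructed sample Attribute (not taken from any real assertion): a value with an
# explicit xsi:type, an untyped plain value, and a value carrying a child element.
SAMPLE_ATTRIBUTE = """<saml:Attribute Name="exampleAttribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
  <saml:AttributeValue>staff</saml:AttributeValue>
  <saml:AttributeValue>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
  </saml:AttributeValue>
</saml:Attribute>"""


def naive_values(xml_text):
    """The shortcut the thread describes: every AttributeValue is read as a
    string. xsi:type is ignored and child elements vanish (text becomes "")."""
    root = ET.fromstring(xml_text)
    return [(v.text or "").strip() for v in root.findall("saml:AttributeValue", NS)]


def typed_values(xml_text):
    """Keep the declared type and, for complex content, the unaltered XML so the
    application can decide how to interpret it instead of silently losing it."""
    root = ET.fromstring(xml_text)
    result = []
    for v in root.findall("saml:AttributeValue", NS):
        children = list(v)
        if children:
            raw = "".join(ET.tostring(c, encoding="unicode") for c in children).strip()
            result.append({"type": v.get(XSI_TYPE), "kind": "complex", "value": raw})
        else:
            result.append({"type": v.get(XSI_TYPE), "kind": "simple",
                           "value": (v.text or "").strip()})
    return result


def complex_value_count(xml_text):
    """Number of values a string-only consumer would drop or reject."""
    return sum(1 for v in typed_values(xml_text) if v["kind"] == "complex")


if __name__ == "__main__":
    print(naive_values(SAMPLE_ATTRIBUTE))
    for entry in typed_values(SAMPLE_ATTRIBUTE):
        print(entry)
```

Running it shows the naive reader returning an empty string for the third value, which is exactly the data loss a relying party would never notice without checking for child elements.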