> I poked around for SAML 1.1 standards docs, and I didn't find anything that
> differentiated between "Person Attributes" and "Authentication Attributes"
> like the CAS model does.

That was my only concern. We've been loose with SAML to date, and I'd be concerned to further abuse the standard. If an attribute statement doesn't strictly define attributes about the principal described by the NameIdentifier in the Subject, then I have no concerns with the approach. Indeed it would likely simplify a number of use cases (including ours).

> Is this violating any design principles by
> attaching credential-derived attributes to the principal?

Not that I'm aware of.

M
