edugain-discuss - Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain


  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain
  • Date: Fri, 15 May 2020 18:59:27 +0200
  • Organization: ACOnet

* Peter Schober <peter.schober AT univie.ac.at> [2020-05-15 17:30]:
> That doesn't mean that wide-scale real-world usage of WS-* on top of
> SAML-centric federations will just work, though. E.g. there are good
> reasons to filter out stuff that MS-ADFS expects to find in SAML 2.0
> Metadata for non-SAML use and I know of a few federations (mine
> included) that started doing just that in order to protect their SAML
> protocol-using members from potential breakage.
> (I can provide pointers if you're interested in that particular
> tangent, even though this is not related to eduGAIN policy.)

To close off that loop, too:
https://lists.geant.org/sympa/arc/edugain-discuss/2014-11/msg00031.html

Find the explanation for all of that below, in the words of a much
wiser man I cannot attribute this to due to REFEDS FOG rules:

> The reason for this rather harsh treatment is that RoleDescriptor is
> one of the very few places in the SAML schema which doesn't allow
> for lax validation. That means that if you republish this construct
> to your customers, if ANY of them schema-validate, that validation
> will fail unless they have the specific schema available. Put
> another way, anyone who is already validating and doesn't have the
> schema will find that their validation will fail if any of these
> appear in the aggregate.

Cheers,
-peter
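The quoted explanation above is about md:RoleDescriptor elements (the construct MS-ADFS emits for WS-Federation, typed via xsi:type against the WS-Federation schema) being stripped from a federation's SAML metadata aggregate before republication, because a consumer that schema-validates without that extra schema will reject the whole aggregate. The following script is an added example, not code from the eduGAIN list or from the poster, showing what such a filter does. It works on a constructed sample aggregate with made-up entityIDs, uses only the Python standard library, and adds the caveat a metadata operator wants: an EntityDescriptor that had nothing but RoleDescriptor elements becomes schema-invalid once they are removed (the schema requires at least one SAML role or an AffiliationDescriptor), so the filter drops such entities entirely rather than leaving an empty shell.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
FED_NS = "http://docs.oasis-open.org/wsfed/federation/200706"
NS = {"md": MD_NS}

# Keep the customary prefixes on output so the filtered aggregate reads as usual.
ET.register_namespace("md", MD_NS)
ET.register_namespace("xsi", XSI_NS)
ET.register_namespace("fed", FED_NS)

# Elements the SAML metadata schema accepts as the mandatory role/affiliation
# content of an EntityDescriptor. RoleDescriptor is deliberately not in the set.
SAML_ROLE_TAGS = {
    f"{{{MD_NS}}}{name}"
    for name in (
        "IDPSSODescriptor", "SPSSODescriptor", "AuthnAuthorityDescriptor",
        "AttributeAuthorityDescriptor", "PDPDescriptor", "AffiliationDescriptor",
    )
}

# Constructed sample aggregate (entityIDs and endpoints are invented for this example):
# entity 1 is an ADFS-style IdP carrying both a WS-Federation RoleDescriptor and a
# SAML 2.0 IDPSSODescriptor; entity 2 carries a RoleDescriptor and nothing else.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    Name="https://example.org/constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.org/adfs/services/trust">
    <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
        protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
      <fed:TokenTypesOffered>
        <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
      </fed:TokenTypesOffered>
    </md:RoleDescriptor>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/adfs/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://rp.example.org/wsfed-only">
    <md:RoleDescriptor xsi:type="fed:ApplicationServiceType"
        protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def strip_role_descriptors(aggregate_xml):
    """Remove every md:RoleDescriptor and drop entities left without a SAML role.

    Returns (filtered_xml, removed_role_count, dropped_entity_ids).
    """
    root = ET.fromstring(aggregate_xml)
    # ElementTree has no parent pointers, so record them before mutating the tree.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    removed = 0
    dropped = []
    for entity in list(root.iter(f"{{{MD_NS}}}EntityDescriptor")):
        for role in entity.findall("md:RoleDescriptor", NS):
            entity.remove(role)
            removed += 1
        if not any(child.tag in SAML_ROLE_TAGS for child in entity):
            # No SAML role remains: the EntityDescriptor itself would now fail
            # schema validation, so remove the entity rather than republish it.
            parent_of[entity].remove(entity)
            dropped.append(entity.get("entityID"))
    return ET.tostring(root, encoding="unicode"), removed, dropped


def remaining_entity_ids(aggregate_xml):
    """List entityIDs present in an aggregate, in document order."""
    root = ET.fromstring(aggregate_xml)
    return [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]


if __name__ == "__main__":
    filtered, removed, dropped = strip_role_descriptors(SAMPLE_AGGREGATE)
    print(f"removed {removed} RoleDescriptor element(s); dropped entities: {dropped}")
    print(filtered)
```

On the sample, the IdP keeps its IDPSSODescriptor and loses only the WS-Federation role, while the second entity disappears from the aggregate altogether. A real aggregator (pyFF, the Shibboleth MDA or similar) expresses the same rule as a pipeline step; the point of the standalone version is to make the two effects, stripped element versus dropped entity, visible side by side.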
