This is not essential work, but in porting profile configurations to the SP, I noted that a number of assertion-specific settings are up on the SAML/SAML2ProfileConfiguration base interfaces rather than factored out into an interface specific to the profiles that actually consume or produce assertions.
It just leads to oddities like the logout profile configurations having unused settings, and I wouldn’t do it this way now, but it may not be worth the effort to fix.
Documentation is "mostly" updated to reflect the relocated and removed settings. One outlier is that I deprecated the old additionalAudiencesForAssertion setting and aligned it with the property name for metadata tagging I had used, which was assertionAudiences. I prefer additionalAudiences, but I already had that tag name reserved, so it's better to leave it.
Scott Cantor
February 16, 2023 at 7:54 PM
I’m addressing this as part of refactoring things since I’m moving things around anyway.
So far, I’ve eliminated the IdP-specific SAML 2 profile interface, and demoted various settings to SSO only or (for encryption) to a new SAML2AssertionProducing interface. There will also be a SAML2AssertionConsuming interface shared with the SP, and some settings may get moved there.
So far the main impact is about 3-4 settings disappearing from the top level, and I can’t really see why anybody’s config would have them there since they don’t make sense to begin with.