Subject: RE: [saml-dev] question on AttributeQuery processing
> That's ok. But 'give me A and only A' or 'give me A and I don't care what else
> allowed by IdP policies' are both filters.

Well, no. An LDAP filter or SQL where clause does not behave in the way you're asking about. So that wasn't considered.

> My question was what about why
> the first one was chosen. An AttributeQuery containing an Attribute X
> containing an AttributeValue Y doesn't ask 'does the subject possess
> attributes X with value Y', with the imposition in section 2.3.2.3 it
> asks 'does the subject possess attributes X with the Y value and only the
> Y value'.

I think you're mistaking the concept of asking for an assertion with asking whether a subject possesses a given attribute. They aren't the same at all. A query in SAML is asking the authority to assert something, not asking whether something is true independently of that.

The point of the filter is to optimize the IdP's work. If the relying party is interested in all the values the authority is willing to assert, it doesn't provide a filter.

-- Scott
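
Added example (not part of the original message and not taken from any SAML implementation): a sketch of the filter semantics discussed in this thread, showing that the query can only narrow what the authority's policy already permits it to assert. It assumes SAML 2.0 namespaces and plain string equality for values; the sample query, the attribute names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed query: any value of "mail", but only these two values of "affiliation".
SAMPLE_QUERY = """<samlp:AttributeQuery
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_q1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Attribute Name="mail"/>
  <saml:Attribute Name="affiliation">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>faculty</saml:AttributeValue>
  </saml:Attribute>
</samlp:AttributeQuery>"""


def parse_filter(query_xml):
    """Return {name: set_of_values or None}. None means "any value".

    An empty dict means the query carries no filter at all.
    A real responder would verify the request signature and use a
    hardened XML parser before reaching this point.
    """
    root = ET.fromstring(query_xml)
    wanted = {}
    for attr in root.findall("saml:Attribute", NS):
        values = {v.text or "" for v in attr.findall("saml:AttributeValue", NS)}
        wanted[attr.get("Name")] = values or None
    return wanted


def attributes_to_assert(releasable, wanted):
    """Apply the query filter to what policy already allows for this requester.

    releasable: {name: [values]} after the authority's release policy.
    The filter never adds a name or value that is not in `releasable`.
    """
    if not wanted:  # no filter: everything the authority is willing to assert
        return {name: list(values) for name, values in releasable.items()}
    result = {}
    for name, values in wanted.items():
        kept = [v for v in releasable.get(name, [])
                if values is None or v in values]
        if kept:  # an attribute with no surviving values is simply not asserted
            result[name] = kept
    return result
```

In the filtered response "member" is absent from "affiliation" because the query did not ask for it, not because the subject lacks it, which is the distinction between requesting an assertion and testing a fact.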