
saml-dev message



Subject: RE: [saml-dev] question on AttributeQuery processing


> That's ok. But 'give me A and only A' or 'give me A and I don't care what
> else allowed by IdP policies' are both filters.

Well, no. An LDAP filter or SQL where clause does not behave in the way
you're asking about. So that wasn't considered.

> My question was about why
> the first one was chosen. An AttributeQuery containing an Attribute X
> containing an AttributeValue Y doesn't ask 'does the subject possess
> attributes X with value Y', with the imposition in section 2.3.2.3 it
> asks 'does the subject possess attributes X with the Y value and only the
> Y value'.

I think you're mistaking the concept of asking for an assertion with asking
whether a subject possesses a given attribute. They aren't the same at all.
A query in SAML is asking the authority to assert something, not asking
whether something is true independently of that.

The point of the filter is to optimize the IdP's work. If the relying party
is interested in all the values the authority is willing to assert, it
doesn't provide a filter.

-- Scott
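
The filter behaviour discussed in this thread, as an added example that is not part of the original message or of any SAML implementation: an authority narrows what its policy already releases to the attributes and values named in the query, and asserts everything releasable when the query names none. The function names, the sample query and the use of plain string equality for value matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample query: "role" restricted to the value "admin",
# "mail" requested with no value restriction.
SAMPLE_QUERY = """\
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_constructed1" Version="2.0"
                      IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Attribute Name="role">
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail"/>
</samlp:AttributeQuery>
"""


def parse_filter(query_xml):
    """Return {attribute name: set of requested values}; empty set = any value."""
    root = ET.fromstring(query_xml)
    wanted = {}
    for attr in root.findall("saml:Attribute", NS):
        values = {(v.text or "") for v in attr.findall("saml:AttributeValue", NS)}
        wanted[attr.get("Name")] = values
    return wanted


def values_to_assert(releasable, wanted):
    """Apply the query filter to what IdP policy already releases.

    The filter only narrows the result; it never adds an attribute or value
    that policy would not release to this requester.
    """
    if not wanted:                       # no filter: everything policy allows
        return {name: list(vals) for name, vals in releasable.items()}
    result = {}
    for name, requested in wanted.items():
        held = releasable.get(name, [])
        # Assumption: values compared as plain strings.
        kept = [v for v in held if not requested or v in requested]
        if kept:                         # nothing to assert: omit the attribute
            result[name] = kept
    return result
```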



