Subject: RE: [saml-dev] question on AttributeQuery processing
On Wed, 2007-04-18 at 17:44 -0400, Scott Cantor wrote:
> > That's ok. But 'give me A and only A' or 'give me A and I don't care what
> > else allowed by IdP policies' are both filters.
>
> Well, no. An LDAP filter or SQL where clause does not behave in the way
> you're asking about. So that wasn't considered.

LDAP filter and SQL where clause are what an IdP can use to resolve attributes for a subject. They are implementation details; should they drive the application interface?

Do you consider this use pattern uncommon?

Client asks IdP to return the requested attributes for a subject (and provides a value because he wants to be sure the value is in):

  <Attribute Name="Department">
    <AttributeValue xsi:type="xs:string">aDepartment</AttributeValue>
  </Attribute>

IdP returns the requested attributes (with the requested value and another value):

  <Attribute Name="Department">
    <AttributeValue xsi:type="xs:string">aDepartment</AttributeValue>
    <AttributeValue xsi:type="xs:string">anotherDepartment</AttributeValue>
  </Attribute>

If the use pattern is worth considering, how could I redesign the query to encompass the behaviour, that is, the IdP is willing to return the requested attribute with the requested value but doesn't want to hide another value? If it's not worth considering, I'll stop bothering.

> > My question was what about why
> > the first one was chosen. An AttributeQuery containing an Attribute X
> > containing an AttributeValue Y doesn't ask 'does the subject possess
> > attributes X with value Y'; with the imposition in section 2.3.2.3 it
> > asks 'does the subject possess attributes X with the Y value and only the
> > Y value'.
>
> I think you're mistaking the concept of asking for an assertion with asking
> whether a subject possesses a given attribute. They aren't the same at all.
> A query in SAML is asking the authority to assert something, not asking
> whether something is true independently of that.
Right, I expressed it incorrectly. According to the spec, line 1851, the meaning of AttributeQuery is 'return the requested attributes for this subject'. But it doesn't change much. The filter imposes on an IdP 'return the requested attribute for this subject with this value and only this value'.

Valerio
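As an added illustration (not code from the thread or from any SAML implementation), the following Python models the two value semantics argued over above against a constructed subject record: the wrapper element, namespace map, store contents and the "omit when nothing matches" rule are assumptions; only the Attribute/AttributeValue structure follows the messages.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed query (only the Attribute/AttributeValue structure follows the
# thread): "Department" with a value, "mail" with none ("give me all values").
QUERY_XML = """<Attributes xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <Attribute Name="Department">
    <AttributeValue xsi:type="xs:string">aDepartment</AttributeValue>
  </Attribute>
  <Attribute Name="mail"/>
</Attributes>"""

# Constructed IdP view of the subject; Department is multi-valued.
IDP_STORE = {
    "Department": ["aDepartment", "anotherDepartment"],
    "mail": ["valerio@example.org"],
    "role": ["admin"],  # never requested, so it must never be returned
}

def parse_requested(xml_text):
    """Return {name: [requested values]} from the query's Attribute elements."""
    requested = {}
    for attr in ET.fromstring(xml_text).findall("saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        requested[attr.get("Name")] = values
    return requested

def resolve(requested, store, only_requested_values=True):
    """Build the response attributes for one subject.
    only_requested_values=True : a supplied value is a filter, so only that
      value comes back (the reading of section 2.3.2.3 given in the thread).
    only_requested_values=False: Valerio's alternative; the supplied value
      must be present, and every other value the IdP holds is returned too.
    Assumption: an attribute with nothing to return is simply omitted."""
    response = {}
    for name, wanted in requested.items():
        held = store.get(name, [])
        if not wanted:  # no value given: return everything the IdP holds
            matched = list(held)
        elif only_requested_values:
            matched = [v for v in held if v in wanted]
        else:
            matched = list(held) if all(v in held for v in wanted) else []
        if matched:
            response[name] = matched
    return response
```

Running `resolve(parse_requested(QUERY_XML), IDP_STORE)` with each setting shows the only difference the thread is about: whether "anotherDepartment" is returned alongside the requested value.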