OASIS Mailing List Archives

saml-dev message

Subject: RE: [saml-dev] SAML 1.1 Multiple Attribute Statement


I have seen situations where an attribute authority may obtain attributes from multiple attribute "repositories", e.g. some from a SQL DB, some from an LDAP repository, and others from dynamic containers such as session cookies.  They are all for the same subject. Yes they could be aggregated into a single attribute statement, but it might be easier for the implementation if it lets the "container-specific" attribute processors build their individual statements for the subject. IMO, implementations should correctly handle multiple attribute statements (assuming the same subject).

Semantics for assertions that have multiple statements with different subjects are undefined by SAML.

Rob Philpott 
RSA, the Security Division of EMC
Senior Technologist | e-Mail: robert.philpott@rsa.com | Office: (781) 515-7115 | Mobile: (617) 510-0893


> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Tuesday, March 03, 2009 9:49 AM
> To: Naveen
> Cc: saml-dev@lists.oasis-open.org
> Subject: Re: [saml-dev] SAML 1.1 Multiple Attribute Statement
> 
> On Tue, Mar 3, 2009 at 8:31 AM, Naveen <webnaveen@gmail.com> wrote:
> >
> > When should I use multiple AttributeStatement in SAML 1.1?
> 
> Barring limitations with the implementation, this is rarely done.
> 
> > One of our customer requirements is to send each Attribute in an
> > individual AttributeStatement and with the same Subject.
> 
> Why?
> 
> > I believe if
> > the Subject is different then it needs to be in its own
> > AttributeStatement.
> 
> Multiple Subjects in a single SAML V1.1 assertion should be
> identical.  This is the gist of the Subject-based Profiles for SAML
> V1.1 Assertions:
> 
> http://wiki.oasis-open.org/security/SamlSubjectProfiles
> 
> The reason is that there is only one Subject in a SAML V2.0 assertion,
> which indicates the way it was meant to be in SAML V1.1.
> 
> > In what scenario I should use multiple AttributeStatement?
> 
> Avoid multiple <AttributeStatement> elements if possible, for the sake
> of interoperability.
> 
> Tom
> 
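The thread makes two points a relying party has to implement: accept several <AttributeStatement> elements in one SAML 1.1 assertion and merge their attributes, but treat differing Subjects across statements as an error rather than guessing. The following is an added example, not code from either poster or from any SAML toolkit: it parses a constructed assertion with three statements (imagined as coming from LDAP, SQL and a session store), checks that every statement's NameIdentifier matches, and aggregates the attributes by (AttributeNamespace, AttributeName). The comparison key (Format, NameQualifier, value) is my assumption of what "identical Subject" means; the sample attribute names and issuer are constructed. Signature verification is deliberately out of scope and is assumed to have succeeded before this runs; xml.etree is also not a hardened parser, so real code should parse with a defused/entity-restricted parser.

```python
"""Consume a SAML 1.1 assertion carrying several <AttributeStatement>s for one subject.

Added example for the saml-dev thread above; assumes the assertion's signature
has already been verified and that the XML came from a hardened parser.
"""
import xml.etree.ElementTree as ET

# SAML 1.1 assertions still use the 1.0 assertion namespace (MinorVersion=1).
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: three statements built by different attribute sources,
# all for the same subject. Attribute names and issuer are made up.
ASSERTION_SAME_SUBJECT = f"""
<Assertion xmlns="{SAML1}" MajorVersion="1" MinorVersion="1" AssertionID="_a1"
           Issuer="https://idp.example.org" IssueInstant="2009-03-03T14:49:00Z">
  <AttributeStatement>
    <Subject><NameIdentifier Format="{EMAIL_FMT}">alice@example.org</NameIdentifier></Subject>
    <Attribute AttributeName="mail" AttributeNamespace="urn:mace:dir:attribute-def">
      <AttributeValue>alice@example.org</AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AttributeStatement>
    <Subject><NameIdentifier Format="{EMAIL_FMT}">alice@example.org</NameIdentifier></Subject>
    <Attribute AttributeName="eduPersonAffiliation" AttributeNamespace="urn:mace:dir:attribute-def">
      <AttributeValue>member</AttributeValue>
      <AttributeValue>staff</AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AttributeStatement>
    <Subject><NameIdentifier Format="{EMAIL_FMT}">alice@example.org</NameIdentifier></Subject>
    <Attribute AttributeName="authnMethod" AttributeNamespace="urn:example:session">
      <AttributeValue>password</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

# Constructed negative case: second statement names a different subject.
ASSERTION_MIXED_SUBJECTS = ASSERTION_SAME_SUBJECT.replace(
    ">alice@example.org</NameIdentifier></Subject>\n    <Attribute AttributeName=\"eduPerson",
    ">bob@example.org</NameIdentifier></Subject>\n    <Attribute AttributeName=\"eduPerson",
)


class SubjectMismatch(ValueError):
    """Raised when statements in one assertion name different subjects."""


def subject_key(subject_el):
    """Reduce a <Subject> to a comparable key (assumed definition of 'identical')."""
    if subject_el is None:
        raise ValueError("AttributeStatement without Subject")
    nid = subject_el.find("saml:NameIdentifier", NS)
    if nid is None:
        raise ValueError("Subject without NameIdentifier")
    return (nid.get("Format"), nid.get("NameQualifier"), (nid.text or "").strip())


def collect_attributes(assertion_xml):
    """Return (subject_key, {(namespace, name): [values]}) across all statements."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML1}}}Assertion" or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    statements = root.findall("saml:AttributeStatement", NS)
    if not statements:
        raise ValueError("assertion carries no AttributeStatement")

    subject = None
    attrs = {}
    for st in statements:
        key = subject_key(st.find("saml:Subject", NS))
        if subject is None:
            subject = key
        elif key != subject:
            # Semantics are undefined by SAML 1.1; refuse rather than merge.
            raise SubjectMismatch(f"statement subject {key} != {subject}")
        for attr in st.findall("saml:Attribute", NS):
            name = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            # Same attribute split across statements is merged, not overwritten.
            attrs.setdefault(name, []).extend(values)
    return subject, attrs


if __name__ == "__main__":
    subj, merged = collect_attributes(ASSERTION_SAME_SUBJECT)
    print(subj)
    for (ns, name), vals in sorted(merged.items()):
        print(f"{ns} / {name}: {vals}")
    try:
        collect_attributes(ASSERTION_MIXED_SUBJECTS)
    except SubjectMismatch as exc:
        print("rejected:", exc)
```

Merging with setdefault/extend rather than assignment matters when the same attribute appears in more than one statement; a consumer that keeps only the last statement's copy silently drops values. The mismatch path is the failure mode Rob describes as undefined, handled by refusing the assertion.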
