Subject: Re: [saml-dev] SAML 1.1 Multiple Attribute Statement


Thanks all for the input.

I see a couple of scenarios where you could use more than one
AttributeStatement, but nothing concretely says you should.

I am also hearing that for interoperability it is better to avoid multiple
AttributeStatements. I would appreciate it if you could provide more
information on how off-the-shelf federation products/Shibboleth handle
multiple AttributeStatements.

Let’s take the scenario in this email: if I have to mention the source
from which the attributes were read in the AttributeStatement, what
would be the best place to specify that (qualifier?), so that the
SP implementation can be designed accordingly?

Or, if I want to provide UserProfile attributes in one
AttributeStatement, UserRole in another and User Organization in
another AttributeStatement, is it possible to tell the SP by any type
of qualifier that this AttributeStatement contains UserRole, etc.?

Tom, I see the “SubjectStatementAbstractType” under AttributeStatement
has been taken out in SAML v2.0, which avoids my multiple-Subject
confusion.


On Tue, Mar 3, 2009 at 9:59 AM,  <robert.philpott@rsa.com> wrote:
> I have seen situations where an attribute authority may obtain attributes from multiple attribute "repositories", e.g. some from a SQL DB, some from an LDAP repository, and others from dynamic containers such as session cookies.  They are all for the same subject. Yes they could be aggregated into a single attribute statement, but it might be easier for the implementation if it lets the "container-specific" attribute processors build their individual statements for the subject. IMO, implementations should correctly handle multiple attribute statements (assuming the same subject).
>
> Semantics for assertions that have multiple statements with different subjects are undefined by SAML.
>
> Rob Philpott
> RSA, the Security Division of EMC
> Senior Technologist | e-Mail: robert.philpott@rsa.com | Office: (781) 515-7115 | Mobile: (617) 510-0893
>
>
>> -----Original Message-----
>> From: Tom Scavo [mailto:trscavo@gmail.com]
>> Sent: Tuesday, March 03, 2009 9:49 AM
>> To: Naveen
>> Cc: saml-dev@lists.oasis-open.org
>> Subject: Re: [saml-dev] SAML 1.1 Multiple Attribute Statement
>>
>> On Tue, Mar 3, 2009 at 8:31 AM, Naveen <webnaveen@gmail.com> wrote:
>> >
>> > When should I use multiple AttributeStatements in SAML 1.1?
>>
>> Barring limitations with the implementation, this is rarely done.
>>
>> > One of our customer requirements is to send each Attribute in an
>> > individual AttributeStatement and with the same Subject.
>>
>> Why?
>>
>> > I believe if
>> > the Subject is different then it needs to be in its own
>> > AttributeStatement.
>>
>> Multiple Subjects in a single SAML V1.1 assertion should be
>> identical. This is the gist of the Subject-based Profiles for SAML
>> V1.1 Assertions:
>>
>> http://wiki.oasis-open.org/security/SamlSubjectProfiles
>>
>> The reason is that there is only one Subject in a SAML V2.0 assertion,
>> which indicates the way it was meant to be in SAML V1.1.
>>
>> > In what scenario should I use multiple AttributeStatements?
>>
>> Avoid multiple <AttributeStatement> elements if possible, for the sake
>> of interoperability.
>>
>> Tom
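As an added example, not part of this thread or of any product mentioned in it: a small Python check of the point Tom and Rob make above, that a consumer of a SAML 1.1 assertion carrying several <AttributeStatement> elements may merge them only when every statement's Subject is identical. The assertion text, the attribute names and the "urn:example:..." attribute namespaces are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 keeps the 1.0 assertion namespace
NS = {"saml": SAML1_NS}

def subject_key(subject):
    """Identity of a Subject: NameIdentifier text plus its Format and NameQualifier."""
    nid = subject.find("saml:NameIdentifier", NS)
    if nid is None:
        return None
    return (nid.get("Format"), nid.get("NameQualifier"), (nid.text or "").strip())

def merge_attribute_statements(assertion_xml):
    """Return (statement_count, merged_attributes); raise if the Subjects differ."""
    root = ET.fromstring(assertion_xml)
    statements = root.findall("saml:AttributeStatement", NS)
    subjects, merged = set(), {}
    for st in statements:
        subj = st.find("saml:Subject", NS)
        if subj is None:
            raise ValueError("AttributeStatement without a Subject")
        subjects.add(subject_key(subj))
        for attr in st.findall("saml:Attribute", NS):
            key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            merged.setdefault(key, []).extend(values)
    if len(subjects) > 1:
        # SAML leaves this case undefined, so refuse rather than guess which subject wins.
        raise ValueError("assertion mixes Subjects: %r" % sorted(subjects, key=str))
    return len(statements), merged

def subjects_consistent(assertion_xml):
    try:
        merge_attribute_statements(assertion_xml)
        return True
    except ValueError:
        return False

# Constructed sample: two AttributeStatements for the same Subject, each from a different "source".
NAMEID = '<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">naveen@example.org</saml:NameIdentifier>'
SAME_SUBJECT = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="_constructed" Issuer="https://idp.example.org" IssueInstant="2009-03-03T14:00:00Z">
  <saml:AttributeStatement><saml:Subject>{NAMEID}</saml:Subject>
    <saml:Attribute AttributeName="displayName" AttributeNamespace="urn:example:profile">
      <saml:AttributeValue>Naveen</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  <saml:AttributeStatement><saml:Subject>{NAMEID}</saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:roles">
      <saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
# Same document with one statement's Subject changed: must be rejected, not silently merged.
MIXED_SUBJECT = SAME_SUBJECT.replace("naveen@example.org", "other@example.org", 1)
```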

