OASIS Mailing List Archives

saml-dev message

Subject: Re: [saml-dev] Attribute equality during AttributeQuery


Thanks for your help, there is only one thing now that I struggle with a little bit:
how do you determine which profile is being used?
In the Attribute Authority metadata it is possible to list the supported AttributeProfiles, however that's only a MAY in the spec (SAML profile 6.5).

I'm thinking that it is up to the Attribute Authority to say which Attribute Profile it supports, so let's assume that my Attribute Authority supports the Basic profile. Now if this AA receives an AttributeQuery with an Attribute that has no NameFormat defined, then per the Basic profile I should do the comparison only using the Name attribute, right?

(or is this the wrong way around and I should look at the received NameFormat, determine which profile it belongs to, and then use the comparison rules corresponding to that NameFormat when the AA wants to determine whether it can collect the requested Attributes for the AttributeQuery?)

If my AA supports more than one attribute profile for the sake of complexity, how should it determine which profile's attribute name comparison rules it should use?

In other words is there a way to tell from an attribute query which attribute profile should be used, or is this something the server should decide on its own?

Thanks,
Peter

On 2014.07.09. 15:32, Cantor, Scott wrote:
> On 7/9/14, 5:54 AM, "Peter Major" <peter.major@forgerock.com> wrote:
>
>> I feel that the NameFormat equality here is implicit as I assume you can
>> only use the comparison rules once it is established that these
>> attributes are using the same attribute NameFormat. Is that correct?
>
> Not exactly; it's implicit because the NameFormat is already fixed by
> those attribute profiles. If the NameFormat wasn't correct, you wouldn't
> be governed by any of those sections to start with.
>
>> The question is really:
>> if I have locally my Attribute Authority configured to deal with
>> Attribute queries against given NameFormat and Attribute name, then what
>> should happen if I receive an AttributeQuery requesting the correct
>> name, but without the NameFormat defined?
>
> You shouldn't treat it as equivalent, strictly speaking.
>
>> So I suppose if the configuration explicitly referred to the unspecified
>> attrname-format then the two attributes should be considered equal,
>> otherwise it should be handled as an "unrecognized" attribute, right?
>
> That's defensible, yes.
>
> The fact is that there is no use case for using any of the unspecified
> constants. They're an interop copout and should have been left out of the
> standard. Another argument I lost.
>
> -- Scott
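
An added example, not part of the thread or of any product's code: one way an Attribute Authority could implement the reading discussed in the quoted exchange above, where a requested Attribute with no NameFormat is treated as attrname-format:unspecified and is recognized only if the configuration explicitly lists that format. The configuration table, source labels, function names and sample query are all constructed for illustration, and exact string equality on Name is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
UNSPECIFIED, BASIC, URI = FMT + "unspecified", FMT + "basic", FMT + "uri"

# Hypothetical AA configuration: each releasable attribute is keyed by the
# exact (NameFormat, Name) pair it was configured with.
AA_CONFIG = {
    (BASIC, "mail"): "directory:mail",
    (URI, "urn:oid:2.5.4.42"): "directory:givenName",
    (UNSPECIFIED, "legacyRole"): "directory:role",
}

def requested_attributes(query_xml):
    """Yield (NameFormat, Name) for each <saml:Attribute> directly in the query."""
    root = ET.fromstring(query_xml)
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        # SAML core: an absent NameFormat means attrname-format:unspecified.
        yield attr.get("NameFormat", UNSPECIFIED), attr.get("Name")

def classify(query_xml, config=AA_CONFIG):
    """Split requested attributes into recognized sources and unrecognized pairs."""
    recognized, unrecognized = {}, []
    for key in requested_attributes(query_xml):
        # Exact match on the pair: a bare Name never falls through to an
        # entry that was configured under a different NameFormat.
        if key in config:
            recognized[key] = config[key]
        else:
            unrecognized.append(key)
    return recognized, unrecognized

# Constructed sample query (not from the thread). A real AA would authenticate
# the requester and verify any signature before reaching this step.
SAMPLE_QUERY = f"""<samlp:AttributeQuery
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML_NS}"
    ID="_constructed1" Version="2.0" IssueInstant="2014-07-09T15:32:00Z">
  <saml:Subject><saml:NameID>constructed-user</saml:NameID></saml:Subject>
  <saml:Attribute Name="mail" NameFormat="{BASIC}"/>
  <saml:Attribute Name="mail"/>
  <saml:Attribute Name="legacyRole"/>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{BASIC}"/>
</samlp:AttributeQuery>"""

if __name__ == "__main__":
    ok, unknown = classify(SAMPLE_QUERY)
    print("recognized:", ok)
    print("unrecognized:", unknown)
```

In the sample, the bare `mail` request does not match the entry configured under the basic format, while the bare `legacyRole` request matches because its entry was configured under the unspecified format.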