Subject: Re: [security-services] underspecified behavior for AuthenticationQuery ?
"Mishra, Prateek" wrote:
>
> my understanding is that the correct response is
> a), success, with an additional (optional)
> <statusMessage> indicating that no assertions
> could be returned. Any other error code indicates
> an *error*, which is not the case here.
>
> I could not find an explicit statement saying this in
> the core-27.

Yes, this is an ISSUE (even tho this thread doesn't have "ISSUE" in the Subject: field) with core-27. However, I did just notice where it is tangentially specified, see lines 979-981:

    NOTE: Inability to find assertions that meet <RespondWith> criteria
    should be treated identical to any other query for which no assertions
    are available. In both cases a status of success would normally be
    returned in the Response message, but no assertions to be found therein.

> My suggestion would be to add a
> section titled "Processing Rules for Queries" with
> the language:
>
>
> If the responder cannot find any assertions that satisfy the
> constraints expressed by a query, the <saml:Response> element
> MUST include a <saml:StatusCode> with value "Success". It MAY return
> a <saml:StatusMessage> with additional information.
>
> My suggestion would be to place this in section 3.4.4,
> with the current contents of 3.4.4 placed in a sub-section
> (3.4.4.1), as these are an additional elaboration of the
> query processing rules.

I think this is a good start, but there are additional aspects to address. One aspect relates to "assertions" and "statements". We need to specify the behavior in relation to both, since according to section 3.2.1.1 a responder may return "an assertion with (multiple) statement(s)".

My reading of section 3.2.1.1 has me believing that core-27 effectively specifies that a Responder can return only one assertion in response to a given request, because all the values of RespondWith specify return of "an assertion", and the specified default behavior if RespondWith is absent from the request is the behavior associated with a RespondWith value of #SingleStatement.

Given that, I'd suggest editing the above suggestion to read..

    If the responder cannot provide an assertion with any statement(s)
    satisfying the constraints expressed by a query, the <saml:Response>
    element MUST NOT contain an <assertion> element and MUST include a
    <saml:StatusCode> with value "Success". It MAY return a
    <saml:StatusMessage> with additional information.

The "...any statement(s)" is subtle-but-important, because my reading leads me to believe that in the case of an AttributeQuery request, a responder might return a subset of the attributes requested, and thus there might be ~some~ statements satisfying part of the request in the returned assertion.

JeffH
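An added example, not from this thread or from the SAML specification, showing the rule under discussion in Python: the responder side emits a Response with StatusCode "Success" and no Assertion when a query matches nothing, and the requester side classifies such a Response as a legitimate no-match rather than an error. It assumes the SAML 1.0 final namespace URIs and the QName form `samlp:Success` for StatusCode values, neither of which core-27 necessarily uses.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of SAML 1.0 final (assumption: the core-27 draft may differ).
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

def build_response(status, with_assertion=False, message=None):
    """Responder side (constructed sample, not schema-validated): a minimal
    <samlp:Response>. Under the proposed rule a query that matches nothing
    yields status="Success", no Assertion, and an optional StatusMessage.
    SAML 1.0 top-level codes are Success, VersionMismatch, Requester, Responder."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element("{%s}Response" % SAMLP, InResponseTo="_query-1")
    st = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(st, "{%s}StatusCode" % SAMLP, Value="samlp:" + status)
    if message is not None:
        ET.SubElement(st, "{%s}StatusMessage" % SAMLP).text = message
    if with_assertion:
        a = ET.SubElement(resp, "{%s}Assertion" % SAML, AssertionID="_a-1")
        ET.SubElement(a, "{%s}AuthenticationStatement" % SAML)
    return ET.tostring(resp, encoding="unicode")

def classify_response(xml_text):
    """Requester side: apply the thread's rule to a received Response.
    Success without an Assertion means 'no assertions available', not an
    error; any other StatusCode is an error regardless of the payload."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    code = root.find("./{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    if code is None or not code.get("Value"):
        raise ValueError("Response carries no StatusCode Value")
    status = code.get("Value").split(":")[-1]   # QName -> local part
    msg = root.find("./{%s}Status/{%s}StatusMessage" % (SAMLP, SAMLP))
    n_assertions = len(root.findall("./{%s}Assertion" % SAML))
    if status != "Success":
        outcome = "error"
    elif n_assertions == 0:
        outcome = "no-match"          # success, but nothing to return
    else:
        outcome = "match"
    return {"outcome": outcome, "status": status, "assertions": n_assertions,
            "message": msg.text if msg is not None else None}
```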