Subject: AttributeDesignator vs Attribute
Maybe this is coming too late, but it occurs to me that there are use cases where a requester (or metadata, or some other vehicle) might want to communicate not only a set of SAML Attribute names but also include values as input to the SAML responder or a profile, or whatever.

I can see this obviously slides close to a number of slopes, such as expressing access policy, doing complex attribute queries, etc., but I'm wondering if we don't gain some measure of actual simplification by eliminating AttributeDesignator and just using Attribute consistently as a means of identifying attributes or optionally their values. I don't see that much room for confusion in this except in terms of defining matching rules, but that's likely to be an attribute-specific sort of thing anyway, and not anything to be addressed by SAML.

An example use case for this is the case of an attribute that has a large number of values but only a small number (possibly just one) are of interest to a consumer. Metadata or an AttributeQuery could express this by just including the AttributeValue, something you can't do today because of the separate designator element.

Failing this idea, I'd want to propose putting Attribute instead of AttributeDesignator into metadata to support that use case, but thought it was worth asking about in general.

-- Scott
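The use case in the message above, as an added example that is not part of the original post: a responder-side filter that reads an AttributeQuery whose Attribute elements may carry AttributeValue children and releases only the named attributes and, where values are given, only those values. The query, the attribute store, the SAML 2.0 namespaces and the `Name` XML attribute are constructed for illustration, and exact string equality stands in for the attribute-specific matching rule the message leaves open.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample query: one attribute narrowed to a single value of
# interest, one attribute requested by name only.
SAMPLE_QUERY = """\
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="entitlement">
    <saml:AttributeValue>urn:example:library:journals</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail"/>
</samlp:AttributeQuery>
"""

# Constructed responder-side store for one subject.
SUBJECT_ATTRIBUTES = {
    "entitlement": ["urn:example:library:journals",
                    "urn:example:payroll:admin",
                    "urn:example:vpn:staff"],
    "mail": ["user@example.org"],
    "telephoneNumber": ["+1 555 0100"],
}

def parse_requested(query_xml):
    """Map each requested name to a set of wanted values, or None for all."""
    root = ET.fromstring(query_xml)
    requested = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            raise ValueError("Attribute element without a Name")
        values = {(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)}
        requested[name] = values or None
    return requested

def select_attributes(requested, store):
    """Release only named attributes; narrow to wanted values when given."""
    released = {}
    for name, wanted in requested.items():
        kept = [v for v in store.get(name, []) if wanted is None or v in wanted]
        if kept:  # assumption: never answer with an empty attribute
            released[name] = kept
    return released
```

With the sample inputs, the two unrelated entitlement values and the unrequested `telephoneNumber` stay with the responder, which is the data-minimisation effect of letting the requester name the values it cares about.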