Subject: RE: [security-services] SAML1.x profile of SAML2.0 metadata and AttributeConsumerDescriptor

> I looked over the SAML1.x metadata profile. I notice that
> AttributeConsumerDescriptor is left out. Even though the
> authentication request doesn't exist, (which can reference
> an attribute consumer index) I think it would still be useful.

There is no such element any more. What you're referring to is the AttributeConsumerService element, which is inside the SPSSODescriptor. This came up sometime around public review 1 I think, and the problem was the ambiguity in not having metadata pertaining to SSO inside the SSO descriptor. Since that's what was intended, we moved it.

> Here is a use case:
> The AttributeAuthority advertises one set of attributes it
> will release to all trusted SP's. In addition, it can
> configure attribute sets specific to the needs of a
> particular SP. Configuring these specific attribute sets can
> be aided by the AttributeConsumerDescriptor metadata elements
> of the SP.

That is in fact my use case as well, but it is not a fully interoperable one because the AttributeConsumerService piece is only strictly defined for the SSO profile. The issue of metadata for queries came up and was tabled, essentially, so it would be up to deployments to interpret that data as something applicable to more generalized attribute exchange.

I think that's ok, though, because the issue of configuring and supporting attribute release policy at an AA is out of scope for SAML anyway.

> This is how I planned to use AttributeConsumer metadata in
> SAML 2.0. Or was the AttributeConsumerService only intended
> to be used to specify which attributes should be included in
> the response to an authentication request?

Technically, yes.

-- Scott
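
The use case discussed in this thread, as an added example that is not part of the original message: a sketch of how a deployment might read an SP's requested attributes from its SPSSODescriptor and use them only as a hint when building a per-SP release set at an attribute authority. It assumes the element names of the published SAML 2.0 metadata schema (AttributeConsumingService with RequestedAttribute children); the entityID, attribute names and both functions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata. Real metadata must have its signature
# verified against a trusted key before it is parsed for policy decisions.
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/acs"/>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Example portal</md:ServiceName>
      <md:RequestedAttribute Name="urn:example:attr:mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:example:attr:affiliation"/>
      <md:RequestedAttribute Name="urn:example:attr:nationalId" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def requested_attributes(metadata_xml):
    """Return {entityID: {attribute name: isRequired}} per SP entity."""
    root = ET.fromstring(metadata_xml)
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    result = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        wanted = {}
        for attr in entity.findall(path, NS):
            required = attr.get("isRequired", "false") in ("true", "1")
            name = attr.get("Name")
            wanted[name] = wanted.get(name, False) or required
        result[entity.get("entityID")] = wanted
    return result

def release_set(default_release, releasable_on_request, sp_requested):
    """Default set plus requested attributes the AA's own policy allows.

    What the SP asks for is never an authorization: anything outside the
    AA's allowlist is dropped, and unmet required attributes are reported.
    """
    release = set(default_release) | (set(sp_requested) & set(releasable_on_request))
    unmet = sorted(n for n, req in sp_requested.items() if req and n not in release)
    return release, unmet
```
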