Re: [security-services] XPath Attribute Profile

[Cameron Morris <cmorris@novell.com>]

On Wed, 2005-06-01 at 14:55 -0400, Conor P. Cahill wrote:
> 
> Conor P. Cahill wrote on 6/1/2005, 2:49 PM:
> 
>  > Cameron Morris wrote on 6/1/2005, 2:30 PM:
>  >
>  > > So you are also proposing that the attributes in a query can be xpath,
>  > > and the asserted attributes follow your proposal. Correct?
>  >
>  > Correct.
> 
So in addition to the XPath attribute profile - used only for queries -
you'd like something like an "XML document attribute profile" to define
the attribute name as a document or document namespace - used for
attribute statements in assertions.

> PS.  Note that there does not *have* to be a real query involved (e.g.
> the IdP can have some out-of-band knowledge that the SP would want
> some data returned and can return it as if the SP had queried it).
> 
> Not that their can't be a query, just that there are situations
> where there is not an explicit query and the IdP may return
> such attributes in an AuthnResponse.

In addition, the authnRequest will either reference an attribute
consuming service index or the IDP could use the default attribute
consuming service published in metadata for the SP.  If xpath attributes
are not used for assertions, I still assume that XPath attributes would
apply to attribute consuming services.


- Cameron