security-services message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: AuthnQuery filters
- From: Thomas Wisniewski <Thomas.Wisniewski@entrust.com>
- To: SAML <security-services@lists.oasis-open.org>
- Date: Tue, 21 Feb 2006 10:36:54 -0500
Title: Message
The rules
around using the SessionIndex and RequestedAuthnContext filters seems unclear in
the sense that they suggest that at least one AuthnStatement element in the
set of returned assertions MUST contain a match to the filter. That's fair
enough, but it then goes on to say, it is OPTIONAL for the complete set of all
such matching assertions to be returned.
Does "all such
matching assertions" imply matching the filter. As in all returned
AuthnStatement elements will match the filters. If so, why not just say
all AuthnStatement elements in the set of returned assertion MUST contain
a match to the filters (if filters are supplied). Otherwise perhaps
change the wording of "all such matching assertions" to something like "of other
assertions"
But another
way, consider a query that has a SessionIndex and RequestedAuthnContext. If
there is one authn that matches the RequestedAuthnContext and a completely
different authn that contains the SessionIndex, and yet a third authn that
does not match the RequestedAuthnContext or has a SessionIndex, what could be
returned?
a) nothing since
both filters are not matched by a single authn.
b) the first two
can be returned.
c) all three can
be returned.
Thanks, Tom.
Thomas Wisniewski
Software Architect
Phone: (201)
891-0524
Cell: (201) 248-3668
EntrustÒ
Securing Digital Identities
& Information
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]