security-services message



Subject: Groups - Action Item Closed: #0332 Revise Query Extension for SAML ...



OASIS Security Services (SAML) TC member,

Hal Lockhart has closed this action item.

Number: #0332
Description: Revise Query Extension for SAML ...
Owner: Sampo Kellomäki
Status: Closed


Comments:
Mr Brian Campbell  2008-05-19 19:56 GMT
from http://lists.oasis-open.org/archives/security-services/200805/msg00024.html

"3.4 Proposal: Query Extension for SAML AuthnReq
http://lists.oasis-open.org/archives/security-services/200804/msg00019.html

Sampo: objective is to allow an SP to ask for certain attributes on 
AuthnRequest, or to pass attributes in AuthnRequest.
Original options were

a) to embed AttributeQuery in AuthnRequest
b) to embed AttributeQuery in AuthnRequest/Extension
c) new top level query element
d) boxcarring
e) leverage  (from metadata) as child element of 
AuthnRequest/Extension

Option E is the consensus

Prateek: an existing IDP would not process?
Scott: no, it's in an extension that would not understand it
Prateek: shouldn't break though
Sampo: but if we are putting in an extension, then do we need a wrapper 
element
Scott: likes the cleanliness of

AuthnRequest
    Extension
        RequestedAttributes
            RequestedAttribute

Sampo: fine, will rev accordingly

Scott: still need to clarify the mandatory processing rules around this 
extension, and reconcile with the processing rules
for the existing element in metadata. Needs to be written carefully, 
complication is that it's an extension, and so an IDP doesn't
have to support it.
Hal: make sense for the IDP to indicate 'in the message' that the IDP 
did understand the message?
Scott: even if written as mandatory, existing IDPs won't see it
Scott: just wanted to highlight the limitations

Sampo: if you claim to support this extension, then it must be possible 
to configure your IDP deployment to return an error if it
doesn't have the attribute
Sampo: how to indicate in metadata to indicate support for an extension
Scott: we already have a mechanism, it goes in the extension spec

AI: Sampo to revise Query Extension for SAML AuthnReq accordingly"

View Details:
http://www.oasis-open.org/apps/org/workgroup/security/members/action_item.php?action_item_id=2179



PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

- OASIS Open Administration

