Re: [security-services] Proposed Enhancement for Dynamic Attribute Queries

["Cantor, Scott" <cantor.2@osu.edu>]

On 3/27/12 7:23 PM, "David Chadwick" <d.w.chadwick@kent.ac.uk> wrote:
>
>So why is the feature in the attribute request message? And has been
>there from v1 of SAML?

Because copying/emulating basic features of LDAP was one of the original
use cases, and because metadata didn't exist in V1 of SAML (nor, I would
note, did AuthnRequests at all).

>If you have a model of an all attribute providing IDP, and an SP that
>offers multiple services with different authz requirements, then you
>need a feature such as this

I think it's pretty clear that most of us think that metadata is
sufficient for *most* such cases, and it handles multiple services just
fine, in multiple ways. Where it's not sufficient is mostly with respect
to how it identifies attributes, which I haven't evaluated in the context
of your proposal yet.

There isn't any experience at this point in identifying how far down the
complexity scale one has to go to get to the right attribute enumeration
mechanism. XACML is, frankly, too complex IMHO. The metadata schema is
clearly not complex enough.

What I do think is that whatever extension were to be adoped for an
AuthnRequest should also be defined as usable in metadata as a replacement
for AttributeConsumingService.

-- Scott