security-services message
Subject: Re: [security-services] On allowing multiple value types for an attribute


On 11/26/14, 4:58 PM, "Mohammad Jafari" <mjafari@edmondsci.com> wrote:

>This is in Section 2.7.3. line 1168: 
>"Assertions containing <AttributeStatement> elements MUST contain a 
><Subject> element."

Thanks. I frankly didn't recall that. If it's not consistently applied to 
the other statement types, I would speculate it's an errata, but I think 
it probably was intentional. Regardless, that doesn't mean an ID is 
required.

>I just noticed that the text (Section 2.4.1. line 651) says <NameID>, 
><BaseID> or <EncryptedID> are optional. 
>However, the following schema fragment (line 668 onward) uses "choice" 
>with no "minOccurs" which according to XML Schema specs is interpreted as 
>the default of 1. So contrary to the text above, the schema fragment says 
>that there should be at least one occurrence of <NameID>, <BaseID> or 
><EncryptedID>. SAML assertion schema says the same as the schema 
>fragment. 
>
>This actually seems to be an inconsistency in the specs that I had not 
>noticed before.

No, you're just misreading it (luckily). The Subject element is a choice 
between a required ID and optional SC OR just a required SC. That was the 
only way to create a co-constraint of sorts to require SC only if an ID is 
absent.

-- Scott
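The schema structure Scott describes (a `<Subject>` is either an identifier with zero or more `<SubjectConfirmation>` children, or one or more `<SubjectConfirmation>` children with no identifier) is a co-constraint that an application consuming assertions has to respect when it looks for an ID. The following Python is an added example, not code from the list or from any OASIS deliverable; it encodes that choice as a check over a parsed `saml:Subject` using only the standard library, with the sample subjects constructed here for illustration. "SC" in the thread is `SubjectConfirmation`; the identifier names are the three the thread quotes.

```python
"""Classify a SAML 2.0 <Subject> according to the schema choice discussed above.

Form (a): exactly one of BaseID | NameID | EncryptedID, then 0..n SubjectConfirmation.
Form (b): 1..n SubjectConfirmation and no identifier at all.
Anything else (neither, two identifiers, identifier after a confirmation) is
what a schema-validating parser would reject, so it is reported as an error.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ID_TAGS = {f"{{{SAML_NS}}}{name}" for name in ("BaseID", "NameID", "EncryptedID")}
SC_TAG = f"{{{SAML_NS}}}SubjectConfirmation"
SUBJECT_TAG = f"{{{SAML_NS}}}Subject"


def classify_subject(subject: ET.Element) -> str:
    """Return 'identified' for form (a) or 'confirmation-only' for form (b).

    Raises ValueError when the children match neither branch of the choice.
    """
    children = list(subject)
    ids = [c for c in children if c.tag in ID_TAGS]
    confirmations = [c for c in children if c.tag == SC_TAG]
    others = [c.tag for c in children if c.tag not in ID_TAGS and c.tag != SC_TAG]
    if others:
        raise ValueError(f"unexpected child elements in Subject: {others}")
    if not ids:
        if not confirmations:
            raise ValueError("Subject has neither an identifier nor a SubjectConfirmation")
        return "confirmation-only"
    if len(ids) > 1:
        raise ValueError("Subject may carry at most one identifier element")
    # Branch (a) is a <sequence>: the identifier must precede every SubjectConfirmation.
    if children.index(ids[0]) != 0:
        raise ValueError("identifier element must be the first child of Subject")
    return "identified"


def classify_subject_xml(xml_text: str) -> str:
    """Parse XML text (a bare Subject or an Assertion containing one) and classify it."""
    root = ET.fromstring(xml_text)
    subject = root if root.tag == SUBJECT_TAG else root.find(f".//{SUBJECT_TAG}")
    if subject is None:
        raise ValueError("no saml:Subject element found")
    return classify_subject(subject)


# Constructed sample inputs (not taken from any real assertion).
SAMPLES = {
    "name_id_only": (
        f'<saml:Subject xmlns:saml="{SAML_NS}">'
        "<saml:NameID>alice@example.com</saml:NameID>"
        "</saml:Subject>"
    ),
    "name_id_with_confirmation": (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
        "<saml:NameID>alice@example.com</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
        "</saml:Subject></saml:Assertion>"
    ),
    "confirmation_only": (
        f'<saml:Subject xmlns:saml="{SAML_NS}">'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
        "</saml:Subject>"
    ),
    "empty": f'<saml:Subject xmlns:saml="{SAML_NS}"/>',
    "confirmation_before_id": (
        f'<saml:Subject xmlns:saml="{SAML_NS}">'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
        "<saml:NameID>alice@example.com</saml:NameID>"
        "</saml:Subject>"
    ),
}


def run_samples() -> dict:
    """Classify every constructed sample, recording the error text for invalid ones."""
    results = {}
    for name, xml_text in SAMPLES.items():
        try:
            results[name] = classify_subject_xml(xml_text)
        except ValueError as exc:
            results[name] = f"invalid: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:28s} -> {outcome}")
```

The point for a relying party is that "the ID is optional" in the prose does not mean "the Subject may be empty": code that treats a missing `<NameID>` as an error will wrongly reject valid confirmation-only subjects, and code that assumes an ID is always present will misbehave on them.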
