Re: [security-services] Re: Dutch eID Preso follow up. RE: Proposed Minutes for SSTC Call (Nov 25, 2014)

["Cantor, Scott" <cantor.2@osu.edu>]

On 12/10/14, 6:26 PM, "Martijn Kaag" <martijn.kaag@connectis.nl> wrote:


>
>The requirement to request attributes over a front end channel (either to 
>facilitate consent or to allow for user interaction) if one that I 
>encounter more often. A possible direction is to combine an AuthnRequest 
>and AttributeQuery in one by extending
> AuthnRequestType with the zero or more <saml:Attribute>. 

The reason the Extensions element was created in the schema was because 
extending message types has no real benefit when it comes to getting off 
the shelf code to work. If you have implementations that don't have any 
customizability with respect to Extensions, that's basically a functional 
limitation that has to be addressed if the code base has any hope of 
longevity. OTOH, expecting SSO logic to handle arbitrary message types is 
not realistic in practice.

So that's why a dedicated mechanism for extension of *existing* message 
semantics was created.

TL,DR; extending AuthnRequest in the XML sense is a non-starter.

-- Scott