saml-dev message


Subject: Re: Attribute values or the lack thereof

Warren [ et al. ];

We have the same situation.  We used to leave the no-value attributes out of
the response in order to prevent a requester from sniffing out semantics of
our service they are not authorized to use.  The drawback is that our
service behaves the same way when a requester specifies an attribute the
service doesn't recognize.  That is, it's impossible to tell from our
response whether a request contained an unrecognized attribute name or if
the attribute value is "saml-null".  Like all humans our service users make
mistakes, so we opted to define a URN to represent the "saml-null" value (
e.g., urn:learningstation:names:entity-types:null ) and instructed our
service users to recognize that value.

Doing this actually helped us solve several other issues in our SAML
service.  The service applies policy to every request based on the
requester, the type of request being made ( e.g., attribute, authorization
decision, or authentication query ), and the resource URN if applicable.  We
didn't have a way to specify the security policy for a resource-less
attribute query vs. an attribute query with an empty resource, for instance,
until we had a way to identify ( internally ) a "saml-null" value.

jim christopher
senior developer / r&d

----- Original Message ----- 
From: "Warren, David" <dwarren@rsasecurity.com>
To: <saml-dev@lists.oasis-open.org>
Sent: Tuesday, September 02, 2003 5:00 PM
Subject: Attribute values or the lack thereof

> Hi fellow SAML'ers,
> How should an implementation send an empty value (i.e. like a NO-VALUE
> in a database) for an attribute?  The first idea I had was to send an
> Attribute element with no AttributeValue, but that seems to be explicitly
> forbidden by the schema (no minOccurs attribute, which means 1 is required,
> I think).  The second idea I had was to just specify an empty element (like
> <AttributeValue/> or <AttributeValue></AttributeValue>), but section 1.2.1 of
> the core spec (Assertions and Protocol, etc.) seems to disallow this.
> A similar problem comes up with trying to send an empty string (i.e. "").
> Have any other implementers solved this?
> David
> --
> Obligatory .signatory
> David Warren       phone: 781-515-7152
> RSA Security Inc., 174 Middlesex Turnpike, Bedford, MA 01730
> dwarren@rsasecurity.com
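As an added illustration of the sentinel-URN approach described in the reply above (example code, not from the thread or from either poster's service), here is an issuer-side builder and a consumer-side classifier for SAML 1.x attribute statements; the sentinel URN is the one quoted in the reply, while the attribute namespace and attribute names are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Sentinel URN quoted in the reply above; "urn:example:attrs" and the
# attribute names used by callers are constructed for this example.
SAML_NULL = "urn:learningstation:names:entity-types:null"
ATTR_NS = "urn:example:attrs"


def build_attribute_statement(requested, known, values):
    """Issuer side. requested: names in the query; known: names the service
    recognises; values: name -> value, where None (or "") means the
    attribute exists for this subject but carries no value."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in requested:
        if name not in known:
            continue  # unrecognised name: left out of the response entirely
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             AttributeName=name, AttributeNamespace=ATTR_NS)
        # Always exactly one non-empty AttributeValue, so the result stays
        # schema-valid; the sentinel URN stands in for "no value".
        value = values.get(name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = (
            SAML_NULL if value is None or value == "" else value)
    return ET.tostring(stmt, encoding="unicode")


def classify(response_xml, requested):
    """Consumer side: for each requested name return "unrecognized" (absent
    from the response), None (sentinel present, i.e. saml-null) or the list
    of values. Only feed this responses whose signature was already checked."""
    root = ET.fromstring(response_xml)
    present = {}
    for attr in root.findall("saml:Attribute", NS):
        vals = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        present[attr.get("AttributeName")] = vals
    result = {}
    for name in requested:
        if name not in present:
            result[name] = "unrecognized"
        elif present[name] == [SAML_NULL]:
            result[name] = None
        else:
            result[name] = present[name]
    return result
```

Because the sentinel makes the existence of a null-valued attribute visible, the issuer's check of whether the requester may see that attribute at all has to run before the attribute is added to the statement.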
