Subject: Re: Attribute values or the lack thereof
Warren [ et al. ];

We have the same situation. We used to leave the no-value attributes out of the response in order to prevent a requester from sniffing out semantics of our service they are not authorized to use. The drawback is that our service behaves the same way when a requester specifies an attribute the service doesn't recognize. That is, it's impossible to tell from our response whether a request contained an unrecognized attribute name or if the attribute value is "saml-null".

Like all humans, our service users make mistakes, so we opted to define a URN to represent the "saml-null" value (e.g., urn:learningstation:names:entity-types:null) and instructed our service users to recognize that value.

Doing this actually helped us solve several other issues in our SAML service. The service applies policy to every request based on the requester, the type of request being made (e.g., attribute, authorization decision, or authentication query), and the resource URN if applicable. We didn't have a way to specify the security policy for a resource-less attribute query vs. an attribute query with an empty resource, for instance, until we had a way to identify (internally) a "saml-null" value.

HTH,

jim christopher
senior developer / r&d
learningstation

----- Original Message -----
From: "Warren, David" <dwarren@rsasecurity.com>
To: <saml-dev@lists.oasis-open.org>
Sent: Tuesday, September 02, 2003 5:00 PM
Subject: Attribute values or the lack thereof

> Hi fellow SAML'ers,
>
> How should an implementation send an empty value (i.e. like a NO-VALUE value
> in a database) for an attribute? The first idea I had was to send an
> Attribute element with no AttributeValue but that seems to be explicitly
> forbidden by the schema (no minOccurs attribute which means 1 is required, I
> think).
>
> The second idea I had was to just specify an empty element (like
> <AttributeValue/> or <AttributeValue></AttributeValue>) but section 1.2.1 of
> the core spec (Assertions and Protocol, etc.) seems to disallow this.
>
> A similar problem comes up with trying to send an empty string (i.e. "").
>
> Have any other implementers solved this?
>
> David
> --
> Obligatory .signatory
> David Warren phone: 781-515-7152
> RSA Security Inc., 174 Middlesex Turnpike, Bedford, MA 01730
> dwarren@rsasecurity.com
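The sentinel-URN approach described in the reply above, as an added example that is not code from the original thread or from either poster's service. It builds a SAML 1.x AttributeStatement on the responder side and classifies each requested attribute on the requester side into one of three states: a real value, the "saml-null" sentinel, or an unrecognized name (omitted from the response). The null URN is the one the reply mentions; the attribute namespace urn:example:attributes, the directory record and the attribute names are constructed for this example and are hypothetical.

```python
"""Sentinel URN for "no value" SAML 1.x attributes.

Added example, not code from the saml-dev thread. The directory record,
the attribute namespace and the attribute names are constructed here.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
NULL_URN = "urn:learningstation:names:entity-types:null"  # sentinel named in the reply
ATTR_NS = "urn:example:attributes"                        # hypothetical, constructed here

# Constructed directory record: "role" is a recognized attribute that happens to
# have no value for this subject; "department" has a value.
DIRECTORY = {"department": "r&d", "role": None}


def build_attribute_statement(requested):
    """Responder side.

    Recognized names are always answered: a real value as element text, a
    missing value as the sentinel URN. Unrecognized names are omitted entirely,
    so a requester cannot probe which attributes the service knows about.
    An <Attribute> is never emitted without an <AttributeValue>, and the
    <AttributeValue> is never empty, which is what the thread says the schema
    and core spec disallow.
    """
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in requested:
        if name not in DIRECTORY:
            continue  # unrecognized: say nothing, exactly as for an unauthorized probe
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             AttributeName=name, AttributeNamespace=ATTR_NS)
        val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
        value = DIRECTORY[name]
        val.text = NULL_URN if value is None else value
    return ET.tostring(stmt, encoding="unicode")


def interpret_response(xml_text, requested):
    """Requester side.

    Returns {name: (state, payload)} where state is "value", "null" or
    "unrecognized". Without the sentinel, "null" and "unrecognized" would be
    indistinguishable: both would simply be absent from the response.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.findall("saml:Attribute", NS):
        values = []
        for v in attr.findall("saml:AttributeValue", NS):
            if v.text is None or not v.text.strip():
                # Empty <AttributeValue/> is the form the original poster says
                # the core spec disallows; treat it as a malformed response.
                raise ValueError("empty AttributeValue in response")
            values.append(v.text)
        if not values:
            raise ValueError("Attribute without AttributeValue in response")
        found[attr.get("AttributeName")] = values

    result = {}
    for name in requested:
        if name not in found:
            result[name] = ("unrecognized", None)
        elif found[name] == [NULL_URN]:
            result[name] = ("null", None)
        else:
            vals = found[name]
            result[name] = ("value", vals[0] if len(vals) == 1 else vals)
    return result


if __name__ == "__main__":
    asked = ["department", "role", "shoe_size"]
    response = build_attribute_statement(asked)
    print(response)
    for name, (state, payload) in interpret_response(response, asked).items():
        print(f"{name}: {state} {payload if payload is not None else ''}")
```

The requester must know the sentinel out of band, as the reply says the service's users were told to; a requester that does not will see the URN as an ordinary string value, which is the trade-off of overloading the value space rather than the schema.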