OASIS Mailing List Archives
saml-dev message

Subject: Re: [saml-dev] use of protocolSupportEnumeration


On 6/14/06, Scott Cantor <cantor.2@osu.edu> wrote:
> Tom Scavo wrote:
> >
> > <md:AttributeAuthorityDescriptor
> >  protocolSupportEnumeration="urn:oasis:names:tc:SAML:profiles:query:attributes:X509-basic">
>
> Protocols are not profiles. They're something broader than that.
> Profiles are captured by the endpoint elements themselves, in particular
> roles, in combination with particular bindings.
>
> If something is a SAML 2.0 profile, then the protocol enumeration
> constant is probably just SAML 2.0. If not, it's not.

Well, let me push back just a little bit, because I'm still confused.
Noting the two URIs I quoted earlier,

urn:oasis:names:tc:SAML:profiles:query:attributes:X509-basic
urn:oasis:names:tc:SAML:profiles:query:attributes:X509-encrypted

plus the related URI from [SAMLProf]

urn:oasis:names:tc:SAML:2.0:profiles:query

we have at least three attribute exchange profiles from which to
choose (plus I have a SAML 1.1 attribute exchange profile I'd like to
add to the mix).

1. How does an IdP advertise its support for one or more of these profiles?
2. How does an SP advertise its support for one or more of these profiles?

Seems like the latter is particularly important; otherwise an IdP won't
know how to respond to a particular attribute query.

Suppose, for example, an IdP receives an attribute query with an
encrypted NameID?  How does it know which of the above three profiles
is in effect?  There is nothing in the metadata to help it make this
determination, it seems.

Tom
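Added example, not part of the original thread and not code from any OASIS deliverable or SAML implementation: a small Python script that parses a constructed metadata fragment containing two AttributeAuthorityDescriptor elements. The first lists the X509-basic query profile URI in protocolSupportEnumeration (the usage under discussion); the second lists the SAML 2.0 protocol namespace and leaves the attribute-exchange details to its AttributeService endpoint and binding. The entityIDs and Location URLs are made up, and the ":profiles:" substring test used to flag profile URIs is a heuristic of this example, not a rule from the specification.

```python
"""Audit protocolSupportEnumeration on SAML 2.0 AttributeAuthorityDescriptors.

Added example for the saml-dev thread on protocolSupportEnumeration. The
metadata below is constructed for illustration; the entityIDs, endpoint
locations and the ':profiles:' heuristic are assumptions of this example.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
X509_BASIC_PROFILE = "urn:oasis:names:tc:SAML:profiles:query:attributes:X509-basic"

# Constructed sample metadata. Entity one puts a profile URI into
# protocolSupportEnumeration; entity two lists the protocol namespace and
# expresses attribute-query support through its AttributeService endpoint.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://aa.example.org/idp">
    <md:AttributeAuthorityDescriptor
        protocolSupportEnumeration="{X509_BASIC_PROFILE}">
      <md:AttributeService Binding="{SOAP_BINDING}"
          Location="https://aa.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aa.example.net/idp">
    <md:AttributeAuthorityDescriptor
        protocolSupportEnumeration="{SAML2_PROTOCOL}">
      <md:AttributeService Binding="{SOAP_BINDING}"
          Location="https://aa.example.net/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def supported_protocols(aa_descriptor):
    """protocolSupportEnumeration is a whitespace-separated list of URIs."""
    return aa_descriptor.get("protocolSupportEnumeration", "").split()


def attribute_services(aa_descriptor):
    """Return (Binding, Location) pairs for each AttributeService endpoint."""
    return [
        (svc.get("Binding"), svc.get("Location"))
        for svc in aa_descriptor.findall(f"{{{MD_NS}}}AttributeService")
    ]


def audit_attribute_authorities(metadata_xml):
    """Map entityID -> findings for every AttributeAuthorityDescriptor.

    Real federation metadata should be signature-verified before it is
    trusted, and untrusted XML is better parsed with defusedxml; the
    stdlib parser is used here only because the input is our own constant.
    """
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for aa in entity.findall(f"{{{MD_NS}}}AttributeAuthorityDescriptor"):
            protocols = supported_protocols(aa)
            report[entity.get("entityID")] = {
                "protocols": protocols,
                # Heuristic of this example: a URI with ':profiles:' in it is a
                # profile identifier, not a protocol namespace.
                "profile_uris_in_protocol_enum": [p for p in protocols if ":profiles:" in p],
                "supports_saml2": SAML2_PROTOCOL in protocols,
                "soap_attribute_services": [
                    loc for binding, loc in attribute_services(aa) if binding == SOAP_BINDING
                ],
            }
    return report


def select_saml2_attribute_query_endpoint(entry):
    """SP-side selection: require the SAML 2.0 protocol URI plus a SOAP
    AttributeService endpoint; return the endpoint Location or None."""
    if not entry["supports_saml2"] or not entry["soap_attribute_services"]:
        return None
    return entry["soap_attribute_services"][0]


if __name__ == "__main__":
    for entity_id, entry in audit_attribute_authorities(SAMPLE_METADATA).items():
        print(entity_id)
        print("  protocols:", entry["protocols"])
        print("  profile URIs in protocol enumeration:", entry["profile_uris_in_protocol_enum"])
        print("  SAML 2.0 attribute query endpoint:", select_select := select_saml2_attribute_query_endpoint(entry))
```

Run as-is and the first entity is reported with a profile URI in its protocol enumeration and no usable SAML 2.0 attribute query endpoint, while the second is selectable; an SP that keys on the protocol namespace, as the reply in this thread suggests, would skip the first entity entirely.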