OASIS Mailing List Archives
saml-dev message



Subject: RE: [saml-dev] question on AttributeQuery processing


On Wed, 2007-04-18 at 17:44 -0400, Scott Cantor wrote:
> > That's ok. But 'give me A and only A' or 'give me A and I don't care what
> > else is allowed by IdP policies' are both filters.
> 
> Well, no. An LDAP filter or SQL where clause does not behave in the way
> you're asking about. So that wasn't considered.
An LDAP filter or an SQL where clause is what an IdP can use to resolve
attributes for a subject. They are implementation details; should they
drive the application interface?

Do you consider this use pattern uncommon?

The client asks the IdP to return the requested attributes for a subject (and
provides a value because it wants to be sure the value is in):

<Attribute Name="Department">
  <AttributeValue xsi:type="xs:string">aDepartment</AttributeValue>
</Attribute>

The IdP returns the requested attribute (with the requested value and
another value):

<Attribute Name="Department">
  <AttributeValue xsi:type="xs:string">aDepartment</AttributeValue>
  <AttributeValue xsi:type="xs:string">anotherDepartment</AttributeValue>
</Attribute>

If the use pattern is worth considering, how could I redesign the query
to encompass the behaviour, that is, an IdP that is willing to return the
requested attribute with the requested value but does not want to hide
another value? If it's not worth considering, I'll stop bothering.

> > My question was about why
> > the first one was chosen. An AttributeQuery containing an Attribute X
> > containing an AttributeValue Y doesn't ask 'does the subject possess
> > attribute X with value Y'; with the imposition in section 2.3.2.3 it
> > asks 'does the subject possess attribute X with the Y value and only the
> > Y value'.
> 
> I think you're mistaking the concept of asking for an assertion with asking
> whether a subject possesses a given attribute. They aren't the same at all.
> A query in SAML is asking the authority to assert something, not asking
> whether something is true independently of that.
Right, I expressed it incorrectly. According to the spec (line 1851), the
meaning of AttributeQuery is 'return the requested attributes for this
subject'. But it doesn't change much: the filter imposes on an IdP 'return
the requested attribute for this subject with this value and only this
value'.

Valerio
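The constraint the two correspondents are arguing about is that a query whose Attribute carries AttributeValue elements restricts which values the IdP may return for that attribute. As an added example (not code from the saml-dev thread, and not from any SAML implementation), the Python below parses a constructed AttributeQuery and two constructed Responses and flags any returned value that the query did not pin, so a relying party can tell the "aDepartment only" answer from the "aDepartment plus anotherDepartment" answer shown in the message. Issuer URLs, message IDs and the subject name are placeholders, the messages are unsigned, and value equality is simplified to xsi:type plus trimmed text rather than the full XML-representation comparison the spec falls back to.

```python
"""Check an IdP attribute response against the value filter in a SAML 2.0
AttributeQuery. Added example for the saml-dev discussion above; not code
from the thread. Sample messages are constructed, with placeholder issuers,
IDs and subject."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"
NS = {"saml": SAML, "samlp": SAMLP}

# Constructed query: Department is pinned to one value, mail is unconstrained.
QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:xsi="{XSI}" xmlns:xs="{XS}"
    ID="_q1" Version="2.0" IssueInstant="2007-04-19T09:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Attribute Name="Department">
    <saml:AttributeValue xsi:type="xs:string">aDepartment</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail"/>
</samlp:AttributeQuery>"""


def _response(attribute_statement_body):
    """Wrap an AttributeStatement body in a minimal (unsigned) Response."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:xsi="{XSI}" xmlns:xs="{XS}"
    ID="_r1" InResponseTo="_q1" Version="2.0" IssueInstant="2007-04-19T09:00:01Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-04-19T09:00:01Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attribute_statement_body}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# IdP answers with exactly the pinned value: conforms to the filter.
RESPONSE_EXACT = _response("""
      <saml:Attribute Name="Department">
        <saml:AttributeValue xsi:type="xs:string">aDepartment</saml:AttributeValue>
      </saml:Attribute>""")

# IdP adds a second Department value (the case raised in the message) and
# two mail values; only the extra Department value breaks the rule.
RESPONSE_EXTRA = _response("""
      <saml:Attribute Name="Department">
        <saml:AttributeValue xsi:type="xs:string">aDepartment</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">anotherDepartment</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue xsi:type="xs:string">alice@example.org</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">a.lice@example.org</saml:AttributeValue>
      </saml:Attribute>""")


def _value_key(el):
    # Simplified equality: xsi:type plus trimmed text. Absent profile rules the
    # spec requires an identical XML representation; that is not modelled here.
    return (el.get(f"{{{XSI}}}type"), (el.text or "").strip())


def requested_attributes(query_xml):
    """Name -> set of requested values; an empty set means 'any value'."""
    root = ET.fromstring(query_xml)
    return {
        attr.get("Name"): {_value_key(v) for v in attr.findall("saml:AttributeValue", NS)}
        for attr in root.findall("saml:Attribute", NS)
    }


def returned_attributes(response_xml):
    """Name -> set of values found in the response's AttributeStatements."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        out.setdefault(attr.get("Name"), set()).update(
            _value_key(v) for v in attr.findall("saml:AttributeValue", NS))
    return out


def value_filter_violations(query_xml, response_xml):
    """Values the response returned for an attribute the query pinned to other
    values. An empty dict means the response honours the query's filter."""
    wanted = requested_attributes(query_xml)
    got = returned_attributes(response_xml)
    violations = {}
    for name, allowed in wanted.items():
        if not allowed or name not in got:
            continue  # unconstrained attribute, or not returned at all
        extra = got[name] - allowed
        if extra:
            violations[name] = extra
    return violations


if __name__ == "__main__":
    print(value_filter_violations(QUERY, RESPONSE_EXACT))  # {}
    print(value_filter_violations(QUERY, RESPONSE_EXTRA))  # {'Department': {('xs:string', 'anotherDepartment')}}
```

The check is deliberately one-directional: a response that omits a pinned attribute entirely passes, because the rule only constrains what is returned, not whether anything is. Run against the second response it reports exactly the "anotherDepartment" value the message describes, while the two unconstrained mail values pass untouched.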



