RE: [saml-dev] question on AttributeQuery processing

["Scott Cantor" <cantor.2@osu.edu>]

> LDAP filter and and SQL where clause is what an IdP can use to resolve
> attributes for a subject. They are implementation details, should they
> drive applications interface?

That isn't my point. You said "a filter can certainly do X" and I was
pointing out two extremely common examples of filters that do not do X. In
fact, I would say that I've never once seen anything called a "filter"
behave the way you describe, so the idea simply never occurred to me, nor
did anybody ever suggest it.

> Do you consider this use pattern uncommon

Well, I do, but it doesn't matter whether I do or not for the purposes of
your question. The spec doesn't allow for it at the moment.

> If the use pattern is worth considering, how could I redesing the query
> to encompass the behaviour, that is, IdP is willing to return the
> requested attribute with the requested value but don't want to hide
> another value. If it's not worth considering, I stop bothering.

Well, no, you cannot use a SAML query to do this. An extension element to
specify alternate behavior would be an option, as long as it was optional to
understand and process it. Otherwise you would have to define a different
protocol message.

-- Scott