OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Attribute equality during AttributeQuery

Thanks again for the guidance. I've got to wonder though: are there any plans to make some amendments to the spec, there are certainly a few blind spots in the spec that isn't really explained well, or just simply are "interesting" (not sure for example if there are implementations of the HTTP-Artifact binding for sending AuthnRequests in WebSSO profile, or why isn't there a way to tell which AuthnContexts a given IdP supports from the SAML metadata).
Will there be a 2.1/new version of the spec?


2014.08.28. 20:40 keltezéssel, Cantor, Scott írta:
On 8/28/14, 3:28 PM, "Peter Major" <peter.major@forgerock.com> wrote:

Thanks for your help, there is only one thing now that I struggle with a
little bit:
how do you determine which profile is being used?

Speaking as an implementer, you ignore the concept of profiles and
strictly enforce equality on both fields, or possibly treat unspecified as
a wildcard that treats Name as the only comparator.

You abstract the matching such that if an inexact equivalence concept is
introduced by a future profile, it's handled through code that only
activates under the appropriate special circumstances, probably based on
the name.

In essence you hand off isEqual() to a method that defaults to string
comparison, but can be overridden.

(or is this the wrong way around and I should look at the received
NameFormat, determine which profile it belongs to, and then use the
comparison rules corresponding to that NameFormat when the AA wants to
determine whether it can collect the requested Attributes for the

If you want to complicate things to that degree, but it's not warranted.

If my AA supports more than one attribute profile for the sake of
complexity, how should it determine which profile's attribute name
comparison rules it should use?

In other words is there a way to tell from an attribute query which
attribute profile should be used, or is this something the server should
decide on its own?

There is no way to tell. The concept of profiles was a sop to accomodate
the resistance to the correct approach, which was to use URIs and nothing

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]