Subject: RequestedAttribute/isRequired in AttributeQuery/NameIDMappingRequest?
Dear Members,

the SAML-based Hungarian eIDAS-Node supports both direct and indirect retrieval of attributes. The direct retrieval is performed via backend AttributeQuery/Response or NameIDMappingRequest/NameIDMappingResponse communications with no user interactions. The indirect retrieval is performed via frontend AuthnRequest/Response communications with user interactions (if user authentication and/or consent giving is required).

For the indirect case we apply the isRequired attribute inside the RequestedAttribute element described by the eIDAS Technical Specifications and W3C specifications (http://docs.oasis-open.org/security/saml-protoc-req-attr-req/v1.0/saml-protoc-req-attr-req-v1.0.html).

But, as I understand, because this specification allows usage exclusively for the AuthnRequest message, we cannot apply the same logic to AttributeQuery or NameIDMappingRequest messages.

"A <req-attr:RequestedAttributes> element is included in a <samlp:AuthnRequest> message by placing it in the optional <samlp:Extensions> element."

Just to make it clear to me: am I right? Is it really allowed just in the AuthnRequest message, or may all messages be covered that are based on RequestAbstractType (even AttributeQuery and NameIDMappingRequest)?

AttributeQuery
    AttributeQueryType
        SubjectQueryAbstractType
            RequestAbstractType

NameIDMappingRequest
    NameIDMappingRequestType
        RequestAbstractType

AuthnRequest
    AuthnRequestType
        RequestAbstractType

BR,
Aron
E-Group
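
An added example, not part of the original message: a receiver-side check that reports which of the three request types a message is and which RequestedAttribute entries (with their isRequired values) its own <samlp:Extensions> carries, so a deployment can see or log where the extension actually shows up. The req-attr namespace URI and the md:RequestedAttribute child are taken from the linked OASIS specification and the SAML 2.0 metadata schema; the function name and the attribute names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Namespace of the OASIS "Requesting Attributes per Request" extension.
REQ_ATTR = "urn:oasis:names:tc:SAML:protocol:ext:req-attr"
# The three RequestAbstractType-derived messages named in the post.
REQUEST_TYPES = {"AuthnRequest", "AttributeQuery", "NameIDMappingRequest"}
XSD_BOOL = {"true": True, "1": True, "false": False, "0": False}


def requested_attributes(xml_text):
    """Return (message type, [(Name, isRequired or None if absent), ...])."""
    root = ET.fromstring(xml_text)
    ns, _, local = root.tag.lstrip("{").partition("}")
    if ns != SAMLP or local not in REQUEST_TYPES:
        raise ValueError(f"not a handled SAML request: {root.tag}")
    found = []
    # Only the request's own direct <samlp:Extensions> child is inspected.
    ext = root.find(f"{{{SAMLP}}}Extensions")
    if ext is not None:
        path = f"{{{REQ_ATTR}}}RequestedAttributes/{{{MD}}}RequestedAttribute"
        for ra in ext.findall(path):
            raw = ra.get("isRequired")
            if raw is not None and raw.strip() not in XSD_BOOL:
                raise ValueError(f"isRequired is not an xsd:boolean: {raw!r}")
            value = None if raw is None else XSD_BOOL[raw.strip()]
            found.append((ra.get("Name"), value))
    return local, found


# Constructed sample: an AttributeQuery carrying the extension (names made up).
SAMPLE_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:md="{MD}"
    xmlns:req-attr="{REQ_ATTR}" ID="_q1" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z">
  <samlp:Extensions>
    <req-attr:RequestedAttributes>
      <md:RequestedAttribute Name="urn:example:attr:personIdentifier" isRequired="true"/>
      <md:RequestedAttribute Name="urn:example:attr:placeOfBirth" isRequired="0"/>
      <md:RequestedAttribute Name="urn:example:attr:gender"/>
    </req-attr:RequestedAttributes>
  </samlp:Extensions>
</samlp:AttributeQuery>"""

if __name__ == "__main__":
    kind, attrs = requested_attributes(SAMPLE_QUERY)
    for name, required in attrs:
        print(kind, name, "isRequired =", required)
```

The check only reports what a message contains; it does not schema-validate the message or decide whether the extension is permitted on that message type.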