saml-dev message

Subject: Re: [saml-dev] RequestedAttribute/isRequired in AttributeQuery/NameIDMappingRequest?

On 1/19/21, 3:53 AM, "Szabó Áron" <baronsz@freemail.hu> wrote:

>    Just to make it clear to me: am I right? Is it really allowed just at AuthnRequest message or all messages may be covered
> that are based on RequestAbstractType (even AttributeQuery and NameIDMappingRequest)?

AttributeQuery relies on the Attribute element; it has no notion of "required", in the same way that LDAP query filters limit what you get back but do not prevent a response that doesn't include everything you asked for.

At the end of the day, this is pointless. You know what you need and forcing the IdP to issue an error instead of just doing it yourself is of little importance. The only reason it's used in the front-channel case is consent (and it doesn't work well there either, but that's the theory).

NameIDMapping has never been used, is supported by nobody I know of, and has no notion of Attributes at all. You shouldn't be using it (or NameIDs at all for that matter, they're effectively supplanted once and for all by the subject-id specification).

-- Scott
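
An added example, not part of the original message: a requester-side check of the kind the reply describes, where the relying party verifies for itself that the attributes it needs came back from an AttributeQuery. The required-attribute list, the sample statement and the function names are assumptions, and the statement is taken to come from an assertion whose signature the SAML stack has already validated.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": ASSERTION_NS}
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# SAML core: an Attribute without NameFormat is treated as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Hypothetical requester policy: mail, displayName, eduPersonEntitlement.
REQUIRED = [
    (URI, "urn:oid:0.9.2342.19200300.100.1.3"),
    (URI, "urn:oid:2.16.840.1.113730.3.1.241"),
    (URI, "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"),
]

# Constructed sample: the IdP answered the query but released only part of it.
# displayName is present with an empty value; eduPersonEntitlement is absent.
SAMPLE = f"""\
<saml:AttributeStatement xmlns:saml="{ASSERTION_NS}">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{URI}">
    <saml:AttributeValue>user@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="{URI}">
    <saml:AttributeValue></saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def released_attributes(statement_xml):
    """Return {(NameFormat, Name): [non-empty values]} for each Attribute present."""
    released = {}
    for attr in ET.fromstring(statement_xml).iter(f"{{{ASSERTION_NS}}}Attribute"):
        key = (attr.get("NameFormat", UNSPECIFIED), attr.get("Name"))
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        released.setdefault(key, []).extend(v for v in values if v)
    return released


def missing_required(statement_xml, required=REQUIRED):
    """List the required attributes that are absent or carry no usable value."""
    released = released_attributes(statement_xml)
    return [key for key in required if not released.get(key)]


if __name__ == "__main__":
    for name_format, name in missing_required(SAMPLE):
        print("not released:", name)
```

Matching on the (NameFormat, Name) pair rather than on Name alone keeps an attribute sent under a different name format from satisfying the check by accident.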
