
samldemotech message



Subject: RE: ? re: attributes


Title: RSA SAML Interop Conference Call Minutes - January 26, 2005

Yes, that’s what I’m expecting.  The Response always has to go to the AssertionConsumerService endpoint.

 

What I was discussing was whether or not the AuthnRequest would use an AttributeConsumingServiceIndex attribute.  This does not have anything to do with any other endpoint.  It is simply an index associated with a set of SAML attributes that the requester wants the IDP to include in the assertion that comes back.  It still comes back to the AssertionConsumerService endpoint. An IDP uses the index from the AuthnRequest to figure out what set of attributes the requester wants.  If you’re using metadata, the IDP can figure this out by looking at an SP’s metadata that can include one or more <AttributeConsumingService> entries in an SPSSODescriptor to define the sets of attributes it might want an IDP to send with an SSO assertion.  But note that this metadata element doesn’t define any service endpoint.  Because it is part of the SPSSODescriptor, it uses the endpoint for the SPSSO.  Just thought I should clarify all of that in case we weren’t really talking about the same thing.

 

Anyway, I believe that we are NOT using the index in the <AuthnRequest> and thus the IDP just has to “know” it should always include our set of attributes in the assertion in the response.

 

Rob Philpott
Senior Consulting Engineer 
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com


From: Thomas Wisniewski [mailto:Thomas.Wisniewski@entrust.com]
Sent: Friday, January 28, 2005 4:30 PM
To: Philpott, Robert
Subject: RE: ? re: attributes

 

Rob, my understanding....

 

We agreed to send the attributes back as part of the <Response> message (i.e., statically as you defined it below) that contains the Authn Statement. As such, it has to go back to the AssertionConsumerService.

 

The same attributes will be sent back for both use cases.

 

Tom.

-----Original Message-----
From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]
Sent: Friday, January 28, 2005 4:22 PM
To: samldemotech
Subject: ? re: attributes

We’ve decided that it is a requirement to send the AttributeStatement in the web SSO assertions, but we did not discuss whether this is just statically configured or whether we would utilize the AttributeConsumingServiceIndex attribute on the AuthnRequest that gets delivered from an SP. 

 

My assumption is that we statically configure the IDP to push the attributes and that the SP does not send the index.

 

Otherwise, we need to agree on what we’ll use for the index (i.e. configuring SP metadata defining the attributes in the AttributeConsumingService settings).

 

It is also assumed that the attributes are sent for BOTH the standard use case AND the optional use cases.

Rob Philpott
Senior Consulting Engineer 
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com
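
The two options discussed in this thread, as an added example that is not part of the original messages or any participant's code: an IdP-side lookup that releases a static attribute set when the AuthnRequest carries no AttributeConsumingServiceIndex, and otherwise resolves the index against the SP's metadata. The metadata, request, attribute names, URLs and the `attributes_to_release` and `sample_request` helpers are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed SP metadata (entity ID, URL and attribute names are made up).
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
 <md:SPSSODescriptor
     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Location="https://sp.example.org/acs"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <md:AttributeConsumingService index="1">
   <md:ServiceName xml:lang="en">Basic</md:ServiceName>
   <md:RequestedAttribute Name="mail"/>
  </md:AttributeConsumingService>
  <md:AttributeConsumingService index="2">
   <md:ServiceName xml:lang="en">Extended</md:ServiceName>
   <md:RequestedAttribute Name="mail"/>
   <md:RequestedAttribute Name="memberOf"/>
  </md:AttributeConsumingService>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

STATIC_ATTRIBUTES = ["mail", "memberOf"]  # hypothetical static IdP setting


def sample_request(index=None):
    """Build a constructed AuthnRequest, with or without the index."""
    extra = "" if index is None else f' AttributeConsumingServiceIndex="{index}"'
    return ('<samlp:AuthnRequest ID="_a1" Version="2.0"'
            ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            f' IssueInstant="2005-01-28T21:30:00Z"{extra}/>')


def attributes_to_release(metadata_xml, request_xml, static=STATIC_ATTRIBUTES):
    """Return (ACS URL, attribute names) the IdP would use for this request."""
    sp = ET.fromstring(metadata_xml).find(MD + "SPSSODescriptor")
    acs_url = sp.find(MD + "AssertionConsumerService").get("Location")
    index = ET.fromstring(request_xml).get("AttributeConsumingServiceIndex")
    if index is None:
        return acs_url, list(static)  # no index: IdP pushes its static set
    for svc in sp.findall(MD + "AttributeConsumingService"):
        if svc.get("index") == index:
            names = [a.get("Name") for a in svc.findall(MD + "RequestedAttribute")]
            return acs_url, names
    # Fail closed: an unknown index must not fall back to some other set.
    raise ValueError(f"unknown AttributeConsumingServiceIndex {index}")
```

The returned URL is the same in every case, because the index selects only the attribute set and never the endpoint.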


