security-services message

Subject: RE: [security-services] SAML1.x profile of SAML2.0 metadata and AttributeConsumerDescriptor

> I looked over the SAML1.x metadata profile.  I notice that 
> AttributeConsumerDescriptor is left out.  Even though the 
> authentication request doesn't exist (which can reference 
> an attribute consumer index), I think it would still be useful.   

There is no such element any more. What you're referring to is the
AttributeConsumerService element, which is inside the SPSSODescriptor. This
came up sometime around public review 1 I think, and the problem was the
ambiguity in not having metadata pertaining to SSO inside the SSO
descriptor. Since that's what was intended, we moved it.

> Here is a use case: 
> The AttributeAuthority advertises one set of attributes it 
> will release to all trusted SPs.  In addition, it can 
> configure attribute sets specific to the needs of a 
> particular SP.  Configuring these specific attribute sets can 
> be aided by the AttributeConsumerDescriptor metadata elements 
> of the SP. 

That is in fact my use case as well, but it is not a fully interoperable one
because the AttributeConsumerService piece is only strictly defined for the
SSO profile. The issue of metadata for queries came up and was tabled,
essentially, so it would be up to deployments to interpret that data as
something applicable to more generalized attribute exchange.

I think that's ok, though, because the issue of configuring and supporting
attribute release policy at an AA is out of scope for SAML anyway.

> This is how I planned to use AttributeConsumer metadata in 
> SAML 2.0.  Or was the AttributeConsumerService only intended 
> to be used to specify which attributes should be included in 
> the response to an authentication request? 

Technically, yes.

-- Scott
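The following is an added example, not code from the thread or from any OASIS deliverable, showing where the element discussed above sits in SAML 2.0 metadata and how a deployment might read it for the attribute-release use case described. In the SAML 2.0 metadata schema the element is named md:AttributeConsumingService (the thread calls it AttributeConsumerService); it is a child of md:SPSSODescriptor, carries an index that an AuthnRequest can select via AttributeConsumingServiceIndex, and lists md:RequestedAttribute children. The SP metadata document, the attribute OIDs and the release policy in the code are constructed for illustration; using the requested-attribute list as input to an AA's release policy is the deployment-specific interpretation the thread describes, not something the SAML profiles mandate.

```python
"""Read AttributeConsumingService entries from SAML 2.0 SP metadata and
use them as a hint for an attribute authority's release decision.

Added example for the security-services thread above; not code from the
thread or from OASIS. The metadata document below is constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed SP metadata: one SPSSODescriptor carrying two
# AttributeConsumingService entries (index 0 is the default).
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/SAML2/POST"/>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Example Portal</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="givenName"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Library</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="eduPersonEntitlement" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _xs_bool(value):
    """xs:boolean accepts true/false/1/0; absent means false here."""
    return (value or "false").strip().lower() in ("true", "1")


def parse_attribute_consuming_services(metadata_xml):
    """Return {index: {"name", "default", "requested": [(name, friendly, required)]}}
    for every md:AttributeConsumingService under md:SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    services = {}
    for spsso in root.findall("md:SPSSODescriptor", NS):
        for acs in spsso.findall("md:AttributeConsumingService", NS):
            requested = [
                (ra.get("Name"), ra.get("FriendlyName"), _xs_bool(ra.get("isRequired")))
                for ra in acs.findall("md:RequestedAttribute", NS)
            ]
            service_name = acs.find("md:ServiceName", NS)
            services[int(acs.get("index"))] = {
                "name": service_name.text if service_name is not None else "",
                "default": _xs_bool(acs.get("isDefault")),
                "requested": requested,
            }
    return services


def default_service_index(services):
    """Index an IdP would use when the AuthnRequest names none:
    the entry flagged isDefault, else the lowest index."""
    for idx, svc in services.items():
        if svc["default"]:
            return idx
    return min(services) if services else None


def plan_release(services, index, available, releasable):
    """Deployment-specific use of the metadata as a release hint (assumed policy):
    release a requested attribute only if the AA holds it for the subject
    (available: name -> value) AND the AA's policy for this SP permits it
    (releasable: set of names). Required attributes that cannot be released
    are reported so the operator can see the SP's needs are unmet."""
    release, missing_required = {}, []
    for name, friendly, required in services[index]["requested"]:
        if name in available and name in releasable:
            release[name] = available[name]
        elif required:
            missing_required.append(friendly or name)
    return release, missing_required


if __name__ == "__main__":
    svcs = parse_attribute_consuming_services(SP_METADATA)
    idx = default_service_index(svcs)
    print(idx, svcs[idx]["name"], [r[1] for r in svcs[idx]["requested"]])
```

The policy function keeps the metadata advisory: the SP's RequestedAttribute list narrows what is considered, but only the AA's own releasable set grants anything, which matches the point above that release policy at an AA is outside SAML's scope.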
