
security-services message


Subject: RE: [security-services] saml:Attribute question

> In SAMLCore section Element <AttributeQuery> (lines 1863-1864), we
> specify that
>     A single query MUST NOT contain two <saml:Attribute> elements with
>     the same Name and NameFormat values (that is, a given attribute
>     MUST be named only once in a query).

That came up when value filtering was added, just to simplify processing.

> However, in section 2.7.3 Element <AttributeStatement> we do 
> not discuss the rules or interpretation regarding inclusion 
> of more than one <Attribute> element with identical Name and 
> Format attributes in a single <AttributeStatement> (or in two 
> or more <AttributeStatement> elements within the same 
> <Assertion> or within different <Assertion> elements in the 
> same <Response>).

I doubt we could or would ever say anything about the multiple statement or
multiple assertion case. As far as a single statement, I think we didn't
want to make it a problem if an AA had to spit out values from different
sources and wanted to just create separate attributes for them. The end
result is to make it the RP's problem to look at every element if it's
looking for an attribute.

A bit inconsistent, but it would have been a new constraint that SAML 1.1
didn't have, whereas queries were being redone quite a bit anyway.

> Any thoughts on what this does/should mean in a response to 
> an AttributeQuery?

If you mean the semantics, it's unioned in all cases.

-- Scott
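
The relying-party handling described in the message above, as an added example that is not part of the original e-mail or of any SAML implementation: it unions values across every <saml:Attribute> sharing a (Name, NameFormat) pair, and flags an AttributeQuery that names an attribute twice. The sample XML is constructed and trimmed, the function names are hypothetical, and the input is assumed to have passed signature validation already.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# SAML 2.0: this identifier is in effect when NameFormat is omitted.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed, trimmed sample: "role" appears three times, across two
# statements, once with the default NameFormat spelled out explicitly.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
 <saml:Assertion>
  <saml:AttributeStatement>
   <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="role" NameFormat="{UNSPECIFIED}"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Constructed query that breaks the "named only once" rule for "role".
SAMPLE_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
 <saml:Attribute Name="role"/>
 <saml:Attribute Name="role" NameFormat="{UNSPECIFIED}"/>
 <saml:Attribute Name="mail"/>
</samlp:AttributeQuery>"""

def _key(attr):
    # Normalise an omitted NameFormat so both spellings compare equal.
    return (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED))

def union_attributes(root):
    """Union values of every <saml:Attribute> under root, keyed by (Name, NameFormat)."""
    merged = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = merged.setdefault(_key(attr), [])
        for v in attr.iter(f"{{{SAML}}}AttributeValue"):
            text = (v.text or "").strip()
            if text not in values:  # keep first-seen order, drop repeats
                values.append(text)
    return merged

def duplicate_query_attributes(query):
    """Return the (Name, NameFormat) keys an <AttributeQuery> names more than once."""
    counts = Counter(_key(a) for a in query.findall(f"{{{SAML}}}Attribute"))
    return [k for k, n in counts.items() if n > 1]
```

A consumer that stops at the first matching element would see only "staff" in this sample and miss "admin" and "auditor".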
