Subject: Re: [security-services] Proposal: Query Extension for SAML AuthnReq
A thought.

The possibility of embedding <RequestedAttribute> in an <AuthnRequest> might be seen as an 'enabler' of the current (to my mind) kludge of using attributes in an IDP-issued assertion to carry assurance.

The existing inability of an SP to ask for particular 'assurance attributes' in its <AuthnRequest> would presumably be one driver for them to instead use <RequestedAuthnContext>?

Should we give guidance against such an application of the new extension?

Paul

Tom Scavo wrote:
> On Fri, Apr 25, 2008 at 10:52 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>
>> > Any opinions on the interim solution?
>>
>> Probably we would need some normative language about whether to treat the
>> extension as mandatory (meaning if you understand it, do you return an error
>> if you can't satisfy the attribute request?). Currently the metadata
>> equivalent is expressly optional to enforce.
>>
>
> So there will be two methods of requesting attributes in conjunction
> with <samlp:AuthnRequest>:
>
> 1. By reference via AttributeConsumingServiceIndex
> 2. By value via <md:RequestedAttribute>
>
> Scott is working on (1) in conjunction with errata, and Sampo has
> proposed (2). In the end, the two approaches should be semantically
> equivalent, that is, the normative language describing each approach
> should be the same.
>
> Tom
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>

--
Paul Madsen
NTT
e:paulmadsen @ ntt-at.com
p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com