mace-opensaml-users - Re: AttributeQuery use cases

Subject: OpenSAML user discussion

  • From:
  • To: Mike Ferraro <>
  • Cc: "" <>
  • Subject: Re: AttributeQuery use cases
  • Date: Thu, 26 Aug 2004 18:26:48 -0400

Hi Mike,

Section 3.4.4 states:
.."If the SAML authority cannot provide an assertion with any statements
satisfying the constraints expressed by a query, the <Response> element MUST
NOT contain an <Assertion> element and MUST include a <StatusCode> element
with value Success. It MAY return a <StatusMessage> element with additional
information."

imo, your [B], [C] imply that the attributes exist, but the values are
[null | empty] which is the concrete result of the query. Section 3.4.4 seems
to be applicable for both [A] and [D].

Opinions?

-Matt Long






Quoting Mike Ferraro <>:

> Hi,
>
> I couldn't find documentation about this on the Shibboleth site, so
> hopefully someone that has implemented this can shed some light for me. I
> apologize if this is the wrong list to send this to.
>
> I'm curious about how responses are constructed in these AttributeQuery
> request use cases:
>
> A. An attribute query is made and some attributes are requested that do not
> exist within the attribute authority.
> B. An attribute query is made and attributes are requested that exist within
> the attribute authority, but some of those attribute values are null.
> C. An attribute query is made and attributes are requested that exist within
> the attribute authority, but some of those attribute values are empty
> strings.
> D. An attribute query is made with any number of attributes for a Subject
> who does not exist in the attribute authority.
>
> Given the following schema constraints:
>
> 1. AttributeStatements MUST contain at least one Attribute element.
> 2. Attribute elements MUST contain at least one AttributeValue element.
> 3. AttributeValue elements CANNOT contain null or empty strings.
>
> These are my original thoughts for solutions:
>
> A. An AttributeStatement is returned containing only those requested
> Attributes that exist within the attribute authority. If none of the
> requested Attributes exist, then no AttributeStatement is returned. The
> Status returned is Success with some appropriate message.
> B. An AttributeStatement is returned containing all recognized Attributes.
> Any attributes that are null contain a "NULL" string value. The Status
> returned is Success.
> C. An AttributeStatement is returned containing all recognized Attributes.
> Any attributes that are empty strings contain a "NOVALUE" string value. The
> Status returned is Success.
> D. No AttributeStatement is returned. The Status returned is SUCCESS with
> some appropriate message.
>
> One question is if there is a true difference between cases A and B.
> Another is if sending back actual string values for null and empty strings
> could be problematic if "NULL" and "NOVALUE" are actually possible values.
>
> Any input would be much appreciated. Thanks!
> -----
> Mike Ferraro
> Senior Software Engineer
> CAIT : Information Technology Infrastructure Services
> Harvard University
>
>
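
An added example, not part of either message and not OpenSAML or Shibboleth code: a sketch of an attribute authority building a SAML 1.1 response under the Section 3.4.4 rule quoted above, returning Success with no <Assertion> for cases A (nothing requested exists) and D (unknown subject). The directory contents, issuer URL, attribute namespace and the choice to drop null or empty values for B and C are assumptions of the example; the thread does not settle B and C.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample directory: subject -> attribute name -> list of values.
DIRECTORY = {"alice": {"mail": ["alice@example.edu"], "phone": [None], "title": [""]}}

def _stamp(elem, id_attr):
    """Set the ID, version and timestamp attributes SAML 1.1 requires."""
    elem.set(id_attr, "_" + uuid.uuid4().hex)
    elem.set("MajorVersion", "1")
    elem.set("MinorVersion", "1")
    elem.set("IssueInstant", datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))

def build_response(subject, requested, request_id,
                   issuer="https://aa.example.edu", ns="urn:example:attrs"):
    # issuer and ns are hypothetical placeholder values.
    resp = ET.Element(f"{{{SAMLP}}}Response", {"InResponseTo": request_id})
    _stamp(resp, "ResponseID")
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    record = DIRECTORY.get(subject, {})            # case D: unknown subject -> {}
    usable = {}
    for name in requested:                         # case A: unknown names are skipped
        values = [v for v in record.get(name, []) if v]  # assumed policy for B and C
        if values:
            usable[name] = values
    if not usable:                                 # 3.4.4: Success and no <Assertion>
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = "No matching attributes"
        return resp
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"Issuer": issuer})
    _stamp(assertion, "AssertionID")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    for name, values in usable.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             {"AttributeName": name, "AttributeNamespace": ns})
        for v in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    return resp

if __name__ == "__main__":
    print(ET.tostring(build_response("alice", ["mail", "phone"], "_req1"), encoding="unicode"))
```

A relying party receiving the no-assertion form has to treat Success without an <Assertion> as "no data", not as an error and not as an implicit grant.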






