
mace-opensaml-users - RE: AttributeQuery use cases

Subject: OpenSAML user discussion

  • From: Mike Ferraro <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: RE: AttributeQuery use cases
  • Date: Fri, 27 Aug 2004 13:39:13 -0400

Quoting Scott Cantor <>:
> My personal opinion is that we didn't mean that restriction to apply to this
> element, only the more SAML-specific ones. I can ask though.

Ok. Understood. I haven't had a chance to work through Shibboleth, but it
sounds like you don't use the AttributeQuery mechanism in the manner that
we're attempting. That would explain the reason that this issue hasn't come
up yet. Perhaps we're attempting to do something that the language wasn't
meant to do? I don't think so, but maybe I'm wrong?

> What does "valid" mean? The issue of what attributes are "supported" by an
> AA is an out of band issue for a deployment to address. Metadata also can
> address this kind of thing, although not in 1.x.

Sorry, "valid" meaning "supported". If an attribute is
"invalid"/"unsupported", the authority ignores it and does not send it back
in the response. If the attribute is supported, what I assumed would happen
is that the authority returns the attribute with whatever value(s) it has in
its attribute store. The client would then interpret a non-response as an
unsupported attribute, a null value as a null value, and an empty string as
an empty string.

For my purposes, I can get away with not sending an attribute for unsupported
attributes and for null values, since the resulting value is essentially null
in both cases. The issue really arose when OpenSAML didn't let me send back
empty strings, because I want to differentiate between null and empty.

> I think you've invented a concept that doesn't really show up in the spec.
> Validity in the abstract isn't something the protocol is intended to
> communicate.

Maybe? That wasn't really my intention.

> Hmm...what you proposed isn't sufficient for that unless you're proposing to
> simply echo back any attribute that is understood by the AA, and send an
> empty value for any attribute that didn't apply to the subject (which seems
> wrong, since that's not the same as saying "no values". But that isn't
> something I think others are doing. Certainly we don't in Shibboleth.

I didn't think that I was proposing that? So what DO you do in Shibboleth
when you implement AttributeQuery requests and responses? How do you handle
cases where a consumer is requesting unsupported attributes, null value
attributes, and empty string attributes from an attribute authority?

> Whether I agree with using it or not, I would consider it a bug if I was
> blocking something simple that is legal, so I'll ask next week and put in a
> fix if it's warranted.

That would be fantastic. Please let me know if a change goes through.

Thanks for all the help and info and have a good weekend.

-Mike
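The convention Mike describes above (unsupported and null attributes are omitted from the response, an empty string is returned as an empty AttributeValue, and the consumer keeps "not returned" distinct from "empty") is shown below as an added example. It is not code from the thread, from OpenSAML or from Shibboleth; it builds and reads a bare SAML 1.x AttributeStatement with the standard library, with no Assertion wrapper or signature. The attribute store, the AttributeNamespace URI and the attribute names are constructed for the example. Note that in the SAML 1.x schema an Attribute carries at least one AttributeValue, so "no values" has no encoding other than leaving the attribute out, which is why the convention collapses unsupported and null into omission.

```python
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (the version this thread is about).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# AttributeNamespace is deployment-specific; this URI is a placeholder.
ATTR_NS = "urn:example:attribute-namespace"

# Constructed sample attribute store for one subject (not real data).
# None models a null value; a name absent from the dict models an
# attribute the authority does not support at all.
SAMPLE_STORE = {
    "mail": ["mike@example.org"],
    "displayName": [""],        # supported, stored as the empty string
    "department": None,         # supported, but null for this subject
    "groups": ["staff", "dev"],
}


def build_attribute_statement(store, requested):
    """Authority side. Follows the convention from the message:
    unsupported and null attributes are omitted, an empty string is sent
    as an empty AttributeValue, and each real value gets one AttributeValue.
    Returns the AttributeStatement serialised as a string."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in requested:
        if name not in store or store[name] is None:
            continue  # unsupported or null: not echoed back at all
        attr = ET.SubElement(
            stmt, f"{{{SAML_NS}}}Attribute",
            AttributeName=name, AttributeNamespace=ATTR_NS,
        )
        for value in store[name]:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def interpret_response(xml_text, requested):
    """Consumer side. Maps every requested name to None when the authority
    returned nothing for it, or to the list of returned string values.
    An empty AttributeValue yields "" and is kept distinct from None.
    Attributes the consumer never asked for are ignored, not trusted."""
    root = ET.fromstring(xml_text)
    returned = {}
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("AttributeName")
        if name not in requested:
            continue
        # ElementTree gives .text None for <AttributeValue/>; normalise to "".
        returned[name] = [
            (v.text or "") for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
        ]
    return {name: returned.get(name) for name in requested}


if __name__ == "__main__":
    wanted = ["mail", "displayName", "department", "groups", "employeeId"]
    response = build_attribute_statement(SAMPLE_STORE, wanted)
    print(response)
    for name, values in interpret_response(response, wanted).items():
        print(f"{name}: {'not returned' if values is None else values!r}")
```

The consumer's result still conflates "unsupported" with "null", exactly as the message says it can get away with; what the round trip preserves is the difference between an attribute that was not returned and one returned with an empty value, which is the distinction the thread is about.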



