
shibboleth-dev - RE: Shibboleth Service Provider Security Advisory [14 December 2004]


  • From: "Scott Cantor" <>
  • To: "'Oleksandr Otenko'" <>
  • Cc: "'Tom Scavo'" <>, <>
  • Subject: RE: Shibboleth Service Provider Security Advisory [14 December 2004]
  • Date: Wed, 15 Dec 2004 12:03:17 -0500
  • Organization: The Ohio State University

> My confusion or feeling of inconsistency comes from the fact that the
> Origin (according to the documentation) checks if the value retrieved
> from DataConnector has "@whatever"; then, if that is present, it is used
> as the scope domain.

Different issue. That's nothing more than arbitrary code used during
attribute construction based on what people might or might not need when they
pull information from databases. How that works is an entirely arbitrary and
unrelated issue to this.

And note that it only does that if you tell it to. If the attribute is
unscoped, it does nothing of the sort.

> This logic defines the meaning that any Attributes used in Shibboleth
> have this special syntax, where "@whatever", if present, means a scope
> domain, which may be different to the default domain defined in the ARP
> (smartScope).

Definitely not. The VALUE (in the holy writ sense) to Shibboleth is the XML
syntax. Nothing else can be considered formally part of the equation, I
think, and there are no hidden meanings attached to anything.

> (and that is why I assumed that the Target uses the same approach).
> (and that is why our software also makes the same assumption - if
> "@whatever" is present, it's a scope domain)

You can never make such a decision without knowledge of the attributes.
Nothing we ever imposed could ever apply without regard for the specific
definition of the attribute.

You might consider (from what I know of your project) consuming the SAML
directly and not relying on the strings. Those are, essentially, a lossy
format. In this particular case, without knowing the attribute definition,
you can't know whether something is scoped only by looking at the string.
Simply can't be done (e.g. email address), and it's not a limitation I
created.

You can, however, tell by looking at the XML. It all depends on what you're
trying to do, but I think this is all separate from how I did or didn't
choose to map a directory string of value@domain to XML and back. The fact
that it's a two-part value is part of the attribute's definition, not based
on the arbitrary presence of an @ sign.

-- Scott
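The point Scott makes above, that a consumer cannot tell from the string "value@domain" whether a value is scoped and must look at the XML instead, can be shown with a small added example. This code is not from the Shibboleth project or from anyone in this thread; it assumes the Shibboleth 1.x convention that a scoped value carries a Scope XML attribute on the SAML 1 AttributeValue element, and the attribute statement, the attribute names and the scope names below are constructed sample data. The sample contains two values that both look like "something@domain" when flattened to a string, yet only one of them is scoped.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample SAML 1 attribute statement (hypothetical values, not
# taken from the advisory or from any real assertion). eduPersonPrincipalName
# is scoped via the Scope XML attribute; mail is an unscoped string that
# merely contains an '@'; the third value is scoped to a domain the
# consumer has not been told to accept from this issuer.
SAMPLE_STATEMENT = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
  <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
             AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue Scope="example.edu">jdoe</AttributeValue>
  </Attribute>
  <Attribute AttributeName="urn:mace:dir:attribute-def:mail"
             AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue>jdoe@mailhost.example.net</AttributeValue>
  </Attribute>
  <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
             AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue Scope="partner.example.org">member</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def parse_attribute_values(xml_text):
    """Return (attribute_name, value, scope) triples read from the XML.

    scope is None when the AttributeValue element carries no Scope XML
    attribute, i.e. the attribute definition says the value is unscoped,
    whatever characters the string itself happens to contain.
    """
    root = ET.fromstring(xml_text)
    triples = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("AttributeName")
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            triples.append((name, (val.text or "").strip(), val.get("Scope")))
    return triples


def guess_scope_from_string(flat_value):
    """The lossy string heuristic discussed in the thread: split on '@'.

    This is what a consumer working only from flattened strings has to do,
    and it cannot distinguish a scoped value from an e-mail address.
    """
    if "@" in flat_value:
        value, scope = flat_value.rsplit("@", 1)
        return value, scope
    return flat_value, None


def accept_values(triples, allowed_scopes):
    """Keep unscoped values and scoped values whose scope the consumer has
    been configured to accept from this issuer; drop the rest.

    allowed_scopes is a set of lower-cased domain names.
    """
    accepted = []
    for name, value, scope in triples:
        if scope is None or scope.lower() in allowed_scopes:
            accepted.append((name, value, scope))
    return accepted


if __name__ == "__main__":
    parsed = parse_attribute_values(SAMPLE_STATEMENT)
    for name, value, scope in parsed:
        flat = value if scope is None else f"{value}@{scope}"
        print(f"{name.rsplit(':', 1)[1]:24} xml scope={scope!r:22} "
              f"string heuristic says scope={guess_scope_from_string(flat)[1]!r}")
    for name, value, scope in accept_values(parsed, {"example.edu"}):
        print("accepted:", name.rsplit(":", 1)[1], value, scope)
```

Running it prints one line per value: the XML parser reports mail as unscoped while the string heuristic would invent a scope of mailhost.example.net for it, and the affiliation value scoped to partner.example.org is dropped because that scope is not in the accepted set. The acceptance check is only meaningful because the scope comes from the XML, where the attribute definition put it; a check driven by the '@' heuristic would either reject legitimate e-mail addresses or, worse, be fed scopes that were never asserted as such.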
