shibboleth-dev - attribute queries

Subject: Shibboleth Developers

List archive

attribute queries

From: Tom Scavo <>
To: Shibboleth Development <>
Subject: attribute queries
Date: Fri, 25 Mar 2005 15:50:05 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=d6Lj2i66+ICACvTSOAv4yq/zYcFSytxTLgdjtPmKEpRO1dKk9R6XhGKi9Fry2x/upjMsKDfzrSgtcel/fnJhGNBt4lG7pyKW0l3QbgEbqituUGJgZTEswerfM/J3Tyqp6H8RZWmdBBZyW5T+uMbw1s8NmRtfHbxGLLRphKbW2LI=

We're trying to understand precisely how a Shibboleth 1.3 AA processes
attribute queries. As I understand it now, when an AA receives an
attribute query, it does the following:

1) Checks for <saml:AttributeDesignator> elements in the query. If
one or more such elements exist, the corresponding attributes are
supplied (subject to policy and availability).

2) If no <saml:AttributeDesignator> elements appear in the query, the
IdP consults the requester's metadata. If one or more
<md:RequestedAttribute> elements exist in metadata, the corresponding
attributes are supplied (subject to policy and availability).

3) If no <md:RequestedAttribute> elements appear in metadata, the IdP
supplies all attributes (subject to policy and availability).

Is this correct?

Tom

attribute queries, Tom Scavo, 03/25/2005
- RE: attribute queries, Scott Cantor, 03/25/2005
  - Re: attribute queries, Tom Scavo, 03/25/2005
    - RE: attribute queries, Scott Cantor, 03/25/2005
      - Re: attribute queries, Tom Scavo, 03/25/2005
        
        RE: attribute queries, Scott Cantor, 03/25/2005
        
        Re: attribute queries, Tom Scavo, 03/26/2005
        
        RE: attribute queries, Scott Cantor, 03/26/2005
        
        Re: attribute queries, Walter Hoehn, 03/28/2005
        Re: attribute queries, Tom Scavo, 03/28/2005
        RE: attribute queries, Scott Cantor, 03/28/2005

List archive

attribute queries