
shibboleth-dev - Re: attribute queries

Subject: Shibboleth Developers

  • From: Tom Scavo
  • To: Scott Cantor
  • Cc: Shibboleth Development
  • Subject: Re: attribute queries
  • Date: Fri, 25 Mar 2005 17:21:48 -0500

On Fri, 25 Mar 2005 16:47:58 -0500, Scott Cantor wrote:
> > 1) Checks for <saml:AttributeDesignator> elements in the query. If
> > one or more such elements exist, the corresponding attributes are
> > supplied (subject to policy and availability).
>
> True, noting that there's a bug in the older versions (1.1 for sure) that
> causes this to crash and return an error.
>
> > 2) If no <saml:AttributeDesignator> elements appear in the query, the
> > IdP consults the requester's metadata. If one or more
> > <md:RequestedAttribute> elements exist in metadata, the corresponding
> > attributes are supplied (subject to policy and availability).
>
> Not true. The ARP is used to determine what to return. I haven't even
> wrapped that part of the metadata yet. We were more interested in using that
> stuff for the GUI at this point than operationalizing it. I'm also reluctant
> to overload the SP descriptor for queries, but if I can get that extension
> accepted, we could use that without cheating so much.

So if I understand you correctly, metadata is not used to determine
required attributes but may be used in the future (1.3?) depending on
the outcome of the proposed metadata extension. Correct?

> > 3) If no <md:RequestedAttribute> elements appear in metadata, the IdP
> > supplies all attributes (subject to policy and availability).
>
> 2 and 3 are the same case, currently.

Okay, so that implies that SP queries and client queries (à la
LionShare and GridShib) are all processed in the same way (ignoring
ARP processing for the moment), that is, either the requested
attributes are returned or all attributes are returned. Is that
right?

Tom
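
The two cases discussed in the message above (designators present: those attributes, subject to policy and availability; no designators: whatever the release policy allows), modelled as an added Python example that is not part of the original message and is not Shibboleth's code. The per-requester policy table standing in for an ARP, the requester URL, the directory values and the function names are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.x protocol namespace
SP = "https://sp.example.org/shibboleth"         # constructed requester identifier
EPA = "urn:mace:dir:attribute-def:eduPersonAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
MAIL = "urn:mace:dir:attribute-def:mail"

# Constructed stand-in for an ARP: requester -> attribute names it may receive.
ARP = {SP: {EPA, EPPN}}

# Constructed directory data for one principal; mail exists but is not releasable to SP.
AVAILABLE = {EPA: ["member"], EPPN: ["user@example.org"], MAIL: ["user@example.org"]}

def requested_names(query_xml):
    """Return the AttributeName values designated in the query (empty set if none)."""
    # The sample input is constructed; use a hardened parser for untrusted XML.
    root = ET.fromstring(query_xml)
    query = next(root.iter(f"{{{SAMLP}}}AttributeQuery"), None)
    if query is None:
        raise ValueError("no samlp:AttributeQuery element found")
    return {d.get("AttributeName") for d in query.findall(f"{{{SAML}}}AttributeDesignator")}

def resolve(query_xml, requester):
    """Designators can only narrow the release set; with none, the policy decides.
    The policy is applied in both cases, so a query never widens what is released."""
    allowed = ARP.get(requester, set())   # unknown requester: nothing is released
    wanted = requested_names(query_xml)
    names = (wanted & allowed) if wanted else allowed
    return {n: AVAILABLE[n] for n in sorted(names) if n in AVAILABLE}

def make_query(*names):
    """Build a constructed SAML 1.1 attribute query carrying the given designators."""
    designators = "".join(
        f'<saml:AttributeDesignator AttributeName="{n}" '
        f'AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>'
        for n in names)
    return (f'<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f'<saml:Subject><saml:NameIdentifier>handle-123</saml:NameIdentifier>'
            f'</saml:Subject>{designators}</samlp:AttributeQuery>')
```

A query that designates only an attribute outside the policy yields an empty result rather than falling back to the full release set.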


