Shibboleth Developers

[Tom Scavo <>]

On 11/16/05, Scott Cantor 
<>
 wrote:
> > What should the SP do if it finds something other than an attribute
> > statement in the attribute response?
>
> It's a SHOULD NOT, but the behavior is unspecified. Adding a lot of language
> to deal with all the things you could conceivably get in an XML message
> that's at all extensible makes life really hard for implementers.

Well, the spec can't guarantee attribute statements only, I understand
that, so this begs the question of what to do if some other statement
type appears in the response.  I suppose the easiest thing to do is
ignore any non-attribute statements and log a warning, but I'd feel
better if the spec had something to say about this (however brief).

Similarly, according to the spec, the IdP SHOULD include a Audience
condition in the response, but what if there is no Audience condition?
 Should the SP simply log a warning and be on its way?

> Reading this now, though, the main thing is that all the Subject elements
> should be the same and shouldn't have any SubjectConfirmation (by virtue of
> the query also not having any, which should have been made explicit). That
> isn't stated at all, I missed it.

Oh, so there are a bunch of additional requirements here:

- The query SHOULD NOT have a SubjectConfirmation element.  (Does the
IdP just ignore one if it happens to be included?)
- Each attribute statement SHOULD NOT have a SubjectConfirmation
element.  (Again, simply ignore it if there happens to be one?)
- The Subject of each statement should "strongly match" (using
language from the SAML 1.1 spec) the Subject of the query.

I presume any statement with a Subject that does not strongly match
the Subject of the query should be discarded?

Thanks,
Tom