shibboleth-dev - No AttributeStatement versus an empty AttributeStatement
Subject: Shibboleth Developers
List archive
- From: Olivier Salaün <>
- To:
- Subject: No AttributeStatement versus an empty AttributeStatement
- Date: Thu, 12 Mar 2009 12:28:15 +0100
We've noticed the following behaviour with Shibboleth IdP 1.3 and 2.1 :
Considering a Shibboleth IdP configured to use SAML1.1 browser/POST profile with attribute push. If the ARP result is to provide no attribute to the SP, then the SAML assertion only includes an AuthenticationStatement but no AttributeStatement. When the SP receives the SAML assertion from the IdP, because no AttributeStatement is provided it will try to get user attributes via a SOAP request at the AttributeQuery endpoint and it will fail again because the IdP really doesn't want to provide any user attribute to this SP.
Given this behavior of the IdP (ie including no AttributeStatement in the SAML assertion), the SP cannot distinguish situations where IdP refuses to send any attributes from situations where the AttributeQyuery endpoint should be contacted.
We've had problems with this behaviour because our federation metadata make the AttributeService optional for an IDPSSODescriptor (ie we favour attribute push) and shibd process would die while trying to contact an undefined AttributeQuery endpoint. See <https://bugs.internet2.edu/jira/browse/SSPCPP-189>.
I'm wondering if this is a standard SAML behaviour.
Under the situation described above, shouldn't the IdP send a SAML assertion with an empty AttributeStatement instead of no AttributeStatement at all?
- No AttributeStatement versus an empty AttributeStatement, Olivier Salaün, 03/12/2009
- Re: [Shib-Dev] No AttributeStatement versus an empty AttributeStatement, Chad La Joie, 03/12/2009
- RE: [Shib-Dev] No AttributeStatement versus an empty AttributeStatement, Scott Cantor, 03/12/2009
Archive powered by MHonArc 2.6.16.