Shibboleth Developers

[Olivier Salaün <>]

We've noticed the following behaviour with Shibboleth IdP 1.3 and 2.1 :

Considering a Shibboleth IdP configured to use SAML1.1 browser/POST 
profile with attribute push. If the ARP result is to provide no 
attribute to the SP, then the SAML assertion only includes an 
AuthenticationStatement but no AttributeStatement. When the SP receives 
the SAML assertion from the IdP, because no AttributeStatement is 
provided it will try to get user attributes via a SOAP request at the 
AttributeQuery endpoint and it will fail again because the IdP really 
doesn't want to provide any user attribute to this SP.

Given this behavior of the IdP (ie including no AttributeStatement in 
the SAML assertion), the SP cannot distinguish situations where IdP 
refuses to send any attributes from situations where the AttributeQyuery 
endpoint should be contacted.

We've had problems with this behaviour because our federation metadata 
make the AttributeService optional for an IDPSSODescriptor (ie we favour 
attribute push) and shibd process would die while trying to contact an 
undefined AttributeQuery endpoint. See 
<https://bugs.internet2.edu/jira/browse/SSPCPP-189>.

I'm wondering if this is a standard SAML behaviour.
Under the situation described above, shouldn't the IdP send a SAML 
assertion with an empty AttributeStatement instead of no 
AttributeStatement at all?