
shibboleth-dev - RE: [Shib-Dev] No AttributeStatement versus an empty AttributeStatement

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] No AttributeStatement versus an empty AttributeStatement
  • Date: Thu, 12 Mar 2009 10:39:16 -0400
  • Organization: The Ohio State University

Olivier Salaün wrote on 2009-03-12:
> Considering a Shibboleth IdP configured to use SAML1.1 browser/POST
> profile with attribute push. If the ARP result is to provide no
> attribute to the SP, then the SAML assertion only includes an
> AuthenticationStatement but no AttributeStatement. When the SP receives
> the SAML assertion from the IdP, because no AttributeStatement is
> provided it will try to get user attributes via a SOAP request at the
> AttributeQuery endpoint and it will fail again because the IdP really
> doesn't want to provide any user attribute to this SP.

If you're pushing, there's no reason to supply an
AttributeAuthorityDescriptor, unless you have a different use case you have
to support. In that case, it's unfortunately not something I can fix...how
would the SP know what to do? Your best bet there is to supply a
meaningless attribute.

> We've had problems with this behaviour because our federation metadata
> make the AttributeService optional for an IDPSSODescriptor (i.e. we favour
> attribute push) and shibd process would die while trying to contact an
> undefined AttributeQuery endpoint. See
> <https://bugs.internet2.edu/jira/browse/SSPCPP-189>.

Well, again, why are you supplying the role to begin with? Are you using
GridShib as well, or some other application that requires queries?

> Under the situation described above, shouldn't the IdP send a SAML
> assertion with an empty AttributeStatement instead of no
> AttributeStatement at all?

As Chad said, no, that's not allowed.

-- Scott
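
The decision discussed in this thread, modelled as an added example (not code from the original messages or from the Shibboleth SP): given a SAML 1.1 assertion and the issuer's metadata, it reports whether attributes were pushed, whether the AttributeStatement is empty (not allowed), or whether an SP following the described fallback would go looking for an AttributeQuery endpoint. The entityID, endpoint URL, trimmed XML samples and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed, trimmed samples (not schema-complete); all values are invented.
IDP = "https://idp.example.org/shibboleth"
ASSERTION_NO_ATTRS = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="{IDP}"
    IssueInstant="2009-03-12T14:39:16Z">
  <saml:AuthenticationStatement AuthenticationInstant="2009-03-12T14:39:10Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
</saml:Assertion>"""
ASSERTION_EMPTY_STMT = ASSERTION_NO_ATTRS.replace(
    "</saml:Assertion>", "<saml:AttributeStatement/></saml:Assertion>")

def metadata(with_aa):
    """Build sample IdP metadata, with or without an AttributeAuthorityDescriptor."""
    aa = ('<md:AttributeAuthorityDescriptor protocolSupportEnumeration='
          '"urn:oasis:names:tc:SAML:1.1:protocol"><md:AttributeService '
          'Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" '
          'Location="https://idp.example.org:8443/aa"/></md:AttributeAuthorityDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'entityID="{IDP}"><md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:1.1:protocol"/>{aa if with_aa else ""}'
            f'</md:EntityDescriptor>')

def attribute_state(assertion_xml):
    """Return 'none', 'empty' (an AttributeStatement with no Attribute) or 'pushed'."""
    stmts = list(ET.fromstring(assertion_xml).iter(SAML1 + "AttributeStatement"))
    if not stmts:
        return "none"
    if any(s.find(SAML1 + "Attribute") is None for s in stmts):
        return "empty"
    return "pushed"

def query_endpoints(metadata_xml, entity_id):
    """AttributeService locations advertised by the given entity, if any."""
    for ent in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            path = f"{MD}AttributeAuthorityDescriptor/{MD}AttributeService"
            return [svc.get("Location") for svc in ent.findall(path)]
    return []

def expected_sp_action(assertion_xml, metadata_xml):
    """Model of the fallback described in the thread, not the SP's real logic."""
    issuer = ET.fromstring(assertion_xml).get("Issuer")
    state = attribute_state(assertion_xml)
    if state != "none":
        return "use-pushed" if state == "pushed" else "invalid-assertion"
    return "soap-query" if query_endpoints(metadata_xml, issuer) else "no-query"
```
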




