SOAP SLO handler: what would it be used for?

Tom Scavo trscavo at gmail.com
Wed Apr 16 15:45:14 EDT 2014


On Wed, Apr 16, 2014 at 3:05 PM, Eric Goodman <Eric.Goodman at ucop.edu> wrote:
>
> With SAML1 artifact resolution, the attributes "query" is always preceded by an authentication event.

Artifact resolution and attribute query are two different things so
you need to rephrase that sentence :-) but I think I understand what
you're trying to say. You're claiming that a query is about a subject
who just authenticated at the IdP, or put another way, the SP uses the
<saml:Subject> asserted by the IdP in the SSO assertion. That's how
the IdP is able to resolve attributes about the subject.

Yes, you're right, although I wouldn't go quite so far as to say this
is a SAML1 vs. SAML2 thing. I think the protocol is mostly irrelevant.

> With SAML2 attribute queries, I thought the IdP could be used as a non-authenticating attribute authority (i.e., in a circumstance where there was no preceding authentication event). Is that not true?

Yes, the Shibboleth SP will issue a SimpleAggregation query:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeResolver#NativeSPAttributeResolver-SimpleAggregationAttributeResolver(Version2.2andAbove)

but I doubt that's used very much, so I still think a typical IdP
should avoid attribute query out of the chute and perhaps forever.

> I understand avoiding redundant queries is a good thing, but in the latter use case, it's not redundant.

That's true, but it's far from common. Moreover, the policy
implications are staggering so I don't expect this technique to become
popular any time soon. SimpleAggregation has its uses, though.

> I think Keith's point about ECP is valid, but I thought ECP still presumed a preceding authentication event.

ECP *is* about authentication.

> I'm calling it out since it's another place where disabling attribute queries would affect functionality (though perhaps an advanced and uncommon one).

Agreed.

> And I guess there's a difference between disabling attribute queries and listing the endpoint in the InCommon metadata...

Any metadata, you mean. You can remove the SAML2 AttributeService
endpoint from your IdP metadata and SPs will stop making redundant
queries even if you leave your configuration as-is. That's because
metadata drives the behavior of entities of course.

Tom
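
Added example, not part of the original message and not Shibboleth or InCommon code: a Python sketch of the metadata change described above, listing the SAML2 AttributeService endpoints an IdP advertises and removing them while leaving the SAML1 endpoint and the SSO role in place. The entityID and endpoint URLs in the sample metadata are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample metadata; entityID and URLs are placeholders.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol {SAML2_PROTOCOL}">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                      Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="{SAML2_SOAP}"
                      Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""


def saml2_attribute_services(metadata_xml):
    """Return (entityID, Location) for every advertised SAML2 AttributeService."""
    root = ET.fromstring(metadata_xml)
    path = "md:AttributeAuthorityDescriptor/md:AttributeService"
    return [(entity.get("entityID"), svc.get("Location"))
            for entity in root.iter(f"{{{MD}}}EntityDescriptor")
            for svc in entity.findall(path, NS)
            if svc.get("Binding") == SAML2_SOAP]


def strip_saml2_attribute_services(metadata_xml):
    """Return the metadata with SAML2 AttributeService endpoints removed."""
    ET.register_namespace("", MD)  # serialize with the metadata default namespace
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for aa in entity.findall("md:AttributeAuthorityDescriptor", NS):
            for svc in aa.findall("md:AttributeService", NS):
                if svc.get("Binding") == SAML2_SOAP:
                    aa.remove(svc)
            # The metadata schema requires at least one AttributeService in
            # this role, so drop the role entirely if none is left.
            if aa.find("md:AttributeService", NS) is None:
                entity.remove(aa)
    return ET.tostring(root, encoding="unicode")
```

Re-serializing the document invalidates any XML signature over it, so signed metadata has to be re-signed after the edit.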

