empty scope

Ian Young ian at iay.org.uk
Wed Aug 12 09:22:42 EDT 2015

> On 12 Aug 2015, at 14:01, Leif Johansson <leifj at sunet.se> wrote:
> On 2015-08-12 13:28, Ian Young wrote:
>>> On 12 Aug 2015, at 12:23, Leif Johansson <leifj at sunet.se> wrote:
>>> I recently ran into metadata that contained an empty Scope element
>>> (<shibmd:Scope/>). This should be legal according to the schema since
>>> the empty string is a valid xs:string but reasonably modern shib SP
>>> b0rks at it.
>>> It seems reasonable to not allow an empty scope but I can't find
>>> where it is explicitly disallowed in the Scope extensions spec.
>> The rule to apply is the general one saying that SAML elements can't be empty.
>>    -- Ian
> got a reference?

Core 1.3.1:

> 	• All SAML string values have the type xs:string, which is built in to the W3C XML Schema Datatypes
> 	• 277  specification [Schema2]. Unless otherwise noted in this specification or particular profiles, all strings in
> 	• 278  SAML messages MUST consist of at least one non-whitespace character (whitespace is defined in the
> 	• 279  XML Recommendation [XML] Section 2.3).

Yes, it says "in SAML messages" but this rule is taken to apply to metadata as well. Given infinite time, I'd probably suggest that as a candidate for the errata process; all the other type definitions refer to "SAML elements" or "SAML documents" and I think this was just an oversight. 

    -- Ian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5250 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150812/3deee460/attachment.p7s>

More information about the users mailing list