empty scope
Ian Young
ian at iay.org.uk
Wed Aug 12 09:22:42 EDT 2015
> On 12 Aug 2015, at 14:01, Leif Johansson <leifj at sunet.se> wrote:
>
> On 2015-08-12 13:28, Ian Young wrote:
>>
>>> On 12 Aug 2015, at 12:23, Leif Johansson <leifj at sunet.se> wrote:
>>>
>>> I recently ran into metadata that contained an empty Scope element
>>> (<shibmd:Scope/>). This should be legal according to the schema since
>>> the empty string is a valid xs:string but reasonably modern shib SP
>>> b0rks at it.
>>>
>>> It seems reasonable to not allow an empty scope but I can't find
>>> where it is explicitly disallowed in the Scope extensions spec.
>>
>> The rule to apply is the general one saying that SAML elements can't be empty.
>>
>> -- Ian
>
> got a reference?
Core 1.3.1:
> All SAML string values have the type xs:string, which is built in to the W3C XML Schema Datatypes
> specification [Schema2]. Unless otherwise noted in this specification or particular profiles, all strings in
> SAML messages MUST consist of at least one non-whitespace character (whitespace is defined in the
> XML Recommendation [XML] Section 2.3).
Yes, it says "in SAML messages" but this rule is taken to apply to metadata as well. Given infinite time, I'd probably suggest that as a candidate for the errata process; all the other type definitions refer to "SAML elements" or "SAML documents" and I think this was just an oversight.
-- Ian
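
An added example, not part of the original thread and not Shibboleth code: a check a metadata pipeline could run before publishing, flagging any shibmd:Scope element that breaks the Core 1.3.1 rule quoted above. The function name, entity IDs and sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"
XML_WHITESPACE = " \t\r\n"  # whitespace as defined in XML Recommendation, Section 2.3

# Constructed sample metadata; the entity IDs are placeholders, not real deployments.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.good.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">good.example</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.empty.example/idp">
    <md:Extensions><shibmd:Scope/></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.blank.example/idp">
    <md:Extensions><shibmd:Scope regexp="false">
    </shibmd:Scope></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def empty_scopes(metadata_xml):
    """Return (entityID, reason) for each shibmd:Scope lacking a non-whitespace character."""
    root = ET.fromstring(metadata_xml)
    findings = []
    # iter() also yields the root, so a lone EntityDescriptor document is handled too.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for scope in entity.iter(f"{{{SHIBMD_NS}}}Scope"):
            text = scope.text or ""
            if text == "":
                findings.append((entity.get("entityID"), "empty"))
            elif text.strip(XML_WHITESPACE) == "":
                findings.append((entity.get("entityID"), "whitespace-only"))
    return findings


if __name__ == "__main__":
    for entity_id, reason in empty_scopes(SAMPLE):
        print(f"reject {entity_id}: {reason} shibmd:Scope")
```

Schema validation alone will not catch these cases, since the empty string is a valid xs:string; the check has to be an explicit extra step.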