Null/Empty value encoding support for requested attribute (ref. saml-core-2.0 spec par. 2.7.3.1.1)

[Cantor, Scott]

On 9/19/19, 5:42 AM, "users on behalf of Diego Pietralunga" <users-bounces at shibboleth.net on behalf of diego.pietralunga at lepida.it> wrote:

> 1) Am I correct that Shibboleth IDP does not support this? If so, why?

I don't think it does and "why" is that it's a bad idea to start making weird distinctions like this, not handled by most SPs if we did, and nobody has asked.

> 2) Am I correct that this should be handled by an Encoder *only*, or
> there may be other things to take care of?

Attributes with zero values are gone by then. Attributes with null or empty values I think will still be present and available to an encoder if one chose to do something with them.

> 3) In case there is no direct IDP support (or viable workarounds) and we
> fulfill the requirement, should this be done by implementing some
> kind of... "Saml2NilFriendlyStringEncoder" and try to configure it to
> handle xsi:type="SAML2String" ?

If something isn't supported, then there has not been sufficient thought to answer a design question with a yes or no.

If you're a GARR member, they can file a request for support on your behalf or give you the ability to get support under that mechanism. I can't spend time for free to start diving into something like that.

> Can you give some suggestions, please?

Every day I listen to claims that SP A or B "can't" do something, most of which are flat out lies to mask an unwillingness to perform even basic job functions. This isn't a sensible design decision on the part of whoever's asking, so I'd move on and just tell them it isn't within the software's capabilities at present.

-- Scott