On Mon, Oct 25, 2010 at 10:51:42AM -0400, Scott Cantor wrote:
> > You can't say "some attributes may be missing." How inclusive do you
> > want to be? Does filtered by policy count as missing? Does network
> > unavailable count?
> >
> > I think you have to make a fairly specific statement.
>
> I would agree that it's quite difficult to decide whether to consider
> something a failure or not. In the case of the resolvers I support, which
> are SAML-query-based, I came down on the side of considering it a failure if
> I couldn't obtain a successful SAML response (which may still be empty), or
> if the response I did get violated local security policy altogether in some
> way.
I think "couldn't obtain a successful SAML response" is a reasonable
indication of transient failure.
As for "the response ... violated local security policy ...", I wonder
what sorts of local security policy that might be. It seems to me that
some such violations would not be indicative of transient failure but
of misconfiguration (local or remote); it would still indicate that
attributes may be missing (we don't know if the SAML response would be
empty had it passed local policy).
> I then added an option to populate a local attribute of choice with the
> error message(s) encountered.
>
> Possibly useful, but I don't think it's a generic solution or that it really
> makes denial rules a good idea.
I agree with the last half. In practice nothing we do is going to make
it possible to build applications that rely on DENY ACL entries.
However, this does not mean that federations couldn't agree to provide
some set of attributes that would then be useful in that way.
The distinction I'm drawing is between application development, where
the developer can't demand that federations agree to certain
conventions, versus actual federation deployment, where participants
likely can set up such conventions. It should be possible to develop
applications which don't require DENY ACL entries but which can use them
nonetheless in federations that agree to make that feasible.
Nico
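The ALLOW/DENY asymmetry the thread is circling, as an added example (Python, written for this page; it is not Shibboleth code and not from anyone on the thread). An ALLOW rule needs an attribute to be present, so it is safe to evaluate when attributes may be missing; a DENY rule grants access on the absence of a value, so it is only safe when the attribute set is known to be complete. The evaluator below takes the resolver outcome as an input and fails closed otherwise. The Resolution/Resolved/Rule names, the "marker attribute" convention (a federation agreeing that eduPersonPrincipalName is always released) and all sample data are this example's assumptions.

```python
"""ACL evaluation that distinguishes "attribute absent" from "attribute unknown".

Added example, not Shibboleth code. Status names and the marker-attribute
convention are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Resolution(Enum):
    """Outcome of the attribute resolver (this example's categories)."""
    COMPLETE = "complete"    # successful SAML response (possibly empty) that passed local policy
    TRANSIENT = "transient"  # no successful SAML response: network down, timeout, SOAP fault
    POLICY = "policy"        # response received but rejected by local security policy


@dataclass
class Resolved:
    attrs: dict                                  # attribute name -> set of values
    status: Resolution
    errors: list = field(default_factory=list)   # error text the resolver recorded


@dataclass(frozen=True)
class Rule:
    effect: str         # "allow" or "deny"
    attr: str
    values: frozenset   # the rule matches when the attribute carries any of these values

    def matches(self, attrs):
        return bool(attrs.get(self.attr, set()) & self.values)


def attrs_complete(res, markers=frozenset()):
    """True only if the resolver succeeded and every federation-agreed marker
    attribute (one the federation promises is always released) is present.
    Without such a convention an empty response is indistinguishable from a
    filtered one, so markers are how a deployment makes DENY rules feasible."""
    return res.status is Resolution.COMPLETE and all(m in res.attrs for m in markers)


def evaluate(rules, res, markers=frozenset()):
    """Return ("allow" | "deny", reason). DENY rules take precedence.

    If the attribute set cannot be trusted as complete, the mere presence of a
    DENY rule forces a deny (fail closed): we cannot show the denied value is
    absent rather than merely not received. ALLOW rules are evaluated as usual,
    because they can only grant on values that were actually received."""
    complete = attrs_complete(res, markers)
    for rule in (r for r in rules if r.effect == "deny"):
        if not complete:
            detail = "; ".join(res.errors) or "no details"
            return "deny", (f"DENY rule on {rule.attr} but attributes may be missing "
                            f"({res.status.value}: {detail})")
        if rule.matches(res.attrs):
            return "deny", f"DENY rule on {rule.attr} matched"
    for rule in (r for r in rules if r.effect == "allow"):
        if rule.matches(res.attrs):
            return "allow", f"ALLOW rule on {rule.attr} matched"
    return "deny", "no ALLOW rule matched"


# Constructed sample data; not taken from any real federation or deployment.
MARKERS = frozenset({"eduPersonPrincipalName"})   # assumed federation convention
RULES = (
    Rule("deny", "eduPersonEntitlement", frozenset({"urn:example:suspended"})),
    Rule("allow", "eduPersonAffiliation", frozenset({"member", "staff"})),
)
ALLOW_ONLY = (RULES[1],)


def scenarios():
    """Run the evaluator over the cases discussed in the thread."""
    ok = Resolved({"eduPersonPrincipalName": {"a@example.edu"},
                   "eduPersonAffiliation": {"member"}}, Resolution.COMPLETE)
    suspended = Resolved({"eduPersonPrincipalName": {"b@example.edu"},
                          "eduPersonAffiliation": {"member"},
                          "eduPersonEntitlement": {"urn:example:suspended"}}, Resolution.COMPLETE)
    down = Resolved({}, Resolution.TRANSIENT, ["connect timeout to AttributeQuery endpoint"])
    filtered = Resolved({"eduPersonAffiliation": {"member"}}, Resolution.COMPLETE)  # marker absent
    return {
        "complete_member": evaluate(RULES, ok, MARKERS)[0],
        "complete_suspended": evaluate(RULES, suspended, MARKERS)[0],
        "transient_with_deny": evaluate(RULES, down, MARKERS)[0],
        "marker_missing_with_deny": evaluate(RULES, filtered, MARKERS)[0],
        "marker_missing_allow_only": evaluate(ALLOW_ONLY, filtered, MARKERS)[0],
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision}")
```

The last scenario is the point of Nico's distinction: an application written with ALLOW rules only works whether or not the federation provides marker attributes, while the DENY rule only ever grants access once the deployment can prove the attribute set is complete.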