* Emmanuel Dreyfus <ma...@netbsd.org> [2018-05-24 11:01]:
> I see that metadata parser gets the attribute.required setting, but it
> does not seem to be used: I found no way to have the requested attribute
> from metadata automatically included in SAML assertions.
>
> Reading the source, I see attribute.required sets a isRequired flag,
> but I fail to see where it is used. Is it a missing feature, or just
> a configuration flag I missed?
The problem with isRequired="true" in SAML 2.0 Metadata is that it's
per RequestedAttribute element, and as such it cannot express commonly
needed things like: I require at least one of either foo or bar.
(In larger deployments IDPs and SPs will not all support all
attributes in use consistently, so being able to handle that potential
mismatch is essential -- but this cannot be done with standard SAML
2.0 metadata. In the academic world people have been using SAML
Entity Attributes instead, to signal attribute requirements, same with
the new OASIS SAML SubjectID Attributes Profile.)
I'm not arguing that SSP shouldn't be able to differentiate between
requested and requested+required attributes, but since this is much
less useful in practice than one would like it to be, it's an
understandable omission.
-peter
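To make the limitation Peter describes concrete, here is an added example (not code from the thread, from SimpleSAMLphp, or from any real deployment) that reads the RequestedAttribute elements of a constructed SP metadata fragment and checks a released attribute set against the per-element isRequired flags; the entityID, attribute selection and the `missing_any_of` helper are assumptions for illustration only.

```python
# Added example, not code from the thread or from SimpleSAMLphp: parse the
# RequestedAttribute elements of an SP's SAML 2.0 metadata and check a set
# of released attribute names against the per-attribute isRequired flags.
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata (hypothetical SP, not a real deployment).
# Both identifiers are flagged required because the SP really needs
# "at least one of eduPersonPrincipalName or mail", which the flag cannot say.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"
          FriendlyName="givenName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def requested_attributes(metadata_xml):
    """Map each RequestedAttribute Name to its isRequired flag.
    isRequired is optional in the schema and defaults to false."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(".//md:AttributeConsumingService", MD_NS)
    if acs is None:
        return {}
    return {
        ra.get("Name"): ra.get("isRequired", "false").lower() == "true"
        for ra in acs.findall("md:RequestedAttribute", MD_NS)
    }

def missing_required(metadata_xml, released):
    """Per-element check, the only one metadata can express: every Name
    flagged isRequired="true" must appear among the released names."""
    req = requested_attributes(metadata_xml)
    return sorted(n for n, flag in req.items() if flag and n not in released)

def missing_any_of(groups, released):
    """The 'at least one of' rule the SP actually wants. This has to live in
    SP configuration or an out-of-band signal, not in RequestedAttribute."""
    return [g for g in groups if not any(n in released for n in g)]
```

Releasing only eduPersonPrincipalName satisfies the SP's real requirement, yet the metadata-level check reports mail as missing because each flag is evaluated on its own.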