FYI
Forwarded message:
From: Nick Roy <nr...@internet2.edu>
To: Eric Goodman <Eric.G...@ucop.edu>
Cc: Pål Axelsson <p...@sunet.se>, Mikael Linden <mikael...@csc.fi>, Alan Buxey <alan....@myunidays.com>, Eskil Swahn <eskil...@ldc.lu.se>, assu...@lists.refeds.org
Subject: Re: [REFEDS assurance] saml2int and REFEDS Assurance Framework
Date: Tue, 15 Oct 2019 18:53:24 +0000
Does anyone think we need a wording change to SDP-G02 to make it clear that the limit is for each instance of an element or attribute, not combined?
Thanks,
Nick
On 15 Oct 2019, at 11:10, Eric Goodman wrote:
FWIW, this requirement was a corollary to the requirement in the implementation profile [1] that:
[IIP-G02] When specific constraints are absent in the SAML standards or profile documents, implementations MUST be able to accept, without error or truncation, element and attribute values of type xs:string that are comprised of any combination of valid XML characters and contain up to 256 characters. This requirement applies both to types defined within the SAML standards (such as transient and persistent NameIDs) and to user-defined types.
So I believe it’s as much reinforcing the need for implementations to consume larger attribute values as it is establishing the upper limit. (E.g., some implementations have had issues consuming ePPNs because of arbitrary 16 or 32 character limits).
--- Eric
[1] https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
From: assuranc...@lists.refeds.org <assuranc...@lists.refeds.org> On Behalf Of Pål Axelsson
Sent: Tuesday, October 15, 2019 4:22 AM
To: Mikael Linden <mikael...@csc.fi>; Alan Buxey <alan....@myunidays.com>; Eskil Swahn <eskil...@ldc.lu.se>
Cc: assu...@lists.refeds.org
Subject: Sv: [REFEDS assurance] saml2int and REFEDS Assurance Framework
Thanks Alan for the explanation. I understood it as the whole combined multi value attribute.
Pål
From: assuranc...@lists.refeds.org <assuranc...@lists.refeds.org> On Behalf Of Mikael Linden
Sent: 15 October 2019 11:31
To: 'Alan Buxey' <alan....@myunidays.com>; 'Eskil Swahn' <eskil...@ldc.lu.se>
Cc: assu...@lists.refeds.org
Subject: RE: [REFEDS assurance] saml2int and REFEDS Assurance Framework
I agree with Alan. None of the AttributeValue elements below (as presented by https://attribute-viewer.aai.switch.ch/) is near 256 characters.
mikael
---
<saml2:AttributeStatement>
  <saml2:Attribute
      FriendlyName="eduPersonAssurance"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>https://refeds.org/assurance/ID/no-eppn-reassign</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/profile/espresso</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/IAP/med</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/IAP/local-enterprise</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/ATP/ePA-1m</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/ATP/ePA-1d</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/ID/unique</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/IAP/high</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/profile/cappuccino</saml2:AttributeValue>
    <saml2:AttributeValue>https://refeds.org/assurance/IAP/low</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
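The per-instance reading discussed in this thread, as an added example (not part of any message here and not code from the Kantara profile): the check applies the 256-character limit to each AttributeValue and each XML attribute separately, and also reports the combined length, which for the ten quoted values exceeds 256 although no single value does. The function names and the `build_statement` helper are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
LIMIT = 256  # characters per instance, the limit discussed for SDP-G02
EPA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"  # eduPersonAssurance

# The ten eduPersonAssurance values quoted in the message above.
EPA_VALUES = ["https://refeds.org/assurance/" + s for s in (
    "ID/no-eppn-reassign", "profile/espresso", "IAP/med",
    "IAP/local-enterprise", "ATP/ePA-1m", "ATP/ePA-1d",
    "ID/unique", "IAP/high", "profile/cappuccino", "IAP/low")]


def build_statement(attrs):
    """Constructed helper: serialise {attribute Name: [values]} as XML."""
    prefix = "{%s}" % NS["saml2"]
    root = ET.Element(prefix + "AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(root, prefix + "Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, prefix + "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def check_statement(xml_text, limit=LIMIT):
    """Return one report per Attribute, applying the limit per instance."""
    reports = []
    for attr in ET.fromstring(xml_text).findall("saml2:Attribute", NS):
        lengths = [len(v.text or "")
                   for v in attr.findall("saml2:AttributeValue", NS)]
        reports.append({
            "name": attr.get("Name"),
            "max_value_len": max(lengths, default=0),
            # Shown only to contrast with the "combined" misreading.
            "combined_len": sum(lengths),
            "values_over_limit": [i for i, n in enumerate(lengths) if n > limit],
            # XML attribute values (Name, NameFormat, ...) are instances too.
            "xml_attributes_over_limit": sorted(
                k for k, v in attr.attrib.items() if len(v) > limit),
        })
    return reports


if __name__ == "__main__":
    for report in check_statement(build_statement({EPA_OID: EPA_VALUES})):
        print(report)
```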
From: assuranc...@lists.refeds.org [mailto:assuranc...@lists.refeds.org] On Behalf Of Alan Buxey
Sent: Tuesday, 15 October 2019 11:26
To: Eskil Swahn <eskil...@ldc.lu.se>
Cc: assu...@lists.refeds.org
Subject: Re: [REFEDS assurance] saml2int and REFEDS Assurance Framework
hi,
Tuesday morning naivety and lack of coffee here perhaps.... but aren't
all of those values encapsulated within their own
"<saml:AttributeValue> </saml:AttributeValue>" wrapper?
alan
https://github.com/KantaraInitiative/SAMLprofiles/pull/140
On 15 Oct 2019, at 13:18, Eskil Swahn wrote:
Well, a first shot would be to just add a few words to the sentence so it reads “Unless otherwise specified, deployments MUST limit the size of all element and attribute content they produce to a maximal size of 256 characters per instance of element or attribute.” perhaps.
With Kindest Regards
Eskil Swahn
IT Architect | LDC, Lund University
Margaretavägen 1A | SE-222 40 Lund
Phone: +46 46 222 13 23
ServiceDesk: +46 46 222 90 00
On 15 Oct 2019, at 21:14, Nick Roy <nr...@internet2.edu> wrote:
Agreed!
Contributions of suggested wording are always appreciated either as pull requests at https://github.com/KantaraInitiative/SAMLprofiles, issues opened there, or via email to wg...@kantarainitiative.org.
Best,
Nick
On 15 Oct 2019, at 13:12, Eskil Swahn wrote:
Hi,
This discussion is fairly clear evidence that the present wording is not clear. Far from being an expert on XML-parsing, I must say that even though I don’t in any way doubt Alan’s explanation, it is not clearly backed up by the original wording quoted by Pål. Doesn’t seem that hard to change the wording to make it clear that the max size of 256 characters is per value in a multi-value attribute either.
With Kindest Regards
Eskil Swahn
IT Architect | LDC, Lund University
Margaretavägen 1A | SE-222 40 Lund
Phone: +46 46 222 13 23
ServiceDesk: +46 46 222 90 00
I would be inclined to just s/all/each/
Unless otherwise specified, deployments MUST limit the size of each element and attribute content they produce to 256 characters.
Though “each attribute content” is an odd phrase; not sure if “content” is the right XML noun to use there with that construction.
--- Eric
From: Eskil Swahn <eskil...@ldc.lu.se>
Sent: Tuesday, October 15, 2019 12:57 PM
To: Nick Roy <nr...@internet2.edu>
Cc: Eric Goodman <Eric.G...@ucop.edu>; Pål Axelsson <p...@sunet.se>; Mikael Linden <mikael...@csc.fi>; Alan Buxey <alan....@myunidays.com>; assu...@lists.refeds.org; WG-FI <wg...@kantarainitiative.org>
Subject: Re: [REFEDS assurance] saml2int and REFEDS Assurance Framework
I did add “.. produce to a maximal size of 256 characters ..”.
Not sure whether you noticed it and didn’t agree or didn’t notice.. =)
Size of each element and content of each attribute?
Wordsmithing to death,
Keith
I’ve killed the PR pending some additional wording changes to be proposed by Scott Cantor. Current state is: https://github.com/KantaraInitiative/SAMLprofiles/commit/c42892c2179601f1180ff70a9f42e8d680b729f2
I see there is also a discussion on the REFEDS slack tenant. It would be helpful if all conversations related to this document stream could be directed to wg...@kantarainitiative.org.
Best,
Nick