[WG-FI] Fwd: [REFEDS assurance] saml2int and REFEDS Assurance Framework


Nick Roy

Oct 15, 2019, 3:07:46 PM
to WG-FI

FYI

Forwarded message:

From: Nick Roy <nr...@internet2.edu>
To: Eric Goodman <Eric.G...@ucop.edu>
Cc: Pål Axelsson <p...@sunet.se>, Mikael Linden <mikael...@csc.fi>, Alan Buxey <alan....@myunidays.com>, Eskil Swahn <eskil...@ldc.lu.se>, assu...@lists.refeds.org
Subject: Re: [REFEDS assurance] saml2int and REFEDS Assurance Framework
Date: Tue, 15 Oct 2019 18:53:24 +0000

Does anyone think we need a wording change to SDP-G02 to make it clear that the limit is for each instance of an element or attribute, not combined?

Thanks,

Nick

On 15 Oct 2019, at 11:10, Eric Goodman wrote:

FWIW, this requirement was a corollary to the requirement in the implementation profile [1] that:
[IIP-G02] When specific constraints are absent in the SAML standards or profile documents, implementations MUST be able to accept, without error or truncation, element and attribute values of type xs:string that are comprised of any combination of valid XML characters and contain up to 256 characters. This requirement applies both to types defined within the SAML standards (such as transient and persistent NameIDs) and to user-defined types.

So I believe it's as much reinforcing the need for implementations to consume larger attribute values as it is establishing the upper limit. (E.g., some implementations have had issues consuming ePPNs because of arbitrary 16 or 32 character limits.)

--- Eric
[1] https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
From: assuranc...@lists.refeds.org <assuranc...@lists.refeds.org> On Behalf Of Pål Axelsson
Sent: Tuesday, October 15, 2019 4:22 AM
To: Mikael Linden <mikael...@csc.fi>; Alan Buxey <alan....@myunidays.com>; Eskil Swahn <eskil...@ldc.lu.se>
Cc: assu...@lists.refeds.org
Subject: Re: [REFEDS assurance] saml2int and REFEDS Assurance Framework

Thanks Alan for the explanation. I understood it as the whole combined multi value attribute.
Pål

From: assuranc...@lists.refeds.org <assuranc...@lists.refeds.org> On Behalf Of Mikael Linden
Sent: 15 October 2019 11:31
To: 'Alan Buxey' <alan....@myunidays.com>; 'Eskil Swahn' <eskil...@ldc.lu.se>
Cc: assu...@lists.refeds.org
Subject: RE: [REFEDS assurance] saml2int and REFEDS Assurance Framework

I agree with Alan. None of the AttributeValue elements below (as presented by https://attribute-viewer.aai.switch.ch/) is near 256 characters.

mikael

---

    <saml2:AttributeStatement>
        <saml2:Attribute
           FriendlyName="eduPersonAssurance"
           Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>https://refeds.org/assurance/ID/no-eppn-reassign</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/profile/espresso</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/IAP/med</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/IAP/local-enterprise</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/ATP/ePA-1m</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/ATP/ePA-1d</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/ID/unique</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/IAP/high</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/profile/cappuccino</saml2:AttributeValue>
            <saml2:AttributeValue>https://refeds.org/assurance/IAP/low</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>

From: assuranc...@lists.refeds.org [mailto:assuranc...@lists.refeds.org] On Behalf Of Alan Buxey
Sent: Tuesday, 15 October 2019 11:26
To: Eskil Swahn <eskil...@ldc.lu.se>
Cc: assu...@lists.refeds.org
Subject: Re: [REFEDS assurance] saml2int and REFEDS Assurance Framework

hi,

Tuesday morning naivety and lack of coffee here perhaps.... but aren't
all of those values encapsulated within their own
"<saml:AttributeValue> </saml:AttributeValue>" wrapper?


alan

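Mikael's observation above (each value sits in its own AttributeValue element, and none of them is anywhere near 256 characters) can be turned into a check that makes the per-instance reading concrete. The following is an added example, not code from the thread, from saml2int or from the Kantara implementation profile. It uses only Python's standard xml.etree, rebuilds the posted eduPersonAssurance Attribute as a constructed sample, and all function and constant names are this example's own. It measures every XML attribute value and every element's text content separately, and also computes the length of all values taken together, which is the "whole combined multi-value attribute" reading, so the two interpretations can be compared on the same data.

```python
"""
Per-instance length check for SAML XML, following the reading of saml2int
SDP-G02 / IIP-G02 that the thread settles on: the 256-character ceiling applies
to each XML element's text content and each XML attribute's value separately,
not to a multi-valued SAML Attribute taken as a whole.

Added example, not code from the thread, saml2int or the Kantara implementation
profile. The sample is constructed from the eduPersonAssurance values Mikael
posted; the function and constant names are this example's own.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_CHARS = 256  # saml2int SDP-G02 / IIP-G02 ceiling, applied per instance
EPA_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"  # eduPersonAssurance

# Constructed sample values, copied from the attribute-viewer output above.
SAMPLE_VALUES = [
    "https://refeds.org/assurance/ID/no-eppn-reassign",
    "https://refeds.org/assurance/profile/espresso",
    "https://refeds.org/assurance/IAP/med",
    "https://refeds.org/assurance/IAP/local-enterprise",
    "https://refeds.org/assurance/ATP/ePA-1m",
    "https://refeds.org/assurance/ATP/ePA-1d",
    "https://refeds.org/assurance/ID/unique",
    "https://refeds.org/assurance/IAP/high",
    "https://refeds.org/assurance/profile/cappuccino",
    "https://refeds.org/assurance/IAP/low",
]


def build_sample(values=SAMPLE_VALUES, friendly_name="eduPersonAssurance"):
    """Wrap one multi-valued SAML Attribute in a minimal AttributeStatement
    so the fragment parses on its own (constructed, not a real assertion)."""
    body = "\n".join(
        f"    <saml2:AttributeValue>{v}</saml2:AttributeValue>" for v in values
    )
    return (
        f'<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">\n'
        f'  <saml2:Attribute FriendlyName="{friendly_name}"\n'
        f'                   Name="{EPA_NAME}"\n'
        '                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">\n'
        f"{body}\n"
        "  </saml2:Attribute>\n"
        "</saml2:AttributeStatement>"
    )


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.split("}")[-1]


def iter_string_instances(root):
    """Yield (location, value) for every separately limited string instance:
    the value of each XML attribute and the text content of each element.
    Tails (whitespace between elements) are not content and are skipped;
    leading/trailing whitespace around element text is stripped because
    pretty-printers such as the attribute viewer add it."""
    for index, elem in enumerate(root.iter()):
        tag = f"{_local(elem.tag)}[{index}]"
        for attr_name, attr_value in elem.attrib.items():
            yield f"{tag}/@{_local(attr_name)}", attr_value
        text = (elem.text or "").strip()
        if text:
            yield f"{tag}/text()", text


def check_lengths(xml_text, max_chars=MAX_CHARS):
    """Return [(location, length)] for each instance longer than max_chars.
    An empty list means the fragment is within the per-instance ceiling."""
    root = ET.fromstring(xml_text)
    return [
        (loc, len(val))
        for loc, val in iter_string_instances(root)
        if len(val) > max_chars
    ]


def combined_value_length(xml_text, saml_attr_name):
    """Total length of all AttributeValue texts of one SAML Attribute: the
    'whole multi-valued attribute' reading, computed for comparison only."""
    root = ET.fromstring(xml_text)
    total = 0
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") == saml_attr_name:
            for val in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
                total += len((val.text or "").strip())
    return total


if __name__ == "__main__":
    sample = build_sample()
    print("per-instance violations:", check_lengths(sample))
    print("combined length of all values:", combined_value_length(sample, EPA_NAME))
    too_long = build_sample(SAMPLE_VALUES + ["https://example.invalid/" + "x" * 300])
    print("with an over-long value:", check_lengths(too_long))
```

On the posted sample the per-instance check returns no violations while the combined length of the ten values is well over 256, which is exactly the gap between the two readings that caused the confusion. Because XML attribute values (Name, FriendlyName, NameFormat) are checked as their own instances, the same function also covers the "XML attribute" sense of the word rather than only the SAML Attribute.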

Nick Roy

Oct 15, 2019, 3:38:32 PM
to Eskil Swahn, WG-FI, Mikael Linden, Pål Axelsson, assu...@lists.refeds.org

https://github.com/KantaraInitiative/SAMLprofiles/pull/140

On 15 Oct 2019, at 13:18, Eskil Swahn wrote:

Well, a first shot would be to just add a few words to the sentence so it reads "Unless otherwise specified, deployments MUST limit the size of all element and attribute content they produce to a maximal size of 256 characters per instance of element or attribute.” perhaps.

With Kindest Regards

Eskil Swahn

IT Architect | LDC, Lund University
Margaretavägen 1A | SE-222 40 Lund
ServiceDesk: +46 46 222 90 00
On 15 Oct 2019, at 21:14, Nick Roy <nr...@internet2.edu> wrote:

Agreed!

Contributions of suggested wording are always appreciated either as pull requests at https://github.com/KantaraInitiative/SAMLprofiles, issues opened there, or via email to wg...@kantarainitiative.org. 

Best,

Nick

On 15 Oct 2019, at 13:12, Eskil Swahn wrote:

Hi,

This discussion is fairly clear evidence that the present wording is not clear. Far from being an expert on XML-parsing, I must say that even though I don’t in any way doubt Alan’s explanation, it is not clearly backed up by the original wording quoted by Pål. Doesn’t seem that hard to change the wording to make it clear that the max size of 256 characters is per value in a multi-value attribute either.

With Kindest Regards

Eskil Swahn

IT Architect | LDC, Lund University
Margaretavägen 1A | SE-222 40 Lund
ServiceDesk: +46 46 222 90 00

Walter Forbes Hoehn, Jr. (wassa)

Oct 15, 2019, 4:07:47 PM
to Nick Roy, WG-FI, Mikael Linden, Pål Axelsson, Eskil Swahn, assu...@lists.refeds.org
I think that any confusion in this regard stems from the ambiguity between SAML attributes and XML attributes. In general, we tried to resolve this in the implementation profile by referring to "XML attributes" whenever the interpretation of "attribute" seemed obscure. IIP-G02 could probably have benefitted from this approach, but the reference to xs:string seemed to obviate the need.

My suggestion would be that we make it clear that we are talking about content of type xs:string. As XML is hierarchical, the proposed phrase "per element or attribute" doesn't clarify to me the substance of the requirement.

-WFH
> _______________________________________________
> WG-FI mailing list
> WG...@kantarainitiative.org
> https://kantarainitiative.org/mailman/listinfo/wg-fi

Eric Goodman

Oct 15, 2019, 5:32:00 PM
to assu...@lists.refeds.org, WG-FI

I would be inclined to just s/all/each/
Unless otherwise specified, deployments MUST limit the size of each element and attribute content they produce to 256 characters.
Though “each attribute content” is an odd phrase; not sure if “content” is the right XML noun to use there with that construction.
--- Eric
From: Eskil Swahn <eskil...@ldc.lu.se>
Sent: Tuesday, October 15, 2019 12:57 PM
To: Nick Roy <nr...@internet2.edu>
Cc: Eric Goodman <Eric.G...@ucop.edu>; Pål Axelsson <p...@sunet.se>; Mikael Linden <mikael...@csc.fi>; Alan Buxey <alan....@myunidays.com>; assu...@lists.refeds.org; WG-FI <wg...@kantarainitiative.org>
Subject: Re: [REFEDS assurance] saml2int and REFEDS Assurance Framework
I did add “.. produce to a maximal size of 256 characters ..”.
Not sure whether you noticed it and didn’t agree or didn’t notice.. =)

Wessel, Keith

Oct 15, 2019, 5:35:35 PM
to Eric Goodman, assu...@lists.refeds.org, WG-FI

Size of each element and content of each attribute?
Wordsmithing to death,

Keith

Cantor, Scott

Oct 15, 2019, 6:50:26 PM
to Eric Goodman, WG-FI
My experience is that when maybe one or two people claim confusion, it's simpler to just answer the question outright and not wordsmith it over much.

> Unless otherwise specified, deployments MUST limit the size of
> each element and attribute content they produce to 256 characters.

...each XML element's and XML attribute's content they produce...

-- Scott

Eric Goodman

Oct 15, 2019, 7:28:12 PM
to Cantor, Scott, WG-FI
Works for me. Again, main point being "each" rather than "all", since it's more precise.

--- Eric

Wessel, Keith

Oct 15, 2019, 10:10:14 PM
to WG-FI
Agreed. It's easy to get carried away if you try to please all the people all the time. I'm happy with this. We'll touch base on the call tomorrow in case there's any other discussion, but it doesn't sound like there will be.

Keith


Nick Roy

Oct 16, 2019, 5:26:15 PM
to Wessel, Keith, WG-FI, assu...@lists.refeds.org

I’ve killed the PR pending some additional wording changes to be proposed by Scott Cantor. Current state is: https://github.com/KantaraInitiative/SAMLprofiles/commit/c42892c2179601f1180ff70a9f42e8d680b729f2

I see there is also a discussion on the REFEDS slack tenant. It would be helpful if all conversations related to this document stream could be directed to wg...@kantarainitiative.org.

Best,

Nick
