TAS3 network may contain various attribute authorities. Every
Identity Provider may act as an attribute authority by including
Problem with a push mechanism is knowing which attributes to push. A possible solution is for the Front End to express its attribute needs using a SAML extension, such as [Kellomaki08]. However, usually a better solution is to implement pull model Attribute Authority, i.e. the attribute authority is simply a web service.
There are several ways of implementing a data web service. [SAML2prof] specifies AttributeQuery protocol, but does not adequately specify the transport binding and peer authentication. TAS3 attribute authority SHOULD support [SAML2prof] AttributeQuery protocol using TAS3 SOAP binding, see section 2.3.2.
Other data web services, such as ID-DAP [IDDAP] over TAS3 SOAP binding, MAY be supported. A deployment may also make local or proprietary arrangements for accessing a non TAS3 attribute authority, e.g. using LDAP [RFC2251] or WebDAV with file containing attribute certificate or SAML attribute assertion.