[OGSA-AUTHZ] comments updates

Tom Scavo trscavo at gmail.com
Tue Nov 27 09:55:23 CST 2007 

On 11/27/07, Valerio Venturi <valerio.venturi at cnaf.infn.it> wrote:
> On Sun, 2007-11-25 at 22:01 -0500, Tom Scavo wrote:
> >
> > One thing that still bothers me is the language regarding the XACML
> > Attribute Profile in section 4.1.
>
> I think you're right. For example this would rule out SAML authorities
> releasing MACE-Dir attributes.

I'm glad you agree :-)

> The aim here is to facilitate integration with XACML Policy Decision
> Point, because when a SAML attribute is conformant to the XACML
> Attribute Profile, the SAML Profile for XACML says how to translate it
> to an XACML Attribute. Anyway, applications may want to use SAML
> attribute that aren't conformant to the XACML profile and define their
> rules for translating them.

Exactly.

> We can definitely relax the language, and
> may be use a conformance target here as well, so that consumers will
> know whether to expect something that they are sure to be able to
> translate or not.

There are two ways an SP can communicate its desire with respect to
attributes: in the AttributeQuery and via metadata.  For example, the
SP can indicate attribute requirements in the query itself, using
something like:

<saml:Attribute
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
  xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
  ldapprof:Encoding="LDAP"
  Name="urn:oid:2.5.4.42" FriendlyName="givenName"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

which tells the IdP to return the givenName attribute formatted
according to both the XACML Attribute Profile and the LDAP/X.500
Attribute Profile.  A query containing the previous Attribute element
results in an Attribute like the one listed in section 8.5.6 of the
SAML V2.0 Profiles spec:

http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

The other approach is to use SAML metadata.  See sections 3.8 and 4.6
of the Deployment Profiles:

http://wiki.oasis-open.org/security/SstcSaml2X509ProfilesDeploy

In particular, note the use of <md:AttributeProfile> in IdP metadata
and <saml:Attribute> in SP metadata.

So it seems the issue of attribute format is covered pretty well by
existing specs.  As far as I can tell, the OGSA Attribute Exchange
Profile requires no additional normative language regarding attribute
format.  However, it may want to call out the various possibilities as
described above.

Hope this helps,
Tom

More information about the ogsa-authz-wg mailing list