[OGSA-AUTHZ] VOMS Attribute Profile

David Chadwick d.w.chadwick at kent.ac.uk
Wed Nov 28 06:58:47 CST 2007


Hi Tom

We have already thought of this, and documented in the XACML profile how 
the various components of a VOMS FQAN are mapped into XACML attributes 
ready for passing to the PDP. The assumption is that the FQAN, which is 
simply a long string of various components, is passed by VOMS as one 
long string-based attribute with an attribute type of 
urn:oid:1.3.6.1.4.1.8005.100.100.4.

Have a look at the table in section 4.2.1 of the XACML profile for more 
details.

regards

David


Tom Scavo wrote:
> A relatively simple way to implement an Extended Mode X.509 Attribute
> Query/Responder or Extended Mode X.509 Attribute Self-Query/Responder
> (both server-side components) is to deploy a Shibboleth Attribute
> Resolver in front of a VOMS attribute store.  To do this, I would need
> to understand the VOMS schema (which I don't, but I assume I could
> look this up somewhere) but more importantly I'd need to know how to
> map a VOMS attribute to SAML.  We've talked about this some on this
> list, but my question is:  Is there a document that describes how to
> map a VOMS attribute to SAML?
> 
> I suspect there is no such thing, so it seems we need a VOMS Attribute
> Profile for SAML, that is, a document that shows how to map VOMS
> attributes to SAML attributes.  The structure of that profile would
> follow the attribute profiles in section 8 of the SAML V2.0 Profiles
> specification:
> 
> http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
> 
> At first I thought there should be a section on VOMS attributes in the
> OGSA Attribute Exchange Profile, but the more I think about it, the
> more I think it should be separate.
> 
> Thoughts?
> 
> Tom Scavo
> NCSA
> --
>   ogsa-authz-wg mailing list
>   ogsa-authz-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
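To make the mapping David describes concrete, here is an added example (not code from the thread, the XACML profile, or the VOMS project) that takes the single string-valued attribute VOMS emits under urn:oid:1.3.6.1.4.1.8005.100.100.4, splits the FQAN into its VO, group path, Role and Capability components, and renders them as XACML 2.0 subject attributes for a PDP. The FQAN syntax (/vo/group/.../Role=r/Capability=c, with NULL meaning "no value") and the XACML 2.0 context namespace are standard; the AttributeIds used for the decomposed components are placeholders, since the real ones live in the profile's section 4.2.1 table and are not quoted here. Malformed FQANs (empty path elements, a group name after Role=, a repeated Role=) are rejected rather than partially mapped, which is the behaviour you want in front of a PDP.

```python
"""Map a VOMS FQAN string to XACML 2.0 subject attributes.

Added illustration for the OGSA-AUTHZ thread; not the profile's own code.
"""
import re
import xml.etree.ElementTree as ET

# Attribute type under which VOMS passes the whole FQAN as one string (from the thread).
FQAN_ATTRIBUTE_ID = "urn:oid:1.3.6.1.4.1.8005.100.100.4"

# ASSUMED placeholder AttributeIds for the decomposed components; the real
# identifiers are defined in section 4.2.1 of the XACML profile.
COMPONENT_IDS = {
    "vo": "urn:example:voms:vo",
    "group": "urn:example:voms:group",
    "role": "urn:example:voms:role",
    "capability": "urn:example:voms:capability",
}

XACML_CONTEXT_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

# A group name: non-empty, no whitespace, no '/' and no '='.
_GROUP_NAME = re.compile(r"^[^\s/=]+$")


def parse_fqan(fqan):
    """Split '/vo/group/.../Role=r/Capability=c' into its components.

    Returns {"vo", "group", "role", "capability"}; role/capability are None
    when absent or given as NULL. Raises ValueError on malformed input.
    """
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    parts = fqan.split("/")[1:]
    if not parts or parts[0] == "":
        raise ValueError("FQAN must name a VO")

    # Leading elements without '=' form the group path; the first is the VO.
    groups = []
    i = 0
    while i < len(parts) and "=" not in parts[i]:
        if not _GROUP_NAME.match(parts[i]):
            raise ValueError("bad group element %r" % parts[i])
        groups.append(parts[i])
        i += 1

    role = capability = None
    for part in parts[i:]:
        key, sep, value = part.partition("=")
        if sep != "=" or value == "":
            raise ValueError("group element %r after Role/Capability" % part)
        if key == "Role" and role is None:
            role = value
        elif key == "Capability" and capability is None:
            capability = value
        else:
            raise ValueError("unexpected or repeated element %r" % part)

    # VOMS writes Role=NULL / Capability=NULL when there is no value.
    return {
        "vo": groups[0],
        "group": "/" + "/".join(groups),
        "role": None if role == "NULL" else role,
        "capability": None if capability == "NULL" else capability,
    }


def fqan_to_xacml_subject(fqan):
    """Build a <Subject> carrying the raw FQAN plus its decomposed components."""
    comps = parse_fqan(fqan)
    subject = ET.Element("{%s}Subject" % XACML_CONTEXT_NS)

    def add(attr_id, value):
        attr = ET.SubElement(subject, "{%s}Attribute" % XACML_CONTEXT_NS,
                             AttributeId=attr_id, DataType=XSD_STRING)
        ET.SubElement(attr, "{%s}AttributeValue" % XACML_CONTEXT_NS).text = value

    add(FQAN_ATTRIBUTE_ID, fqan)          # the attribute exactly as VOMS sent it
    for key, attr_id in COMPONENT_IDS.items():
        if comps[key] is not None:        # omit absent Role/Capability entirely
            add(attr_id, comps[key])
    return subject


def render(fqan):
    """Serialise the subject attributes as an XML string."""
    ET.register_namespace("xacml-context", XACML_CONTEXT_NS)
    return ET.tostring(fqan_to_xacml_subject(fqan), encoding="unicode")


if __name__ == "__main__":
    # Constructed sample FQAN, not taken from any real VOMS server.
    print(render("/atlas/production/Role=lcgadmin/Capability=NULL"))
```

The raw FQAN is kept alongside the decomposed values so a policy can match either the whole string (as the profile assumes VOMS delivers it) or an individual component such as the Role.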

