[OGSA-AUTHZ] VO SAML Attribute Profile

Tom Scavo trscavo at gmail.com
Mon Feb 4 01:18:36 CST 2008


On Jan 17, 2008 3:33 AM, Krzysztof Benedyczak <golbi at mat.uni.torun.pl> wrote:
> Tom Scavo wrote:
> >
> > <saml:Attribute
> >   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >   xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
> >   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
> >   ldapprof:Encoding="LDAP"
> >   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >   Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
> >   FriendlyName="isMemberOf">
> >   <saml:AttributeValue
> >     xsi:type="xs:string">voName:group</saml:AttributeValue>
> >   <saml:AttributeValue
> >     xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
> > </saml:Attribute>
> >
> > Using this notation, a group name is simply a URN.
>
> I don't think it is a URN - no 'urn:' prefix, no NSS part (which should
> determine syntactic rules for the tail). Also, it clearly offends the
> RFC on this point:
> "Global uniqueness: The same URN will never be assigned to two
> different resources".
>
> Of course I agree that interoperability with software like Grouper
> is desirable. But apart from that, do we have any other reasons for making
> it a URN?

Of course you're right, Krzysztof.  I didn't quite take the example
far enough.  Since I wrote the above example, however, I've had a
change of heart.  Maybe a URL is easier to deal with than a URN.
Consider the following deployment scenario involving a (real) VO,
groups, and roles.

Suppose, for example, UIUC and UIowa jointly offer a graduate-level
geography course (GEOG 602) to advanced undergraduate and graduate
students at both institutions.  The first semester this joint course
is offered, it is agreed that the GISolve gateway (VO name:
http://gisolve.org) deployed at UIUC will support all students taking
the course.  Consequently, each student is obliged to obtain a GISolve
gateway account at http://www.gisolve.org/.

Now it turns out that the GISolve gateway proxies grid requests to a
resource provider (RP) on the back end.  To distinguish grid requests
originating from the two groups of users (uiuc.edu and uiowa.edu), the
RP (hosted by NCSA at UIUC) requires isMemberOf attributes with one of
the following values:

http://gisolve.org/uiuc.edu/geog602
http://gisolve.org/uiowa.edu/geog602

To further distinguish requests, the gateway and RP together define
roles (faculty, student, admin, etc.) that are appended to the
relevant isMemberOf attribute values using familiar URL notation.  For
example, to distinguish between students at each of the two
institutions, the following attribute values are defined:

http://gisolve.org/uiuc.edu/geog602#student
http://gisolve.org/uiowa.edu/geog602#student

Attribute values such as these have a number of desirable properties.
First of all, the VO already owns the namespace, so globally unique
attribute values are immediately available.  Moreover, URLs are easily
parsed by most languages, so processing is a snap.

Does anyone see a downside to such a naming scheme?

Tom
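The following is an added example illustrating the URL-style isMemberOf scheme proposed in the post above; it is not code from the OGSA-AUTHZ working group or from the GISolve project. It extracts the values of an isMemberOf <saml:Attribute> (constructed here after the one quoted in the thread), decomposes each value into VO authority, group path and role (the URL fragment), and makes the check a relying party would actually need: a value is only honoured if it lies under the namespace of the VO the RP trusts, since any other URL is a different authority's namespace and proves nothing. The VO name gisolve.org, the group paths and the role names come from the post; the third sample value (other-vo.example), the function names and the data model are this example's own assumptions.

```python
"""Parse and check URL-style isMemberOf values such as
http://gisolve.org/uiuc.edu/geog602#student.

Added example, not code from the OGSA-AUTHZ working group or GISolve.
VO name, group paths and role names follow the post; the sample attribute,
function names and the GroupRef model are this example's assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ISMEMBEROF_NAME = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"   # eduPerson isMemberOf, as in the thread

# Constructed sample, modelled on the attribute quoted in the thread.
# The third value is deliberately outside gisolve.org's namespace.
SAMPLE_ATTRIBUTE = """<saml:Attribute
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
  FriendlyName="isMemberOf">
  <saml:AttributeValue xsi:type="xs:string">http://gisolve.org/uiuc.edu/geog602</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">http://gisolve.org/uiuc.edu/geog602#student</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">http://other-vo.example/uiuc.edu/geog602#admin</saml:AttributeValue>
</saml:Attribute>"""


@dataclass(frozen=True)
class GroupRef:
    vo: str                   # authority owning the namespace, e.g. "gisolve.org"
    path: Tuple[str, ...]     # group path, e.g. ("uiuc.edu", "geog602")
    role: Optional[str]       # URL fragment, e.g. "student"; None for plain membership


def parse_group_value(value: str, trusted_vo: str) -> GroupRef:
    """Decompose one value; raise ValueError unless it lies in trusted_vo's namespace."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not an http(s) URL: {value!r}")
    # Host names are case-insensitive.  Userinfo or a port would change the
    # authority, so compare the whole netloc, not just the hostname.
    if parts.netloc.lower() != trusted_vo.lower():
        raise ValueError(f"not issued under VO {trusted_vo}: {value!r}")
    if parts.query:
        raise ValueError(f"query strings have no meaning here: {value!r}")
    # Dropping empty segments makes ".../geog602" and ".../geog602/" the same group.
    path = tuple(seg for seg in parts.path.split("/") if seg)
    if not path:
        raise ValueError(f"no group path: {value!r}")
    return GroupRef(parts.netloc.lower(), path, parts.fragment or None)


def extract_ismemberof(attribute_xml: str) -> List[str]:
    """Return the string values of every isMemberOf <saml:Attribute> in the fragment."""
    root = ET.fromstring(attribute_xml)
    values: List[str] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ISMEMBEROF_NAME:
            continue
        for v in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((v.text or "").strip())
    return values


def partition_values(values: Sequence[str], trusted_vo: str):
    """Split values into parsed references under trusted_vo and raw values rejected."""
    accepted: List[GroupRef] = []
    rejected: List[str] = []
    for value in values:
        try:
            accepted.append(parse_group_value(value, trusted_vo))
        except ValueError:
            rejected.append(value)   # another authority's namespace: log it, never trust it
    return accepted, rejected


def holds_role(refs: Sequence[GroupRef], path: Sequence[str], role: Optional[str]) -> bool:
    """True if some accepted value names exactly this group path and role (None = bare membership)."""
    wanted = tuple(path)
    return any(ref.path == wanted and ref.role == role for ref in refs)


if __name__ == "__main__":
    accepted, rejected = partition_values(extract_ismemberof(SAMPLE_ATTRIBUTE), "gisolve.org")
    print("accepted:", *accepted, sep="\n  ")
    print("rejected:", rejected)
    print("uiuc student?", holds_role(accepted, ("uiuc.edu", "geog602"), "student"))
    print("uiowa student?", holds_role(accepted, ("uiowa.edu", "geog602"), "student"))
```

The namespace check is the part that matters for the "VO already owns the namespace" argument: uniqueness only buys authorization if the RP refuses values whose authority is not the VO it trusts, otherwise any attribute authority could assert http://gisolve.org/... values of its own. Note also that the fragment is a plain string, so "#student" and "#Student" are different roles; a deployment should fix the case convention for roles just as DNS fixes it for the host part.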