[OGSA-AUTHZ] VO SAML Attribute Profile

Tom Scavo trscavo at gmail.com
Sun Jan 13 19:31:35 CST 2008


Hi Valerio,

Thanks for writing up this profile.  I would call it a "VOMS Attribute
Profile for SAML V2.0," but regardless of the title, I think it's
ultimately a very important document for VOMS-SAML interoperability.

Your profile diverges from existing SAML profiles and conventions in a
number of important ways.  I'll highlight just a few of these
distinctions in the comments below:

- I could be wrong, but I believe what you call a "VO" corresponds to
an instance of VOMS, in which case membership in a VO (example 8.1) is
akin to a Shibboleth AA asserting an attribute called
eduPersonScopedAffiliation:

<saml:Attribute
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
  ldapprof:Encoding="LDAP"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
  FriendlyName="eduPersonScopedAffiliation">
  <saml:AttributeValue
    xsi:type="xs:string">member@voName</saml:AttributeValue>
</saml:Attribute>

The above attribute satisfies three existing profiles:

1. X.500/LDAP Attribute Profile for SAML V2.0
2. XACML Attribute Profile for SAML V2.0
3. MACE-Dir Attribute Profile for SAML 2.0

The first two are specified in [SAML2Prof] while the latter is found here:

http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attributes-latest.pdf

Conformance to the MACE-Dir Attribute Profile is important for
interoperability, I think.

(By the way, if I'm right, and VOMS is analogous to a Shibboleth AA,
then every VOMS instance needs a unique identifier called an entityID.
This entityID must be a URI (not a DN), otherwise the Grid SP can not
use SAML metadata.)

- In 2005, MACE-Dir-Groups
(http://middleware.internet2.edu/dir/groups/) specified a LDAP
representation of the isMemberOf attribute:

http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html

So, your example 8.2 can be expressed as follows:

<saml:Attribute
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
  ldapprof:Encoding="LDAP"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
  FriendlyName="isMemberOf">
  <saml:AttributeValue
    xsi:type="xs:string">voName:group</saml:AttributeValue>
  <saml:AttributeValue
    xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
</saml:Attribute>

Here, the group hierarchy is denoted with colons (not slashes), which
agrees with Grouper (the follow-on project to MACE-Dir-Groups):

http://grouper.internet2.edu/

Using this notation, a group name is simply a URN.

One last comment and I'll stop and let you respond.  I would try to
avoid defining a scope attribute for the <AttributeValue> element.  As
you'll see in the MACE-Dir Attribute Profile, Shibboleth defined a
Scope attribute early on, an unfortunate incident that the project
regrets to this day.  Indeed, much of their profile exists solely to
work around this legacy Scope attribute.  Even though your proposed
scope attribute is namespace qualified, it strikes me as a step
backward.

Tom
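The mapping the mail sketches, as an added example that is not code from the original message, from VOMS or from Shibboleth: it emits the eduPersonScopedAffiliation and isMemberOf attributes in the form shown above, then checks a received attribute against the constraints of the three cited profiles, refusing the per-value scope attribute the mail warns against and accepting only a URI entityID. It assumes VOMS groups arrive as slash-delimited paths under the VO ("/voName/group/subgroup"); the VO name, group paths, entityIDs and the http://example.org/hypothetical namespace are constructed sample data, and everything uses only the Python standard library.

```python
"""
Added example, not code from the original mail, from VOMS or from Shibboleth:
emit the two MACE-Dir attributes proposed above for a VO membership and a group
hierarchy, then check a received attribute against the three cited profiles.
The VO name, group paths and entityIDs used here are constructed sample data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "xacmlprof": "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML",
    "ldapprof": "urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

XS = "http://www.w3.org/2001/XMLSchema"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EPSA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"        # eduPersonScopedAffiliation
ISMEMBEROF_OID = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def group_urn(vo_name, group_path):
    """VOMS-style '/voName/group/sub' -> 'voName:group:sub' (colons, not slashes).
    The path must sit under the VO that asserts it."""
    parts = [p for p in group_path.split("/") if p]
    if not parts or parts[0] != vo_name:
        raise ValueError("group %r is not under VO %r" % (group_path, vo_name))
    return ":".join(parts)

def make_attribute(oid, friendly_name, values):
    """Serialize a <saml:Attribute> that satisfies the X.500/LDAP, XACML and
    MACE-Dir profiles at once: uri NameFormat, urn:oid Name, LDAP encoding
    marker, XACML DataType, xs:string typed values."""
    attr = ET.Element(q("saml", "Attribute"), {
        "xmlns:xs": XS,  # declared by hand: the prefix only appears inside xsi:type
        q("xacmlprof", "DataType"): XS + "#string",
        q("ldapprof", "Encoding"): "LDAP",
        "NameFormat": URI_FORMAT,
        "Name": oid,
        "FriendlyName": friendly_name,
    })
    for value in values:
        av = ET.SubElement(attr, q("saml", "AttributeValue"), {q("xsi", "type"): "xs:string"})
        av.text = value
    return ET.tostring(attr, encoding="unicode")

def vo_attributes(vo_name, group_paths):
    """VO membership -> eduPersonScopedAffiliation 'member@vo'; each group ->
    one isMemberOf value. Returns the two serialized attributes."""
    affiliation = make_attribute(EPSA_OID, "eduPersonScopedAffiliation", ["member@" + vo_name])
    groups = make_attribute(ISMEMBEROF_OID, "isMemberOf",
                            [group_urn(vo_name, p) for p in group_paths])
    return affiliation, groups

def check_attribute(xml_text):
    """SP-side check of a received attribute: enforce the profile constraints and
    refuse a per-value scope attribute, the legacy Shibboleth construct the mail
    advises against. Returns (FriendlyName, [values])."""
    attr = ET.fromstring(xml_text)
    if attr.tag != q("saml", "Attribute"):
        raise ValueError("not a saml:Attribute")
    if attr.get("NameFormat") != URI_FORMAT:
        raise ValueError("NameFormat must be the uri format")
    if not attr.get("Name", "").startswith("urn:oid:"):
        raise ValueError("Name must be an urn:oid URI")
    if attr.get(q("xacmlprof", "DataType")) != XS + "#string":
        raise ValueError("xacmlprof:DataType must be xs:string")
    if attr.get(q("ldapprof", "Encoding")) != "LDAP":
        raise ValueError("ldapprof:Encoding must be LDAP")
    values = []
    for av in attr.findall("saml:AttributeValue", NS):
        if any(k.rsplit("}", 1)[-1].lower() == "scope" for k in av.attrib):
            raise ValueError("scope attribute on AttributeValue is not allowed")
        values.append(av.text or "")
    return attr.get("FriendlyName"), values

def parse_scoped_affiliation(value):
    """'member@voName' -> ('member', 'voName'); both halves are required."""
    affiliation, sep, scope = value.partition("@")
    if not sep or not affiliation or not scope:
        raise ValueError("not a scoped value: %r" % value)
    return affiliation, scope

def valid_entity_id(entity_id):
    """SAML metadata needs a URI entityID; a DN such as '/C=IT/CN=voms' is not one."""
    parsed = urlparse(entity_id)
    return bool(parsed.scheme) and (parsed.scheme == "urn" or bool(parsed.netloc))

# Constructed counter-example: the scope moved out of the value into a
# namespace-qualified attribute (hypothetical namespace), as the mail warns against.
LEGACY_SCOPED_XML = make_attribute(EPSA_OID, "eduPersonScopedAffiliation", ["member"]).replace(
    'xsi:type="xs:string"',
    'xsi:type="xs:string" xmlns:ex="http://example.org/hypothetical" ex:scope="voName"')
```

Calling vo_attributes("voName", ["/voName/group", "/voName/group/subgroup"]) produces the two attributes from the mail, and feeding either back through check_attribute round-trips the values; LEGACY_SCOPED_XML is rejected by the scope check even though every other profile constraint is met.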

On Jan 4, 2008 5:55 AM, Valerio Venturi <valerio.venturi at cnaf.infn.it> wrote:
>
> Attached is a doc version.
>
> Valerio
>
>
> Valerio Venturi wrote:
> > Hi,
> > following (with an embarrassing delay) Tom Scavo's mail on defining a
> > SAML profile for VOMS attributes, I'm posting a document Krzysztof
> > Benedyczak and I were editing with initial thoughts on the matter.
> > I'm not uploading it to gridforge until it's more complete than it is
> > now.
> > If the issue raises interest and we manage to agree on a document, we may
> > ask Blair and DavidG about a possible recommendification, though I think
> > that not being in the current charter makes it difficult. Let's see, the
> > discussion is anyway useful.
> >
> > I profit to wish everybody a nice holiday.
> >
> > Valerio
> >
>
>
> --
>   ogsa-authz-wg mailing list
>   ogsa-authz-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>