[OGSA-AUTHZ] VO SAML Attribute Profile

Krzysztof Benedyczak golbi at mat.uni.torun.pl
Thu Jan 17 02:33:25 CST 2008


Hello Tom,

Just two notes as in principle I agree with all comments Valerio has 
already made.

Tom Scavo wrote:
> So, your example 8.2 can be expressed as follows:
> 
> <saml:Attribute
>   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>   xmlns:xs="http://www.w3.org/2001/XMLSchema"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
>   xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
>   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
>   ldapprof:Encoding="LDAP"
>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>   Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
>   FriendlyName="isMemberOf">
>   <saml:AttributeValue
>     xsi:type="xs:string">voName:group</saml:AttributeValue>
>   <saml:AttributeValue
>     xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
> </saml:Attribute>
> 
> Here, the group hierarchy is denoted with colons (not slashes), which
> agrees with Grouper (the follow-on project to MACE-Dir-Groups):
> 
> http://grouper.internet2.edu/
> 
> Using this notation, a group name is simply an URN.

I don't think it is a URN - there is no 'urn:' prefix and no NSS part (which 
should determine the syntactic rules for the tail). Also it clearly offends 
the RFC on this point:
"Global uniqueness: The same URN will never be assigned to two
different resources".

Of course I agree that interoperability with software like Grouper is 
desirable. But apart from that, do we have any other reasons for making 
it a URN?


> One last comment and I'll stop and let you respond.  I would try to
> avoid defining a scope attribute for the <AttributeValue> element.  As
> you'll see in the MACE-Dir Attribute Profile, Shibboleth defined a
> Scope attribute early on, an unfortunate incident that the project
> regrets to this day.  Indeed, much of their profile exists solely to
> work around this legacy Scope attribute.  Even though your proposed
> scope attribute is namespace qualified, it strikes me as a step
> backward.
Can you elaborate on this a little bit more? I think it is the most 
important and difficult topic in the case of the discussed profile.
Do you suggest dropping the scope information altogether, or encoding it 
in a different way or in a different place?
Can you also give more details on why it was so "unfortunate" for MACE-Dir? 
We obviously don't want to repeat the same mistake.

Best regards,
Krzysztof
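The two technical questions in this exchange are how a relying party reads the isMemberOf attribute Tom sketched, and whether values like "voName:group" are syntactically URNs. The following is an added example, not code from the thread or from the OGSA-AUTHZ profile: it parses that <saml:Attribute> fragment (the sample is constructed from the quoted mail, with saml/xs/xsi namespace declarations added so it stands alone), rejects anything that is not the isMemberOf attribute in URI name format, splits the colon-separated group hierarchy Tom proposed, and checks each value against the URN syntax of RFC 2141 ("urn:" NID ":" NSS), which is the check this example assumes the thread's "the RFC" refers to. The function names and the strictness of the checks are the example's own choices.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML_NS}

# eduPerson isMemberOf (urn:oid:1.3.6.1.4.1.5923.1.5.1.1), as in the quoted mail.
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: the <saml:Attribute> from the quoted mail, with the
# saml/xs/xsi namespace declarations added so the fragment parses on its own.
SAMPLE_ATTRIBUTE = """<saml:Attribute
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
  ldapprof:Encoding="LDAP"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
  FriendlyName="isMemberOf">
  <saml:AttributeValue xsi:type="xs:string">voName:group</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
</saml:Attribute>"""

# RFC 2141 syntax: "urn:" NID ":" NSS. NID is 1..32 letters/digits/hyphens,
# must not start with a hyphen, and the NID "urn" itself is reserved. NSS is
# drawn from the <trans>/<other>/<reserved> sets, with %xx escapes allowed.
_URN_RE = re.compile(
    r"^urn:(?!urn:)[a-z0-9][a-z0-9-]{0,31}:"
    r"(?:[a-z0-9()+,\-.:=@;$_!*'/?#]|%[0-9a-f]{2})+$",
    re.IGNORECASE,
)


def is_urn(value: str) -> bool:
    """True if value is syntactically a URN under RFC 2141."""
    return _URN_RE.match(value) is not None


def is_member_of_values(attribute_xml: str) -> list[str]:
    """Return the string values of an isMemberOf <saml:Attribute>.

    Raises ValueError when the element is not the attribute the profile
    expects (wrong Name or NameFormat) or a value is not typed as a string,
    so a relying party never silently accepts a differently named attribute.
    """
    elem = ET.fromstring(attribute_xml)
    if elem.tag != f"{{{SAML_NS}}}Attribute":
        raise ValueError(f"not a saml:Attribute: {elem.tag}")
    if elem.get("Name") != IS_MEMBER_OF or elem.get("NameFormat") != URI_NAME_FORMAT:
        raise ValueError("not an isMemberOf attribute with URI name format")
    values = []
    for av in elem.findall("saml:AttributeValue", NS):
        xsi_type = av.get(f"{{{XSI_NS}}}type", "")
        if xsi_type.split(":")[-1] != "string":
            raise ValueError(f"unexpected xsi:type {xsi_type!r}")
        values.append((av.text or "").strip())
    return values


def split_group(value: str) -> tuple[str, list[str]]:
    """Split 'voName:group:subgroup' into ('voName', ['group', 'subgroup'])."""
    vo, *path = value.split(":")
    if not vo or any(not p for p in path):
        raise ValueError(f"malformed group name {value!r}")
    return vo, path


def classify(attribute_xml: str) -> dict[str, bool]:
    """Map each membership value in the attribute to whether it is a URN."""
    return {v: is_urn(v) for v in is_member_of_values(attribute_xml)}


if __name__ == "__main__":
    for value, urn in classify(SAMPLE_ATTRIBUTE).items():
        vo, path = split_group(value)
        print(f"{value!r}: vo={vo} path={path} urn={urn}")
```

Run as a script it reports both sample values with urn=False, which is the point Krzysztof makes above: without a "urn:" prefix and a registered NID, the colon-delimited group name is a plain string, whatever its resemblance to a URN. The Name/NameFormat and xsi:type checks are there because a relying party that keys authorization on isMemberOf should fail closed on an attribute that merely looks similar.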



