[OGSA-AUTHZ] VO SAML Attribute Profile

Krzysztof Benedyczak golbi at mat.uni.torun.pl
Sun Jan 20 05:46:51 CST 2008 

Chad La Joie wrote:
> 
> Krzysztof Benedyczak wrote:
>>> - In section 4.1, if you really want that kind of syntax you *may* 
>>> want to define a special schema type for that encoding, something 
>>> along the lines of (regexp could be made more precise):
>>>
>>> <xsd:simpleType name="groupQualifiedString">
>>>     <xsd:restriction type="xsd:string">
>>>        <xsd:pattern value=".+@(/.+)*" />
>>>     <xsd:restriction>
>>> </xsd:simpleType>
>>>
>> Of course - however this pattern depends on the details that weren't 
>> fully agreed (example: do we use this syntax only for roles or other 
>> attributes too? If so empty values may be permitted before @ what 
>> influences the pattern).
>>
>> I have another remark here. The initial aim of attributes encoded in the 
>> '@' fashion was to simplify creation of XACML policies, with 
>> requirements for an attribute in a group scope. Having a simple string 
>> as a value isn't enough when we use a non-standard XACML DataType (i.e. 
>> it will require also a non-standard comparison function). So I'd like to 
>> change the requirement for DataType to be a '...#string' here, what in 
>> turn requires the schema of the attribute value to be 'xsd:string'.
>>
>> What do you think?
> 
> Yeah, the only way you can really do this type of encoding is over 
> string data types.  Depending on what you mean by "requires the schema 
> of the attribute value to be 'xsd:string'" that may or may not be 
> correct.  The type certainly has to be an instance of xsd:string, but it 
> could done like the schema fragment I had.  The "groupQualifiedString" 
> type is still an "xsd:string".
> 
My concern was about SAML XACML profile. Exactly p. 8.5.4:
"The syntax of the <AttributeValue> element's content MUST correspond to 
the data type expressed in the profile-specific DataType XML attribute 
appearing in the parent <Attribute> element. For data types 
corresponding to the types defined in Section 3.3 of [Schema2], the 
xsi:type XML attribute SHOULD also be used on the <AttributeValue> 
element(s)."

I was not sure if it will be all right with this profile to put 
"DataType=...#string" and xsi:type="restrictedString". But probably it 
was my misinterpretation and then the proposed schema is fine.


>>> - Definitely agree that the encoding method described in section 4.2 
>>> should be dumped for the reasons given in other responses.
>> So here is the most significant problem for me. I'm not going to reduce 
>> functionality of the service because there exist poor clients which can 
>> produce error on SAML response from my service. And I need a way to 
>> encode arbitrary type of value which is group scoped (e.g. a XML value).
>>
>> One solution I can see is to limit the VO attributes profile to 
>> enumerated attributes only (group, VO, role) which are well established, 
>> have common sense and we can enforce the common encoding for them.
>>
>> Then the only way for a client to get attributes with the scope encoded 
>> as in 4.2 would be to ask for all attributes or for all values of some 
>> attribute.
>>
>> Is it fine for you? Or maybe other suggestions?
> 
> My concerns here are not with the clients that can't support it, but the 
> ones who crash because of it.  I would also not include something in the 
> spec unless you're actually going to use it in the spec.
Frankly I don't understand the last sentence. Can you explain it, please?

Best regards,
Krzysztof

More information about the ogsa-authz-wg mailing list