[OGSA-AUTHZ] checkpointing the discussion on VO attributes
Tom Scavo
trscavo at gmail.com
Mon Jan 21 17:50:11 CST 2008

Hi Krzysztof,

On Jan 21, 2008 6:15 PM, Krzysztof Benedyczak <golbi at mat.uni.torun.pl> wrote:
> Valerio Venturi wrote:
>
> > There were concerns about Tom's proposal to use Grouper to express
> > groups, specifically about the contents being a URN. Anyway, the
> > specification doesn't mandate them to be URN, it recommends to use URIs
> > if uniqueness is to be achieved.
>
> Please excuse me if I'm totally wrong here. By no means am I a
> Grouper (or Signet) expert.
> From what I recall, in Grouper groups are expressed as
> [grp1]:[subgrp2]:..., and stems as it was proposed: stem1:stem2:...
> Anyway Grouper doesn't publish this information directly by means of
> SAML but indirectly, e.g. through LDAP using ldappc and then via Shib IdP.
>
> If I'm right here then the ':' instead of '/' as delimiter gives us
> little advantage and we can stick to quite popular and for me more
> intuitive VOMS syntax.
> If I'm wrong then probably we should change to ':'.

You're correct. I was thinking there might be some benefit to specify
groups as URNs, but there doesn't seem to be any justification in
that.

> In any case we must clearly define syntax of a group name (e.g.
> currently our service does allow for ':' in it) and comparison rules (such as
> case sensitivity).

Why not use the naming and comparison rules of the SAML Basic
Attribute? (See sections 8.1.2 and 8.1.2.1 of [SAML2Prof].) No need
to reinvent the wheel here.

Tom