[OGSA-AUTHZ] checkpointing the discussion on VO attributes
Krzysztof Benedyczak
golbi at mat.uni.torun.pl
Mon Jan 21 18:10:28 CST 2008
Hello Tom,
Tom Scavo wrote:
> Hi Krzysztof,
>
> On Jan 21, 2008 6:15 PM, Krzysztof Benedyczak <golbi at mat.uni.torun.pl> wrote:
>> Valerio Venturi wrote:
>>
>>> There were concerns about Tom's proposal to use Grouper to express
>>> groups, specifically about the contents being a URN. Anyway, the
>>> specification doesn't mandate them to be URNs; it recommends using URIs
>>> if uniqueness is to be achieved.
>> Please excuse me if I'm totally wrong here. By no means am I a
>> Grouper (or Signet) expert.
>> From what I recall, in Grouper groups are expressed as
>> [grp1]:[subgrp2]:..., and stems as it was proposed: stem1:stem2:...
>> Anyway Grouper doesn't publish this information directly by means of
>> SAML but indirectly, e.g. through LDAP using ldappc and then via Shib IdP.
>>
>> If I'm right here then ':' instead of '/' as the delimiter gives us
>> little advantage and we can stick to the quite popular and, for me, more
>> intuitive VOMS syntax.
>> If I'm wrong then probably we should change to ':'.
>
> You're correct. I was thinking there might be some benefit to specify
> groups as URNs, but there doesn't seem to be any justification in
> that.
Great, so I guess we have one more issue resolved.
>> In any case we must clearly define the syntax of a group name (e.g.
>> currently our service does allow ':' in it) and the comparison rules (such
>> as case sensitivity).
>
> Why not use the naming and comparison rules of the SAML Basic
> Attribute? (See sections 8.1.2 and 8.1.2.1 of [SAML2Prof].) No need
> to reinvent the wheel here.
In the case of the SAML attribute's name you are of course right. But I was
thinking about the SAML attribute's *value* (the group's name in this case).
E.g. is '/Vo1/gr::#?>' legal or not?
Krzysztof
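As an added example that is not from this thread or from Grouper, VOMS or the OGSA-AuthZ draft, the Python below shows what "defining the syntax and comparison rules" of a group-name value amounts to in code. The grammar (absolute '/'-delimited path, components limited to letters, digits, '-', '_', '.') and the case rule are assumptions chosen for the example; with them, a value like '/Vo1/gr::#?>' has a definite answer, and the same pair of names compares differently under different rules.

```python
import re

# Assumed grammar (an assumption for this example, not something the thread
# defines): a group name is an absolute '/'-delimited path with at least one
# component; each component is non-empty and uses only letters, digits,
# '-', '_' and '.'. Anything else, including ':', is rejected.
_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_group(name: str) -> list[str]:
    """Return the components of a valid group name, or raise ValueError."""
    if not name.startswith("/"):
        raise ValueError(f"group name must start with '/': {name!r}")
    parts = name[1:].split("/")
    for part in parts:
        if not _COMPONENT.match(part):   # also rejects empty components
            raise ValueError(f"illegal component {part!r} in {name!r}")
    return parts


def is_valid_group(name: str) -> bool:
    try:
        parse_group(name)
        return True
    except ValueError:
        return False


def grouper_to_voms(path: str) -> str:
    """Translate a Grouper-style 'grp:subgrp:...' path into the assumed
    '/grp/subgrp/...' form, validating the result on the way."""
    name = "/" + "/".join(path.split(":"))
    parse_group(name)
    return name


def groups_equal(a: str, b: str, case_sensitive: bool = True) -> bool:
    """Compare two group names under an explicit comparison rule. The
    answer depends on the rule, which is why the rule has to be specified."""
    pa, pb = parse_group(a), parse_group(b)
    if not case_sensitive:
        pa, pb = [p.lower() for p in pa], [p.lower() for p in pb]
    return pa == pb


if __name__ == "__main__":
    print(is_valid_group("/Vo1/gr::#?>"))                     # False
    print(groups_equal("/Vo1/Admins", "/vo1/admins"))         # False
    print(groups_equal("/Vo1/Admins", "/vo1/admins", False))  # True
```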