Hi Valerio,

Thanks for writing up this profile. I would call it a "VOMS Attribute Profile for SAML V2.0," but regardless of the title, I think it's ultimately a very important document for VOMS-SAML interoperability.

Your profile diverges from existing SAML profiles and conventions in a number of important ways. I'll highlight just a few of these distinctions in the comments below:

- I could be wrong, but I believe what you call a "VO" corresponds to an instance of VOMS, in which case membership in a VO (example 8.1) is akin to a Shibboleth AA asserting an attribute called eduPersonScopedAffiliation:

  <saml:Attribute
      xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
      xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
      xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
      ldapprof:Encoding="LDAP"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
      FriendlyName="eduPersonScopedAffiliation">
    <saml:AttributeValue xsi:type="xs:string">member@voName</saml:AttributeValue>
  </saml:Attribute>

  The above attribute satisfies three existing profiles:

  1. X.500/LDAP Attribute Profile for SAML V2.0
  2. XACML Attribute Profile for SAML V2.0
  3. MACE-Dir Attribute Profile for SAML 2.0

  The first two are specified in [SAML2Prof] while the latter is found here:
  http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attri...

  Conformance to the MACE-Dir Attribute Profile is important for interoperability, I think.

  (By the way, if I'm right, and VOMS is analogous to a Shibboleth AA, then every VOMS instance needs a unique identifier called an entityID. This entityID must be a URI (not a DN), otherwise the Grid SP cannot use SAML metadata.)

- In 2005, MACE-Dir-Groups (http://middleware.internet2.edu/dir/groups/) specified an LDAP representation of the isMemberOf attribute:
  http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membe...
  So, your example 8.2 can be expressed as follows:

  <saml:Attribute
      xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
      xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
      xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
      ldapprof:Encoding="LDAP"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
      FriendlyName="isMemberOf">
    <saml:AttributeValue xsi:type="xs:string">voName:group</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
  </saml:Attribute>

  Here, the group hierarchy is denoted with colons (not slashes), which agrees with Grouper (the follow-on project to MACE-Dir-Groups):
  http://grouper.internet2.edu/

  Using this notation, a group name is simply a URN.

One last comment and I'll stop and let you respond. I would try to avoid defining a scope attribute for the <AttributeValue> element. As you'll see in the MACE-Dir Attribute Profile, Shibboleth defined a Scope attribute early on, an unfortunate incident that the project regrets to this day. Indeed, much of their profile exists solely to work around this legacy Scope attribute. Even though your proposed scope attribute is namespace qualified, it strikes me as a step backward.

Tom

On Jan 4, 2008 5:55 AM, Valerio Venturi <valerio.venturi@cnaf.infn.it> wrote:
Attached is a doc version.
Valerio
Valerio Venturi wrote:
Hi, following (with an embarrassing delay) Tom Scavo's mail on defining a SAML profile for VOMS attributes, I'm posting a document Krzysztof Benedyczak and I were editing with initial thoughts on the matter. I'm not uploading it to gridforge until it's more complete than it is now. If the issue raises interest and we manage to agree on a document, we may ask Blair and DavidG about a possible recommendification, though I think that not being in the current charter makes it difficult. Let's see, the discussion is useful anyway.
I take this opportunity to wish everybody a nice holiday.
Valerio
--
ogsa-authz-wg mailing list
ogsa-authz-wg@ogf.org
http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
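As an added example (not part of the thread, the VOMS profile, or any of the projects mentioned), the Python below emits the colon-delimited MACE-Dir isMemberOf attribute discussed in Tom's message from VOMS-style slash-delimited group paths, and shows the consuming side accepting only an attribute carrying that OID and the URI name format. The function names, the sample group paths and the extra xmlns:xs declaration (needed because the element is serialized on its own, outside an assertion) are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
XACMLPROF_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
LDAPPROF_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
IS_MEMBER_OF_OID = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # MACE-Dir isMemberOf
for prefix, uri in (("saml", SAML_NS), ("xsi", XSI_NS),
                    ("xacmlprof", XACMLPROF_NS), ("ldapprof", LDAPPROF_NS)):
    ET.register_namespace(prefix, uri)

def voms_group_to_mace(group_path):
    # '/voName/group/subgroup' -> 'voName:group:subgroup' (colons, as in Grouper)
    parts = [p for p in group_path.split("/") if p]
    if not parts or any(":" in p for p in parts):
        raise ValueError("bad VOMS group path: %r" % group_path)
    return ":".join(parts)

def build_is_member_of(group_paths):
    # Serialize the isMemberOf <saml:Attribute> in the LDAP/XACML/MACE-Dir form
    attr = ET.Element("{%s}Attribute" % SAML_NS, {
        "{%s}DataType" % XACMLPROF_NS: XS_NS + "#string",
        "{%s}Encoding" % LDAPPROF_NS: "LDAP",
        "NameFormat": URI_NAME_FORMAT,
        "Name": IS_MEMBER_OF_OID,
        "FriendlyName": "isMemberOf",
        "xmlns:xs": XS_NS,  # binds the xs: prefix used in xsi:type (assumption)
    })
    for path in group_paths:
        value = ET.SubElement(attr, "{%s}AttributeValue" % SAML_NS,
                              {"{%s}type" % XSI_NS: "xs:string"})
        value.text = voms_group_to_mace(path)
    return ET.tostring(attr, encoding="unicode")

def parse_is_member_of(xml_text):
    # Consumer side: accept only a MACE-Dir isMemberOf attribute, return its groups
    attr = ET.fromstring(xml_text)
    if (attr.tag != "{%s}Attribute" % SAML_NS or attr.get("Name") != IS_MEMBER_OF_OID
            or attr.get("NameFormat") != URI_NAME_FORMAT):
        raise ValueError("not a MACE-Dir isMemberOf attribute")
    groups = []
    for value in attr.findall("{%s}AttributeValue" % SAML_NS):
        text = (value.text or "").strip()
        if not text or "/" in text:  # hierarchy must be colon-delimited, not slashes
            raise ValueError("malformed group name: %r" % text)
        groups.append(text)
    return groups
```

With the constructed paths /voName/group and /voName/group/subgroup, build_is_member_of yields the two-valued attribute from example 8.2 above, and parse_is_member_of rejects an eduPersonScopedAffiliation attribute because its OID differs.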