On 11/27/07, Valerio Venturi <valerio.venturi@cnaf.infn.it> wrote:
On Sun, 2007-11-25 at 22:01 -0500, Tom Scavo wrote:
One thing that still bothers me is the language regarding the XACML Attribute Profile in section 4.1.
I think you're right. For example this would rule out SAML authorities releasing MACE-Dir attributes.
I'm glad you agree :-)
The aim here is to facilitate integration with XACML Policy Decision Point, because when a SAML attribute is conformant to the XACML Attribute Profile, the SAML Profile for XACML says how to translate it to an XACML Attribute. Anyway, applications may want to use SAML attribute that aren't conformant to the XACML profile and define their rules for translating them.
Exactly.
We can definitely relax the language, and may be use a conformance target here as well, so that consumers will know whether to expect something that they are sure to be able to translate or not.
There are two ways an SP can communicate its desire with respect to attributes: in the AttributeQuery and via metadata. For example, the SP can indicate attribute requirements in the query itself, using something like: <saml:Attribute xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML" xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string" xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP" ldapprof:Encoding="LDAP" Name="urn:oid:2.5.4.42" FriendlyName="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> which tells the IdP to return the givenName attribute formatted according to both the XACML Attribute Profile and the LDAP/X.500 Attribute Profile. A query containing the previous Attribute element results in an Attribute like the one listed in section 8.5.6 of the SAML V2.0 Profiles spec: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf The other approach is to use SAML metadata. See sections 3.8 and 4.6 of the Deployment Profiles: http://wiki.oasis-open.org/security/SstcSaml2X509ProfilesDeploy In particular, note the use of <md:AttributeProfile> in IdP metadata and <saml:Attribute> in SP metadata. So it seems the issue of attribute format is covered pretty well by existing specs. As far as I can tell, the OGSA Attribute Exchange Profile requires no additional normative language regarding attribute format. However, it may want to call out the various possibilities as described above. Hope this helps, Tom