Hello Tom,

Just two notes, as in principle I agree with all the comments Valerio has already made.

Tom Scavo wrote:

> So, your example 8.2 can be expressed as follows:
>
> <saml:Attribute xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
>                 xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
>                 xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
>                 ldapprof:Encoding="LDAP"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>                 Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
>                 FriendlyName="isMemberOf">
>   <saml:AttributeValue xsi:type="xs:string">voName:group</saml:AttributeValue>
>   <saml:AttributeValue xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
> </saml:Attribute>
>
> Here, the group hierarchy is denoted with colons (not slashes), which agrees with Grouper (the follow-on project to MACE-Dir-Groups):
>
> Using this notation, a group name is simply a URN.
I don't think it is a URN: no 'urn:' prefix, no NSS part (which should determine the syntactic rules for the tail). Also, it clearly offends the RFC on this point: "Global uniqueness: The same URN will never be assigned to two different resources". Of course I agree that interoperability with software like Grouper is desirable. But apart from that, do we have any other reasons for making it a URN?
> One last comment and I'll stop and let you respond. I would try to avoid defining a scope attribute for the <AttributeValue> element. As you'll see in the MACE-Dir Attribute Profile, Shibboleth defined a Scope attribute early on, an unfortunate incident that the project regrets to this day. Indeed, much of their profile exists solely to work around this legacy Scope attribute. Even though your proposed scope attribute is namespace qualified, it strikes me as a step backward.

Can you elaborate on this a little bit more? I think it is the most important and difficult topic in the case of the discussed profile. Do you suggest dropping scope information altogether, or encoding it in a different way or in a different place? Can you also give more details on why it was so "unfortunate" for MACE-Dir? We obviously don't want to repeat the same mistake.
Best regards, Krzysztof
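As an added illustration of the URN question raised in this exchange (example code, not part of the original thread or of any profile), the following parses a saml:Attribute like the isMemberOf one quoted above, splits the colon-delimited group hierarchy, and checks each value against the RFC 2141 URN syntax ("urn:" NID ":" NSS); the sample XML is constructed here, with namespace declarations added so it parses stand-alone.

```python
"""Extract group values from a saml:Attribute and check whether they are URNs."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample mirroring the isMemberOf attribute quoted in the thread.
SAMPLE = """<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
  <saml:AttributeValue xsi:type="xs:string">voName:group</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
</saml:Attribute>"""

# RFC 2141: "urn:" then a NID (1-32 chars, letters/digits/hyphen, no leading
# hyphen), then ":" and a non-empty NSS. The scheme is case-insensitive.
URN_RE = re.compile(r"^urn:[A-Za-z0-9][A-Za-z0-9-]{0,31}:\S+$", re.IGNORECASE)


def is_urn(value):
    """True if the value is syntactically a URN; the NID 'urn' is reserved."""
    if not URN_RE.match(value):
        return False
    nid = value.split(":")[1].lower()
    return nid != "urn"


def attribute_values(xml_text):
    """Return (Name, [values]) from a saml:Attribute element."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Attribute" % SAML_NS:
        raise ValueError("not a saml:Attribute element")
    values = [v.text or "" for v in root.findall("{%s}AttributeValue" % SAML_NS)]
    return root.get("Name"), values


def group_path(value):
    """Split a colon-delimited group name into its hierarchy (Grouper style)."""
    parts = value.split(":")
    if any(p == "" for p in parts):
        raise ValueError("empty component in group name: %r" % value)
    return parts


def classify(xml_text):
    """Map each group value to its hierarchy and whether it is a URN."""
    _, values = attribute_values(xml_text)
    return {v: {"urn": is_urn(v), "path": group_path(v)} for v in values}
```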