Hello Tom,

Tom Scavo wrote:
> Hi Krzysztof,
>
> On Jan 21, 2008 6:15 PM, Krzysztof Benedyczak <golbi@mat.uni.torun.pl> wrote:
>> Valerio Venturi wrote:
>>> There were concerns about Tom's proposal to use Grouper to express groups, specifically about the contents being a URN. Anyway, the specification doesn't mandate them to be URN, it recommends to use URIs if uniqueness is to be achieved.
>>
>> Please excuse me if I'll be totally wrong here. By any means I'm not a Grouper (or Signet) expert. From what I recall, in Grouper groups are expressed as [grp1]:[subgrp2]:..., and stems as it was proposed: stem1:stem2:... Anyway Grouper doesn't publish this information directly by means of SAML but indirectly, e.g. through LDAP using ldappc and then via Shib IdP.
>>
>> If I'm right here then the ':' instead of '/' as delimiter gives us little advantage and we can stick to the quite popular and for me more intuitive VOMS syntax. If I'm wrong then probably we should change to ':'.
>
> You're correct. I was thinking there might be some benefit to specify groups as URNs, but there doesn't seem to be any justification in that.

Great, so I guess we have one more issue resolved.

>> In any case we must clearly define the syntax of a group name (e.g. currently our service does allow for ':' in it) and comparison rules (such as case sensitivity).
>
> Why not use the naming and comparison rules of the SAML Basic Attribute? (See sections 8.1.2 and 8.1.2.1 of [SAML2Prof].) No need to reinvent the wheel here.

In case of SAML attribute's name you are of course right. But I was thinking about SAML attribute's *value* (group's name in this case). E.g. is '/Vo1/gr::#?>' legal or not.

Krzysztof