Some comments on OGSA Attribute Exchange Profile v1.0 - not much to say on this as the document is largely based on referring to other specs.

Cheers, R.

--
Professor Richard O. Sinnott
Technical Director
National e-Science Centre
University of Glasgow, Glasgow G12 8QQ
Tel: +44-(0)141-330-8606 Fax: -8625 Mob: 0795-2376627
Email: r.sinnott@nesc.gla.ac.uk

Hi Richard,

All your comments are understood (and appreciated!) except the one labeled "ros2". What is your specific comment regarding these standard SAML namespaces and namespace prefixes?

Thanks,
Tom

On 11/20/07, Richard Sinnott <r.sinnott@nesc.gla.ac.uk> wrote:
> Some comments on OGSA Attribute Exchange Profile v1.0 - not much to say on this as the document is largely based on referring to other specs.
>
> Cheers, R.

-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg

This section has strange formatting for me - actually it appears as a collection of musical notes (semi-quavers etc). It is probably just a font which my Windows XP laptop doesn't have and it is improvising (badly)?

R.

-----Original Message-----
From: Tom Scavo [mailto:trscavo@gmail.com]
Sent: 20 November 2007 16:50
To: Richard Sinnott
Cc: OGSA AUTHZ WG
Subject: Re: [OGSA-AUTHZ] comments updates

Hi Richard,

All your comments are understood (and appreciated!) except the one labeled "ros2". What is your specific comment regarding these standard SAML namespaces and namespace prefixes?

Thanks,
Tom

Ah, I see. FYI, I have a Windows XP laptop and it views fine. I see the problem, however. The table is formatted in a little-used font, which apparently your laptop doesn't have. The solution is to change the font to something more mainstream, like Courier New.

Thanks,
Tom

On 11/20/07, Richard Sinnott <r.sinnott@nesc.gla.ac.uk> wrote:
> This section has strange formatting for me - actually it appears as a collection of musical notes (semi-quavers etc).
> It is probably just a font which my Windows XP laptop doesn't have and it is improvising (badly)?
>
> R.

Richard,

I've responded to your comments by drafting a new version of the document, thanks. Version 1.1 of the OGSA Attribute Exchange Profile is attached. I also took the opportunity to add some comments and wording changes of my own.

One thing that still bothers me is the language regarding the XACML Attribute Profile in section 4.1. I think the language is too strong, but I left it as it is for the time being, until this has been discussed.

Tom Scavo
NCSA

On 11/20/07, Tom Scavo <trscavo@gmail.com> wrote:
> Ah, I see. FYI, I have a Windows XP laptop and it views fine. I see the problem, however. The table is formatted in a little-used font, which apparently your laptop doesn't have. The solution is to change the font to something more mainstream, like Courier New.
>
> Thanks, Tom

On Sun, 2007-11-25 at 22:01 -0500, Tom Scavo wrote:
> Richard, I've responded to your comments by drafting a new version of the document, thanks. Version 1.1 of the OGSA Attribute Exchange Profile is attached. I also took the opportunity to add some comments and wording changes of my own.
>
> One thing that still bothers me is the language regarding the XACML Attribute Profile in section 4.1. I think the language is too strong, but I left it as it is for the time being, until this has been discussed.

I think you're right. For example this would rule out SAML authorities releasing MACE-Dir attributes. The aim here is to facilitate integration with XACML Policy Decision Point, because when a SAML attribute is conformant to the XACML Attribute Profile, the SAML Profile for XACML says how to translate it to an XACML Attribute. Anyway, applications may want to use SAML attributes that aren't conformant to the XACML profile and define their rules for translating them. We can definitely relax the language, and maybe use a conformance target here as well, so that consumers will know whether to expect something that they are sure to be able to translate or not.

Valerio

On 11/27/07, Valerio Venturi <valerio.venturi@cnaf.infn.it> wrote:
> On Sun, 2007-11-25 at 22:01 -0500, Tom Scavo wrote:
> > One thing that still bothers me is the language regarding the XACML Attribute Profile in section 4.1.
>
> I think you're right. For example this would rule out SAML authorities releasing MACE-Dir attributes.

I'm glad you agree :-)

> The aim here is to facilitate integration with XACML Policy Decision Point, because when a SAML attribute is conformant to the XACML Attribute Profile, the SAML Profile for XACML says how to translate it to an XACML Attribute. Anyway, applications may want to use SAML attributes that aren't conformant to the XACML profile and define their rules for translating them.

Exactly.

> We can definitely relax the language, and maybe use a conformance target here as well, so that consumers will know whether to expect something that they are sure to be able to translate or not.

There are two ways an SP can communicate its desire with respect to attributes: in the AttributeQuery and via metadata. For example, the SP can indicate attribute requirements in the query itself, using something like:

    <saml:Attribute
        xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
        xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
        xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
        ldapprof:Encoding="LDAP"
        Name="urn:oid:2.5.4.42"
        FriendlyName="givenName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

which tells the IdP to return the givenName attribute formatted according to both the XACML Attribute Profile and the LDAP/X.500 Attribute Profile. A query containing the previous Attribute element results in an Attribute like the one listed in section 8.5.6 of the SAML V2.0 Profiles spec:

http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

The other approach is to use SAML metadata. See sections 3.8 and 4.6 of the Deployment Profiles:

http://wiki.oasis-open.org/security/SstcSaml2X509ProfilesDeploy

In particular, note the use of <md:AttributeProfile> in IdP metadata and <saml:Attribute> in SP metadata.

So it seems the issue of attribute format is covered pretty well by existing specs. As far as I can tell, the OGSA Attribute Exchange Profile requires no additional normative language regarding attribute format. However, it may want to call out the various possibilities as described above.

Hope this helps,
Tom

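As an added illustration (not part of the original message or of any OGSA or OASIS document), the following Python sketch shows how an attribute consumer could sort received SAML attributes into those it can turn into XACML attributes mechanically and those that need application-defined rules, which is the distinction discussed in the thread. The sample statement, the `classify` function, the simplified conformance check and the Name-to-AttributeId mapping are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACMLPROF = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: one attribute carrying the XACML profile markers shown
# in the message above, and one (eduPersonAffiliation) that carries none.
# Real assertions must be signature-verified and parsed with a hardened XML
# parser before their attribute values are trusted; this sketch skips that.
SAMPLE = f"""
<saml:AttributeStatement xmlns:saml="{SAML}" xmlns:xacmlprof="{XACMLPROF}">
  <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"
      NameFormat="{URI_FORMAT}"
      xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
    <saml:AttributeValue>Steven</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      FriendlyName="eduPersonAffiliation" NameFormat="{URI_FORMAT}">
    <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def classify(statement_xml):
    """Split attributes into (translatable, needs_local_rule).

    Simplified check assumed for this example: a URI NameFormat plus an
    explicit xacmlprof:DataType marks an attribute as translatable.
    """
    translatable, needs_local_rule = [], []
    root = ET.fromstring(statement_xml)
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("Name")
        data_type = attr.get(f"{{{XACMLPROF}}}DataType")
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        if attr.get("NameFormat") == URI_FORMAT and data_type:
            # Assumed mapping: Name -> AttributeId, DataType carried over.
            translatable.append(
                {"AttributeId": name, "DataType": data_type, "values": values})
        else:
            needs_local_rule.append(name)
    return translatable, needs_local_rule

if __name__ == "__main__":
    ok, local = classify(SAMPLE)
    print("translatable:", ok)
    print("needs application-defined rule:", local)
```
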
participants (3)
- Richard Sinnott
- Tom Scavo
- Valerio Venturi