Grouper Users - Open Discussion List

[Keith Hazelton <>]

Takeshi,

urn's using attribute-def naming are a legacy of SAML 1.1 days.

For SAML 2, the URN oid namespace is used, so the attribute with the friendly name "isMemberOf" is represented by "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" per its definition in "LDAP representations of membership in groups" (http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html )

The applicable SAML 2 document is "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0"

found at: https://docs.google.com/viewer?url="http%3A%2F%2Fdocs.oasis-open.org%2Fsecurity%2Fsaml%2Fv2.0%2Fsaml-profiles-2.0-os.pdf

Refer to section 8.2.2 (beginning on page 51):

"8.2.2 SAML Attribute Naming

The NameFormat XML attribute in <Attribute> elements MUST be

urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

To construct attribute names, the URN oid namespace described in IETF RFC 3061 [RFC3061] is used.

In this approach the Name XML attribute is based on the OBJECT IDENTIFIER assigned to the directory

attribute type.

Example:

urn:oid:2.5.4.3

Since X.500 procedures require that every attribute type be identified with a unique OBJECT IDENTIFIER,

this naming scheme ensures that the derived SAML attribute names are unambiguous."

          Hope that helps,  --Keith Hazelton

___________

On Nov 21, 2011, at 7:24 PM, Takeshi NISHIMURA wrote:

Hi all,

Just a quick question.

https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth

          name="urn:mace:dir:attribute-def:isMemberOf" />

Is this a registered URN for isMemberOf?
Or where can I confirm it?

I couldn't find in:
http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html

Best regards,
Takeshi