grouper-users - Re: [grouper-users] SAML1 name of isMemberOf
Subject: Grouper Users - Open Discussion List
List archive
- From: Takeshi NISHIMURA <>
- To: Keith Hazelton <>
- Cc:
- Subject: Re: [grouper-users] SAML1 name of isMemberOf
- Date: Tue, 22 Nov 2011 11:40:05 +0900
Hi Keith,
Thank you for the explanation.
Then, I wonder if isMemberOf is used with SAML 1.1? The page
https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
does expect the use with SAML 1.1, but I do not know the usage of the name
urn:mace:dir:attribute-def:isMemberOf
is allowed (i.e. registered) or not. I want to be sure about it.
I hope this question makes sense.
Sincerely,
Takeshi
On 2011/11/22, at 11:07, Keith Hazelton wrote:
> Takeshi,
>
> urn's using attribute-def naming are a legacy of SAML 1.1 days.
>
> For SAML 2, the URN oid namespace is used, so the attribute with the
> friendly name "isMemberOf" is represented by
> "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" per its definition in "LDAP
> representations of membership in groups"
> (http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html
> )
>
> The applicable SAML 2 document is "Profiles for the OASIS Security
> Assertion Markup Language (SAML) V2.0"
> found at:
> https://docs.google.com/viewer?url=http%3A%2F%2Fdocs.oasis-open.org%2Fsecurity%2Fsaml%2Fv2.0%2Fsaml-profiles-2.0-os.pdf
>
> Refer to section 8.2.2 (beginning on page 51):
>
> "8.2.2 SAML Attribute Naming
>
> The NameFormat XML attribute in <Attribute> elements MUST be
> urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
>
> To construct attribute names, the URN oid namespace described in IETF RFC
> 3061 [RFC3061] is used.
> In this approach the Name XML attribute is based on the OBJECT IDENTIFIER
> assigned to the directory
> attribute type.
>
> Example:
>
> urn:oid:2.5.4.3
>
> Since X.500 procedures require that every attribute type be identified with
> a unique OBJECT IDENTIFIER,
> this naming scheme ensures that the derived SAML attribute names are
> unambiguous."
>
> Hope that helps, --Keith Hazelton
> ___________
> On Nov 21, 2011, at 7:24 PM, Takeshi NISHIMURA wrote:
>
>> Hi all,
>>
>> Just a quick question.
>>
>> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
>>> name="urn:mace:dir:attribute-def:isMemberOf" />
>>
>> Is this a registered URN for isMemberOf?
>> Or where can I confirm it?
>>
>> I couldn't find in:
>> http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html
>>
>> Best regards,
>> Takeshi
- [grouper-users] SAML1 name of isMemberOf, Takeshi NISHIMURA, 11/21/2011
- Re: [grouper-users] SAML1 name of isMemberOf, Keith Hazelton, 11/21/2011
- Re: [grouper-users] SAML1 name of isMemberOf, Takeshi NISHIMURA, 11/21/2011
- Message not available
- Message not available
- Message not available
- Re: [grouper-users] SAML1 name of isMemberOf, Keith Hazelton, 11/21/2011
- Re: [grouper-users] SAML1 name of isMemberOf, Takeshi NISHIMURA, 11/21/2011
- Re: [grouper-users] SAML1 name of isMemberOf, Keith Hazelton, 11/21/2011
- Message not available
- Message not available
- Re: [grouper-users] SAML1 name of isMemberOf, Tom Barton, 11/22/2011
- Re: [grouper-users] SAML1 name of isMemberOf, Takeshi NISHIMURA, 11/22/2011
- Message not available
- Re: [grouper-users] SAML1 name of isMemberOf, Takeshi NISHIMURA, 11/21/2011
- Re: [grouper-users] SAML1 name of isMemberOf, Keith Hazelton, 11/21/2011
Archive powered by MHonArc 2.6.16.