
grouper-users - Re: [grouper-users] SAML1 name of isMemberOf


Re: [grouper-users] SAML1 name of isMemberOf


  • From: Takeshi NISHIMURA <>
  • To: Keith Hazelton <>
  • Cc: Keith Hazelton <>,
  • Subject: Re: [grouper-users] SAML1 name of isMemberOf
  • Date: Tue, 22 Nov 2011 12:22:20 +0900

Thanks a lot, Keith!

Takeshi

On 2011/11/22, at 12:16, Keith Hazelton wrote:

> No attribute-def style name was ever registered for isMemberOf. So the
> right thing to do is to use the urn:oid style name for isMemberOf, even in
> cases where the IdP and SP are running SAML 1.1.
>
> Regards, --Keith
> ______________________________
> On 11/21/11, Takeshi NISHIMURA wrote:
>> Hi Keith,
>>
>> Thank you for the explanation.
>> Then, I wonder whether isMemberOf is used with SAML 1.1? The page
>> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
>> does expect use with SAML 1.1, but I do not know whether use of the name
>> urn:mace:dir:attribute-def:isMemberOf
>> is allowed (i.e. registered) or not. I want to be sure about it.
>>
>> I hope this question makes sense.
>>
>> Sincerely,
>> Takeshi
>>
>> On 2011/11/22, at 11:07, Keith Hazelton wrote:
>>
>>> Takeshi,
>>>
>>> urn's using attribute-def naming are a legacy of SAML 1.1 days.
>>>
>>> For SAML 2, the URN oid namespace is used, so the attribute with the
>>> friendly name "isMemberOf" is represented by
>>> "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" per its definition in "LDAP
>>> representations of membership in groups"
>>> (http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html)
>>>
>>> The applicable SAML 2 document is "Profiles for the OASIS Security
>>> Assertion Markup Language (SAML) V2.0"
>>> found at:
>>> https://docs.google.com/viewer?url=http%3A%2F%2Fdocs.oasis-open.org%2Fsecurity%2Fsaml%2Fv2.0%2Fsaml-profiles-2.0-os.pdf
>>>
>>> Refer to section 8.2.2 (beginning on page 51):
>>>
>>> "8.2.2 SAML Attribute Naming
>>>
>>> The NameFormat XML attribute in <Attribute> elements MUST be
>>> urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
>>>
>>> To construct attribute names, the URN oid namespace described in IETF RFC
>>> 3061 [RFC3061] is used.
>>> In this approach the Name XML attribute is based on the OBJECT IDENTIFIER
>>> assigned to the directory
>>> attribute type.
>>>
>>> Example:
>>>
>>> urn:oid:2.5.4.3
>>>
>>> Since X.500 procedures require that every attribute type be identified
>>> with a unique OBJECT IDENTIFIER,
>>> this naming scheme ensures that the derived SAML attribute names are
>>> unambiguous."
>>>
>>> Hope that helps, --Keith Hazelton
>>> ___________
>>> On Nov 21, 2011, at 7:24 PM, Takeshi NISHIMURA wrote:
>>>
>>>> Hi all,
>>>>
>>>> Just a quick question.
>>>>
>>>> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
>>>>> name="urn:mace:dir:attribute-def:isMemberOf" />
>>>>
>>>> Is this a registered URN for isMemberOf?
>>>> Or where can I confirm it?
>>>>
>>>> I couldn't find it in:
>>>> http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html
>>>>
>>>> Best regards,
>>>> Takeshi
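The naming rule Keith quotes has a practical consequence for a relying party: an SP should select isMemberOf by its registered Name plus NameFormat (urn:oid:1.3.6.1.4.1.5923.1.5.1.1 with attrname-format:uri), never by the advisory FriendlyName, and should treat the legacy urn:mace:dir:attribute-def:isMemberOf spelling as an explicit opt-in for SAML 1.1 peers rather than a default. The following is an added example illustrating that check; it is not code from the thread, from Grouper or from Shibboleth. The assertion, issuer URL and group names are constructed for the example.

```python
"""Added example (not from the thread, Grouper or Shibboleth): pick the
isMemberOf attribute out of a SAML assertion by its registered OID name and
URI NameFormat, ignoring FriendlyName, with the legacy SAML 1.1
attribute-def name accepted only when explicitly enabled."""
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ISMEMBEROF_OID = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"        # registered name (SAML 2)
ISMEMBEROF_LEGACY = "urn:mace:dir:attribute-def:isMemberOf"  # legacy SAML 1.1 spelling

# Constructed sample assertion: issuer, ID and group names are made up.
# It carries cn, a correctly named isMemberOf, a "basic"-format attribute that
# merely reuses the friendly name, and the legacy attribute-def spelling.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_example1"
    Version="2.0" IssueInstant="2011-11-22T03:16:00Z">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:2.5.4.3" NameFormat="{URI_FORMAT}" FriendlyName="cn">
      <saml2:AttributeValue>Example User</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{ISMEMBEROF_OID}" NameFormat="{URI_FORMAT}" FriendlyName="isMemberOf">
      <saml2:AttributeValue>etc:sysadmingroup</saml2:AttributeValue>
      <saml2:AttributeValue>apps:wiki:editors</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="isMemberOf"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>apps:wiki:admins</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{ISMEMBEROF_LEGACY}" NameFormat="{URI_FORMAT}">
      <saml2:AttributeValue>legacy:saml11:group</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def group_memberships(assertion_xml: str, allow_legacy_name: bool = False) -> list[str]:
    """Return the isMemberOf values of an assertion.

    Selection is keyed on the Attribute's Name and NameFormat only. FriendlyName
    is advisory and a "basic"-format name is not an unambiguous identifier, so
    both are ignored. The legacy attribute-def name is honoured only when the
    caller opts in for a SAML 1.1 peer.
    """
    accepted = {ISMEMBEROF_OID}
    if allow_legacy_name:
        accepted.add(ISMEMBEROF_LEGACY)

    root = ET.fromstring(assertion_xml)
    groups: list[str] = []
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        if attr.get("NameFormat") != URI_FORMAT:
            continue  # basic/unspecified names are not registered identifiers
        if attr.get("Name") not in accepted:
            continue
        for value in attr.findall("saml2:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                groups.append(text)
    return groups


if __name__ == "__main__":
    print("strict (SAML 2 name only):", group_memberships(SAMPLE_ASSERTION))
    print("with legacy SAML 1.1 name: ",
          group_memberships(SAMPLE_ASSERTION, allow_legacy_name=True))
```

Note that the attribute named plainly "isMemberOf" with the basic NameFormat is dropped even though its friendly name matches: an SP that keyed on FriendlyName would accept group claims under a name no registry defines.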



