Re: [grouper-users] SAML1 name of isMemberOf
  • From: Tom Barton <>
  • To:
  • Subject: Re: [grouper-users] SAML1 name of isMemberOf
  • Date: Mon, 21 Nov 2011 23:10:54 -0600

Takeshi,

I think you've spotted a problem with ldappcng's default config. Grouper
should use the specified value as Keith described, which is registered,
and supply a FriendlyName of isMemberOf.

TomZ, can you add a jira for that? Are there any implications to making
this change?

Thanks,
Tom

On 11/21/2011 8:40 PM, Takeshi NISHIMURA wrote:
> Hi Keith,
>
> Thank you for the explanation.
> Then, I wonder whether isMemberOf is used with SAML 1.1. The page
> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
> does expect use with SAML 1.1, but I do not know whether the use of the name
> urn:mace:dir:attribute-def:isMemberOf
> is allowed (i.e. registered) or not. I want to be sure about it.
>
> I hope this question makes sense.
>
> Sincerely,
> Takeshi
>
> On 2011/11/22, at 11:07, Keith Hazelton wrote:
>
>> Takeshi,
>>
>> URNs using attribute-def naming are a legacy of the SAML 1.1 days.
>>
>> For SAML 2, the URN oid namespace is used, so the attribute with the
>> friendly name "isMemberOf" is represented by
>> "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" per its definition in "LDAP
>> representations of membership in groups"
>> (http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html)
>>
>> The applicable SAML 2 document is "Profiles for the OASIS Security
>> Assertion Markup Language (SAML) V2.0"
>> found at:
>> https://docs.google.com/viewer?url=http%3A%2F%2Fdocs.oasis-open.org%2Fsecurity%2Fsaml%2Fv2.0%2Fsaml-profiles-2.0-os.pdf
>>
>> Refer to section 8.2.2 (beginning on page 51):
>>
>> "8.2.2 SAML Attribute Naming
>>
>> The NameFormat XML attribute in <Attribute> elements MUST be
>> urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
>>
>> To construct attribute names, the URN oid namespace described in IETF RFC
>> 3061 [RFC3061] is used.
>> In this approach the Name XML attribute is based on the OBJECT IDENTIFIER
>> assigned to the directory
>> attribute type.
>>
>> Example:
>>
>> urn:oid:2.5.4.3
>>
>> Since X.500 procedures require that every attribute type be identified
>> with a unique OBJECT IDENTIFIER,
>> this naming scheme ensures that the derived SAML attribute names are
>> unambiguous."
>>
>> Hope that helps, --Keith Hazelton
>> ___________
>> On Nov 21, 2011, at 7:24 PM, Takeshi NISHIMURA wrote:
>>
>>> Hi all,
>>>
>>> Just a quick question.
>>>
>>> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
>>>> name="urn:mace:dir:attribute-def:isMemberOf" />
>>> Is this a registered URN for isMemberOf?
>>> Or where can I confirm it?
>>>
>>> I couldn't find it in:
>>> http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html
>>>
>>> Best regards,
>>> Takeshi
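An added example (not code from the thread, from Grouper or from Shibboleth) that checks a SAML 2 <Attribute> element the way the section 8.2.2 text Keith quotes requires: NameFormat uri and an RFC 3061 urn:oid: Name, and flags the SAML 1.1-era attribute-def name the thread asks about. The sample elements are constructed for the example.

```python
"""Check SAML 2.0 <Attribute> naming for isMemberOf against SAML V2.0 profiles, section 8.2.2."""
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# isMemberOf as defined in "LDAP representations of membership in groups"
ISMEMBEROF_OID_NAME = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
ISMEMBEROF_FRIENDLY = "isMemberOf"
# Legacy attribute-def style name from the SAML 1.1 era (the name the thread asks about)
ISMEMBEROF_LEGACY_NAME = "urn:mace:dir:attribute-def:isMemberOf"

# RFC 3061 form: urn:oid: followed by a dotted OBJECT IDENTIFIER
OID_URN = re.compile(r"urn:oid:\d+(\.\d+)+$")


def build_ismemberof_attribute(groups):
    """Build a SAML 2 <Attribute> carrying group names under the registered OID name."""
    attr = ET.Element(f"{{{SAML2_NS}}}Attribute", {
        "Name": ISMEMBEROF_OID_NAME,
        "NameFormat": NAMEFORMAT_URI,
        "FriendlyName": ISMEMBEROF_FRIENDLY,
    })
    for group in groups:
        ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = group
    return ET.tostring(attr, encoding="unicode")


def check_attribute_naming(attr_xml):
    """Return the naming problems found in one <Attribute> element (empty list = compliant)."""
    attr = ET.fromstring(attr_xml)
    problems = []
    if attr.get("NameFormat") != NAMEFORMAT_URI:
        problems.append("NameFormat must be " + NAMEFORMAT_URI)
    name = attr.get("Name", "")
    if name == ISMEMBEROF_LEGACY_NAME:
        problems.append("legacy SAML 1.1 name; use " + ISMEMBEROF_OID_NAME + " with FriendlyName=" + ISMEMBEROF_FRIENDLY)
    elif not OID_URN.match(name):
        problems.append("Name is not an RFC 3061 urn:oid: name: " + name)
    return problems


# Constructed sample: the SAML 1.1-era name carried, unchanged, into a SAML 2 assertion
LEGACY_SAMPLE = (
    '<saml:Attribute xmlns:saml="' + SAML2_NS + '" '
    'Name="' + ISMEMBEROF_LEGACY_NAME + '" NameFormat="' + NAMEFORMAT_URI + '">'
    '<saml:AttributeValue>cn=staff,ou=groups,dc=example,dc=org</saml:AttributeValue>'
    '</saml:Attribute>'
)
```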
