Grouper Users - Open Discussion List

[Keith Hazelton <>]

No attribute-def style name was ever registered for isMemberOf. So the right 
thing to do is to use the urn:oid style name for isMemberOf, even in cases 
where the IdP and SP are running SAML 1.1. 
 
              Regards,   --Keith 
 ______________________________
On 11/21/11, Takeshi NISHIMURA wrote:
> Hi Keith,
> 
> Thank you for the explanation.
> Then, I wonder if isMemberOf is used with SAML 1.1? The page
> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
> does expect the use with SAML 1.1, but I do not know the usage of the name
> urn:mace:dir:attribute-def:isMemberOf
> is allowed (i.e. registered) or not. I want to be sure about it.
> 
> I hope this question makes sense.
> 
> Sincerely,
> Takeshi
> 
> On 2011/11/22, at 11:07, Keith Hazelton wrote:
> 
> > Takeshi,
> > 
> > urn's using attribute-def naming are a legacy of SAML 1.1 days.
> > 
> > For SAML 2, the URN oid namespace is used, so the attribute with the 
> > friendly name "isMemberOf" is represented by 
> > "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" per its definition in "LDAP 
> > representations of membership in groups" 
> > (http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html
> >  )
> > 
> > The applicable SAML 2 document is "Profiles for the OASIS Security 
> > Assertion Markup Language (SAML) V2.0"
> > found at: 
> > https://docs.google.com/viewer?url=http%3A%2F%2Fdocs.oasis-open.org%2Fsecurity%2Fsaml%2Fv2.0%2Fsaml-profiles-2.0-os.pdf
> > 
> > Refer to section 8.2.2 (beginning on page 51):
> > 
> > "8.2.2 SAML Attribute Naming
> > 
> > The NameFormat XML attribute in <Attribute> elements MUST be
> > urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
> > 
> > To construct attribute names, the URN oid namespace described in IETF RFC 
> > 3061 [RFC3061] is used.
> > In this approach the Name XML attribute is based on the OBJECT IDENTIFIER 
> > assigned to the directory
> > attribute type.
> > 
> > Example:
> > 
> > urn:oid:2.5.4.3
> > 
> > Since X.500 procedures require that every attribute type be identified 
> > with a unique OBJECT IDENTIFIER,
> > this naming scheme ensures that the derived SAML attribute names are 
> > unambiguous."
> > 
> > Hope that helps, --Keith Hazelton
> > ___________
> > On Nov 21, 2011, at 7:24 PM, Takeshi NISHIMURA wrote:
> > 
> >> Hi all,
> >> 
> >> Just a quick question.
> >> 
> >> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
> >>> name="urn:mace:dir:attribute-def:isMemberOf" />
> >> 
> >> Is this a registered URN for isMemberOf?
> >> Or where can I confirm it?
> >> 
> >> I couldn't find in:
> >> http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html
> >> 
> >> Best regards,
> >> Takeshi

 
 
begin:vcard
n:HAZELTON;KEITH;;;
fn:KEITH D HAZELTON
tel;work:608 262-0771
org:University of Wisconsin-Madison;DoIT
adr:;;1210 W. Dayton St.;Madison;WI;53706;US
email;work;internet:
title:Sr. IT Architect
version:2.1
end:vcard