grouper-users - Re: [grouper-users] SAML1 name of isMemberOf

Subject: Grouper Users - Open Discussion List

Re: [grouper-users] SAML1 name of isMemberOf


  • From: Keith Hazelton <>
  • To: Takeshi NISHIMURA <>, Keith Hazelton <>
  • Cc:
  • Subject: Re: [grouper-users] SAML1 name of isMemberOf
  • Date: Mon, 21 Nov 2011 21:16:52 -0600
  • Priority: normal

No attribute-def style name was ever registered for isMemberOf. So the right
thing to do is to use the urn:oid style name for isMemberOf, even in cases
where the IdP and SP are running SAML 1.1.

Regards, --Keith
______________________________
On 11/21/11, Takeshi NISHIMURA wrote:
> Hi Keith,
>
> Thank you for the explanation.
> Then, I wonder if isMemberOf is used with SAML 1.1? The page
> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
> does expect use with SAML 1.1, but I do not know whether the usage of the name
> urn:mace:dir:attribute-def:isMemberOf
> is allowed (i.e. registered) or not. I want to be sure about it.
>
> I hope this question makes sense.
>
> Sincerely,
> Takeshi
>
> On 2011/11/22, at 11:07, Keith Hazelton wrote:
>
> > Takeshi,
> >
> > URNs using attribute-def naming are a legacy of SAML 1.1 days.
> >
> > For SAML 2, the URN oid namespace is used, so the attribute with the
> > friendly name "isMemberOf" is represented by
> > "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" per its definition in "LDAP
> > representations of membership in groups"
> > (http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html)
> >
> > The applicable SAML 2 document is "Profiles for the OASIS Security
> > Assertion Markup Language (SAML) V2.0"
> > found at:
> > https://docs.google.com/viewer?url=http%3A%2F%2Fdocs.oasis-open.org%2Fsecurity%2Fsaml%2Fv2.0%2Fsaml-profiles-2.0-os.pdf
> >
> > Refer to section 8.2.2 (beginning on page 51):
> >
> > "8.2.2 SAML Attribute Naming
> >
> > The NameFormat XML attribute in <Attribute> elements MUST be
> > urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
> >
> > To construct attribute names, the URN oid namespace described in IETF RFC
> > 3061 [RFC3061] is used.
> > In this approach the Name XML attribute is based on the OBJECT IDENTIFIER
> > assigned to the directory
> > attribute type.
> >
> > Example:
> >
> > urn:oid:2.5.4.3
> >
> > Since X.500 procedures require that every attribute type be identified
> > with a unique OBJECT IDENTIFIER,
> > this naming scheme ensures that the derived SAML attribute names are
> > unambiguous."
> >
> > Hope that helps, --Keith Hazelton
> > ___________
> > On Nov 21, 2011, at 7:24 PM, Takeshi NISHIMURA wrote:
> >
> >> Hi all,
> >>
> >> Just a quick question.
> >>
> >> https://spaces.internet2.edu/display/Grouper/Exposing+Groups+Through+Shibboleth
> >>> name="urn:mace:dir:attribute-def:isMemberOf" />
> >>
> >> Is this a registered URN for isMemberOf?
> >> Or where can I confirm it?
> >>
> >> I couldn't find it in:
> >> http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html
> >>
> >> Best regards,
> >> Takeshi



begin:vcard
n:HAZELTON;KEITH;;;
fn:KEITH D HAZELTON
tel;work:608 262-0771
org:University of Wisconsin-Madison;DoIT
adr:;;1210 W. Dayton St.;Madison;WI;53706;US
email;work;internet:
title:Sr. IT Architect
version:2.1
end:vcard
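The naming rule quoted in the thread (NameFormat must be urn:oasis:names:tc:SAML:2.0:attrname-format:uri and the Name is the urn:oid form, so isMemberOf is urn:oid:1.3.6.1.4.1.5923.1.5.1.1) together with Keith's advice to use the urn:oid name even over SAML 1.1, as an added Python checker. This is not code from Grouper, the Shibboleth IdP, or anyone in the thread. It parses a SAML 2.0 or SAML 1.1 assertion, extracts each attribute's values, and flags attributes whose naming breaks those rules. Assumptions: the sample assertions are constructed by hand and are unsigned (a real consumer verifies the signature first); the SAML 1.1 AttributeNamespace value urn:mace:shibboleth:1.0:attributeNamespace:uri is the Shibboleth convention for URI-style names, which the thread does not mention; KNOWN_OIDS is a toy table holding only the two OIDs that appear in the thread.

```python
"""Check SAML attribute naming against the rules discussed in the thread.

Added example; not Grouper or Shibboleth IdP code. Samples below are
constructed and unsigned: verify signatures before trusting attributes.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Assumption: Shibboleth's convention for URI-style names in SAML 1.x
# attributes; the SAML 1.1 specification itself does not mandate it.
SAML1_URI_NAMESPACE = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

ISMEMBEROF_OID = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
LEGACY_PREFIX = "urn:mace:dir:attribute-def:"
# Toy table: isMemberOf from the thread, cn from the profile's own example.
KNOWN_OIDS = {ISMEMBEROF_OID: "isMemberOf", "urn:oid:2.5.4.3": "cn"}


def check_name(name, name_format, version):
    """Return the naming problems of one attribute (empty list means OK)."""
    problems = []
    if version == "2.0" and name_format != SAML2_URI_FORMAT:
        problems.append(f"NameFormat must be {SAML2_URI_FORMAT}, got {name_format!r}")
    if version != "2.0" and name_format != SAML1_URI_NAMESPACE:
        problems.append(f"AttributeNamespace should be {SAML1_URI_NAMESPACE}, got {name_format!r}")
    if name.startswith(LEGACY_PREFIX):
        # Never registered, so reject it regardless of SAML version.
        problems.append(f"{name} is an unregistered attribute-def style name; use the urn:oid form")
    elif not name.startswith("urn:oid:"):
        problems.append(f"{name} is not an OID-based name")
    elif name not in KNOWN_OIDS:
        problems.append(f"{name} is not a known OID")
    return problems


def check_assertion(xml_text):
    """Map each attribute name to its version, friendly name, values and problems."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML2_NS}}}Assertion":
        version, ns = "2.0", SAML2_NS
        name_attr, format_attr = "Name", "NameFormat"
    elif root.tag == f"{{{SAML1_NS}}}Assertion":
        version, ns = f"{root.get('MajorVersion')}.{root.get('MinorVersion')}", SAML1_NS
        name_attr, format_attr = "AttributeName", "AttributeNamespace"
    else:
        raise ValueError(f"not a SAML assertion: {root.tag}")

    report = {}
    for attr in root.iter(f"{{{ns}}}Attribute"):
        name = attr.get(name_attr, "")
        report[name] = {
            "version": version,
            "friendly": KNOWN_OIDS.get(name, attr.get("FriendlyName")),
            "values": [v.text for v in attr.findall(f"{{{ns}}}AttributeValue")],
            "problems": check_name(name, attr.get(format_attr), version),
        }
    return report


# Constructed samples. Group names are invented.
SAML2_OK = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" Version="2.0" ID="_a1">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{ISMEMBEROF_OID}" NameFormat="{SAML2_URI_FORMAT}" FriendlyName="isMemberOf">
      <saml2:AttributeValue>etc:sysadmin</saml2:AttributeValue>
      <saml2:AttributeValue>apps:wiki:editors</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

SAML2_LEGACY = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" Version="2.0" ID="_a2">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{LEGACY_PREFIX}isMemberOf"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>etc:sysadmin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

SAML1_LEGACY = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1" AssertionID="_b1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="{LEGACY_PREFIX}isMemberOf" AttributeNamespace="{SAML1_URI_NAMESPACE}">
      <saml:AttributeValue>etc:sysadmin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("SAML2 ok", SAML2_OK), ("SAML2 legacy", SAML2_LEGACY), ("SAML1 legacy", SAML1_LEGACY)):
        for name, info in check_assertion(doc).items():
            print(label, name, info["values"], info["problems"] or "OK")
```

The SAML 1.1 sample uses the correct AttributeNamespace but the attribute-def name, so the only finding is the unregistered name, which is exactly the case the thread settles; the SAML 2.0 legacy sample is flagged twice, once for the basic NameFormat and once for the name.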



Archive powered by MHonArc 2.6.16.
