
mace-opensaml-users - RE: SAML attribute question

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: "'Dung Huynh'" <>, <>
  • Subject: RE: SAML attribute question
  • Date: Wed, 6 Apr 2005 22:08:11 -0400
  • Organization: The Ohio State University

> I am doing research on the SAML 1.1 specification and have run across some
> questions about SAML attributes. I hope that someone in the group can help
> to answer them.

saml-dev is a good list for SAML questions.

> The <Attribute> element supplies the value for an attribute of an
> assertion subject, and it is an extension of AttributeDesignatorType.
> The AttributeDesignatorType has 2 required fields, AttributeName and
> AttributeNamespace.

Yes. AttributeNamespace, however, does not have a well-defined or consistent
meaning and has been used differently by different people. I advise you to
avoid it and use unique names by themselves, thus leaving you able to adapt
to others (mis)using the other field and not stepping on you.

> My question is the following:
>
> 1) Must the AttributeNamespace be
> "http://www.oasis-open.org/RSA2004/attributes", and what is the list of
> attribute names that can be used as AttributeName for the
> http://www.oasis-open.org/RSA2004/attributes AttributeNamespace?

Umm, I don't know what the value is, but it means nothing to me or to SAML.
Nor does any other value in that field. It's meaningless unless you make up
a meaning and bake it into your code, which has serious interoperability
implications. Don't use it. Pick a value, stick it in by default, and ignore
it.

> 2) Is it possible to introduce my user-defined attribute name (i.e. "security
> level") and use it with the http://www.oasis-open.org/RSA2004/attributes
> AttributeNamespace?

I would say no, because I don't imagine you have any control over whoever
made up that string.

-- Scott
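
An added example, not part of the original message and not OpenSAML code: a producer that emits SAML 1.x `<Attribute>` elements with unique names and one fixed `AttributeNamespace` filler, and a consumer that keys on `AttributeName` alone, as the reply advises. The `urn:example:...` names and the default filler value are hypothetical, the sample statements are constructed, and the consumer assumes the enclosing assertion has already been validated.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion XML namespace
DEFAULT_ATTR_NS = "urn:example:attributes"      # hypothetical fixed filler value


def build_attribute(name, values, attr_ns=DEFAULT_ATTR_NS):
    """Producer: globally unique AttributeName, constant AttributeNamespace."""
    attr = ET.Element(f"{{{SAML}}}Attribute",
                      {"AttributeName": name, "AttributeNamespace": attr_ns})
    for value in values:
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return attr


def attributes_by_name(statement_xml):
    """Consumer: map AttributeName -> values; AttributeNamespace is never read."""
    root = ET.fromstring(statement_xml)
    result = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("AttributeName")
        if not name:
            raise ValueError("Attribute element without AttributeName")
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        # Repeated Attribute elements with the same name are merged.
        result.setdefault(name, []).extend(values)
    return result


def sample_statement(attr_ns):
    """Constructed AttributeStatement; only the AttributeNamespace filler varies."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    stmt.append(build_attribute("urn:example:attr:securityLevel", ["3"], attr_ns))
    stmt.append(build_attribute("urn:example:attr:role", ["staff", "admin"], attr_ns))
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    ours = attributes_by_name(sample_statement(DEFAULT_ATTR_NS))
    theirs = attributes_by_name(
        sample_statement("http://www.oasis-open.org/RSA2004/attributes"))
    # Same result whichever filler the issuer put in AttributeNamespace.
    print(ours == theirs, ours)
```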



