mace-opensaml-users - RE: SAML attribute question
Subject: OpenSAML user discussion
- From: "Scott Cantor"
- To: "'Dung Huynh'"
- Subject: RE: SAML attribute question
- Date: Wed, 6 Apr 2005 22:08:11 -0400
- Organization: The Ohio State University
> I am doing research on the SAML 1.1 specification and have run across some
> questions about SAML attributes. I hope that someone in the group can help
> to answer them.

saml-dev is a good list for SAML questions.

> The <Attribute> element supplies the value for an attribute of an
> assertion subject, and it is an extension of AttributeDesignatorType.
> The AttributeDesignatorType has 2 required fields, AttributeName and
> AttributeNamespace.

Yes. AttributeNamespace, however, does not have a well-defined or consistent
meaning and has been used differently by different people. I advise you to
avoid it and use unique names by themselves, thus leaving you able to adapt
to others (mis)using the other field and not stepping on you.

> My questions are the following:
>
> 1) Must the AttributeNamespace be
> "http://www.oasis-open.org/RSA2004/attributes", and what is the list of
> attribute names that can be used as AttributeName for the
> http://www.oasis-open.org/RSA2004/attributes AttributeNamespace?

Umm, I don't know what the value is, but it means nothing to me or to SAML.
Nor does any other value in that field. It's meaningless unless you make up
a meaning and bake it into your code, which has serious interoperability
implications. Don't use it. Pick a value, stick it in by default, and ignore
it.

> 2) Is it possible to introduce my user-defined attribute name (i.e. "security
> level") and use it with the http://www.oasis-open.org/RSA2004/attributes
> AttributeNamespace?

I would say no, because I don't imagine you have any control over whoever
made up that string.

-- Scott
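
The approach recommended in the reply above, as an added example that is not part of the original message and is not OpenSAML code: the producer emits a unique URI-style AttributeName with a fixed filler AttributeNamespace, and the consumer matches on AttributeName alone. The `urn:example:` names, `DEFAULT_ATTR_NS`, `KNOWN` and the function names are assumptions made for illustration, the statement is a simplified fragment without a Subject, and the enclosing assertion is assumed to have been signature-checked already.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion schema
DEFAULT_ATTR_NS = "urn:example:unspecified"        # assumed filler, carries no meaning
KNOWN = {"urn:example:attr:securityLevel", "urn:example:attr:role"}  # assumed allow-list

def build_attribute(name, values):
    """Producer: unique name, fixed filler in the required AttributeNamespace."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute",
                      {"AttributeName": name, "AttributeNamespace": DEFAULT_ATTR_NS})
    for value in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return attr

def read_attributes(statement_xml, known_names=KNOWN):
    """Consumer: key on AttributeName only. AttributeNamespace must be present
    (the schema requires it) but is never used to match or authorize."""
    root = ET.fromstring(statement_xml)
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("AttributeName")
        if not name or attr.get("AttributeNamespace") is None:
            raise ValueError("Attribute is missing a required field")
        if name not in known_names:
            continue  # unmapped names are dropped, not guessed at
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        result.setdefault(name, []).extend(values)
    return result

def sample_statement():
    """Constructed input: one attribute arrives with another party's namespace
    string, one with the filler, and one whose name is not on the allow-list."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    stmt.append(build_attribute("urn:example:attr:securityLevel", ["3"]))
    foreign = build_attribute("urn:example:attr:role", ["auditor"])
    foreign.set("AttributeNamespace", "http://www.oasis-open.org/RSA2004/attributes")
    stmt.append(foreign)
    stmt.append(build_attribute("urn:example:attr:unmapped", ["x"]))
    return ET.tostring(stmt, encoding="unicode")

if __name__ == "__main__":
    print(read_attributes(sample_statement()))
```
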