OpenSAML user discussion

["Scott Cantor" <>]

> I am doing research in the SAML 1.1 specification and run across some 
> question in SAML attribute.  I hope that  some one in the group can help
> to answer.

saml-dev is a good list for SAML questions.

> The <Attribute> element supplies the value for an attribute of an
> assertion subject, and it is an extend of AttributeDesignatorType.
> The AttributeDesignatorType has 2 required field, AttributeName and 
> AttributeNamespace.

Yes. AttributeNamespace, however, does not have a well-defined or consistent
meaning and has been used differently by different people. I advise you to
avoid it and use unique names by themselves, thus leaving you able to adapt
to others (mis)using the other field and not stepping on you.

> My question is the following:
> 
> 1) is the AttributeNamespace must be 
> "http://www.oasis-open.org/RSA2004/attributes"; and what are the list of 
> attribute names that can be used as AttributeName for 
> http://www.oasis-open.org/RSA2004/attributes AttributeNamespace .

Umm, I don't know what the value is, but it means nothing to me or to SAML.
Nor does any other value in that field. It's meaningless unless you make up
a meaning and bake it into your code, which has serious interoperability
implications. Don't use it. Pick a value, stick it in by default, and ignore
it.

> 2) Is it possible to introduce my user-define attribute name ie. "security

> level") and use with  http://www.oasis-open.org/RSA2004/attributes 
> AttributeNamespace?

I would say no, because I don't imagine you have any control over whoever
made up that string.

-- Scott