
shibboleth-dev - Schema for attribute scoping

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Cc: "'Shibboleth Design Team'" <>
  • Subject: Schema for attribute scoping
  • Date: Mon, 4 Feb 2002 17:14:26 -0500
  • Importance: Normal
  • Organization: The Ohio State University

I'm not done experimenting, but I was able to validate this proposal
against SAML with the relatively authoritative XSV validator, though not
with XML Spy. I'll try Xerces soon, since it's the one that counts.

I think I mentioned before that if we want to carry scope anywhere
outside of a string value (ie.

as the actual value), we
have to have an extension schema, like so:

<complexType name="ScopedStringType">
  <simpleContent>
    <extension base="string">
      <attribute name="Scope" type="string"/>
    </extension>
  </simpleContent>
</complexType>

This base type would allow us to pass a simple string attribute without
any other constraints with a standard Scope XML attribute inside the
<AttributeValue> element. Or we could define new types that further
restrict this type to control what's in the string value.

Unfortunately, you apparently can't derive this from anyType and then
add an attribute (at least I'm not having any luck), so you'd have to
define one of these base types for any of the simple schema types you
wanted to use (ScopedIntegerType, ScopedDatetimeType, etc.). That's bad,
but I'll work on it some more.

Anyway, assuming you left EPPN's value syntax open as just "string", you
could pass it like this:

<Attribute AttributeNamespace="urn:mace:eduPerson"
           AttributeName="eduPersonPrincipalName">
  <AttributeValue xsi:type="shib:ScopedStringType"
                  Scope="subdomain.foo.edu">
    foosubguy
  </AttributeValue>
</Attribute>

I make absolutely no comment as to the obvious superiority of this
syntax over the obtuse and inefficient


Umm, seriously, there are advantages to all this ugliness, namely the
ability to create base classes in the code to handle lots of similar
things in a uniform way. Most of the attribute acceptance processing can
be value neutral, for example.

-- Scott
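
Added example (not part of the original message and not Shibboleth project code): a value-neutral acceptance check that reads only the Scope XML attribute of each <AttributeValue> and keeps values whose scope the asserting site is permitted to use. The policy table, the site name "origin.foo.edu", the "urn:example:shib" namespace and the function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"  # W3C schema-instance namespace
SHIB = "urn:example:shib"  # placeholder namespace, not the project's real URI

# Constructed policy: the scopes each asserting site is allowed to speak for.
PERMITTED_SCOPES = {"origin.foo.edu": {"foo.edu", "subdomain.foo.edu"}}

# Constructed sample mirroring the <Attribute> example in the message above.
SAMPLE = f"""<Attribute xmlns:xsi="{XSI}" xmlns:shib="{SHIB}"
    AttributeNamespace="urn:mace:eduPerson"
    AttributeName="eduPersonPrincipalName">
  <AttributeValue xsi:type="shib:ScopedStringType" Scope="subdomain.foo.edu">
    foosubguy
  </AttributeValue>
</Attribute>"""


def accept_scoped_values(xml_text, asserting_site):
    """Return [(value, scope)] for values whose Scope the site may assert."""
    if "<!DOCTYPE" in xml_text:
        # An assertion has no need for a DTD; refuse entity tricks outright.
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(xml_text)
    allowed = PERMITTED_SCOPES.get(asserting_site, set())
    accepted = []
    for av in root.iter("AttributeValue"):
        scope = av.get("Scope")
        # Value-neutral step: the decision looks only at Scope, so the same
        # code serves string, integer or date-time scoped types alike.
        # Exact match on purpose: a naive suffix test such as
        # endswith("foo.edu") would also accept "notfoo.edu".
        if scope is None or scope.lower() not in allowed:
            continue  # unscoped or out-of-scope values are dropped
        accepted.append(((av.text or "").strip(), scope.lower()))
    return accepted


if __name__ == "__main__":
    print(accept_scoped_values(SAMPLE, "origin.foo.edu"))
```
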
