
shibboleth-dev - Re: A Binary Attribute


Re: A Binary Attribute


  • From: "RL 'Bob' Morgan" <>
  • To: Zhi Qing Wu <>
  • Cc:
  • Subject: Re: A Binary Attribute
  • Date: Fri, 1 Oct 2004 08:26:41 -0700 (PDT)


Question: is transmitting binary record (such as an attribute certificate) supported by SAML in shibboleth? If yes, how to change the configuration to send the binary record from AA to Shar?

I'll defer to Walter and Scott on what the code actually does, but I'm pretty sure that all the existing attribute-handling only supports UTF-8 string values, not binary. There is no existing profile for handling X.509 certificates as attributes in Shibboleth (or in SAML 1.1, which defines no specific attribute usage at all). In SAML 2.0 there is a profile defined for handling arbitrary X.500/LDAP attributes, which says that for those whose LDAP encoding is not a UTF-8 string, the binary value is base64-encoded for transmission (as the content of the AttributeValue element). So I suggest that this is the approach to follow, and I think it would be up to you to code support for base64-ing this value in the AA, and decoding it at the Shib SP.

I'll note also that the SAML 2.0 X.500/LDAP profile specifies that attributes are named using urn:oid: -based names. So in cases such as this where we're adding the handling of new attributes in Shib, we will have to consider whether to continue following our existing convention of giving them MACE-defined names (urn:mace:dir:attribute-def:...) or to use this new approach. In this case I'd say we should use the urn:oid: name.

- RL "Bob"
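The approach Bob describes above (base64-encode the non-string value as the content of the AttributeValue, name the attribute with a urn:oid: name, decode at the SP) as an added worked example in Python. This is not code from the thread or from the Shibboleth project; it sketches the AA and SP halves of the encoding so the round trip and the SP-side checks are visible. Assumptions: the OID `2.5.4.58` (attributeCertificateAttribute, as registered in the X.500 schema) is used as the sample urn:oid name, the `xsi:type="xs:base64Binary"` marker follows the SAML 2.0 X.500/LDAP attribute profile, and `SAMPLE_DER` is a constructed byte string standing in for a DER-encoded certificate, not a real one.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

ET.register_namespace("saml", SAML_NS)
ET.register_namespace("xsi", XSI_NS)

# Assumed OID: attributeCertificateAttribute from the X.500 schema.
ATTR_CERT_OID = "2.5.4.58"

# Constructed sample: bytes that are deliberately not valid UTF-8, standing in
# for a DER-encoded attribute certificate (this is NOT a real certificate).
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0xFF, 0xFE, 0x00, 0x80])


def encode_attribute(oid, value):
    """AA side: emit a saml:Attribute named urn:oid:<oid>.

    bytes values are base64-encoded and typed xs:base64Binary, as the SAML 2.0
    X.500/LDAP profile does for non-string LDAP syntaxes; str values stay text.
    """
    attr = ET.Element(f"{{{SAML_NS}}}Attribute",
                      {"Name": f"urn:oid:{oid}", "NameFormat": NAMEFORMAT_URI})
    # Declare the xs prefix explicitly so the xsi:type QName below resolves.
    attr.set("xmlns:xs", XS_NS)
    val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    if isinstance(value, bytes):
        val.set(f"{{{XSI_NS}}}type", "xs:base64Binary")
        val.text = base64.b64encode(value).decode("ascii")
    else:
        val.text = value
    return ET.tostring(attr, encoding="unicode")


def decode_attribute(xml_text, expected_oid, max_bytes=64 * 1024):
    """SP side: parse one saml:Attribute and return its values.

    Returns bytes for base64Binary-typed values and str otherwise. Rejects an
    unexpected attribute name, malformed base64 and oversized payloads before
    decoding, so a bad value fails closed instead of reaching the consumer.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Attribute":
        raise ValueError("not a saml:Attribute element")
    if root.get("Name") != f"urn:oid:{expected_oid}":
        raise ValueError(f"unexpected attribute name {root.get('Name')!r}")
    values = []
    for val in root.findall(f"{{{SAML_NS}}}AttributeValue"):
        text = val.text or ""
        xsi_type = val.get(f"{{{XSI_NS}}}type", "")
        if xsi_type.endswith(":base64Binary"):
            compact = "".join(text.split())  # schema base64Binary permits whitespace
            if len(compact) > (max_bytes + 2) // 3 * 4:
                raise ValueError("base64 payload exceeds size limit")
            # validate=True rejects characters outside the base64 alphabet.
            values.append(base64.b64decode(compact, validate=True))
        else:
            values.append(text)
    return values


def roundtrip_ok(raw=SAMPLE_DER):
    """True if the bytes survive AA -> SAML -> SP unchanged."""
    return decode_attribute(encode_attribute(ATTR_CERT_OID, raw), ATTR_CERT_OID) == [raw]


if __name__ == "__main__":
    print(encode_attribute(ATTR_CERT_OID, SAMPLE_DER))
    print("round trip ok:", roundtrip_ok())
    # The same bytes cannot be carried as a UTF-8 string value, which is why
    # the string-only attribute path cannot transport them.
    try:
        SAMPLE_DER.decode("utf-8")
    except UnicodeDecodeError as exc:
        print("not representable as a UTF-8 string:", exc)
```

The size check and strict alphabet check on the SP side are the practical additions: the AA is trusted to produce well-formed base64, but the SP should still bound what it decodes and reject anything outside the base64 alphabet rather than silently accepting garbage.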



