
shibboleth-dev - Re: urn:mace:dir:attribute-def

Subject: Shibboleth Developers

  • From: Keith Hazelton <>
  • To:
  • Cc: 'Shibboleth Users' <>
  • Subject: Re: urn:mace:dir:attribute-def
  • Date: Fri, 19 May 2006 04:52:50 -0500

Alistair Young wrote:
> Just perusing the latest eduPerson schema and I was wondering where "urn:mace:dir:attribute-def" came from. Shibb seems to use this prefix, or is that just a relic of some previous scenario?

See below.

> The eduPerson spec now says that all eduPerson attributes should be prefixed with "eduPerson."

That language has been there since the first version, nothing new there. The eduPerson schema is an LDAP specification, so the names of attributes defined there are for LDAP usage. When it comes to attribute usage in SAML implementations, including Shibboleth, read on:

> Of course, eduPerson is mostly made up of non eduPerson attributes from other schemata. Do the members of the list have best practice suggestions for interop when using these attributes?
_____________

 
For Shibboleth usage of eduPerson and other MACE-Dir defined attributes, a new MACE-Dir document lays all this out (thanks to Scott Cantor for the heavy lifting):
 
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200604.pdf
 
For SAML 1.1 operations, Section 2.2.1 explains the urn:mace:dir:attribute-def namespace usage.  Short summary: It is a relic of an earlier approach, kept for backward compatibility.  For any attributes we define in the future, we will use the new convention, based on using the OIDs assigned to each attribute created by MACE-Dir (see section 2.2).
 
As for SAML 2.0, the urn:oid approach mentioned above is used to name attributes along with an optional "friendly name."  From section 3 of the document: "...in the interest of expediency, the X.500/LDAP attribute profile defined in [SAML2Prof] is adopted whenever possible."  The exceptions to this are noted in the document.
 
Hope this helps. 

        --Keith Hazelton
___________________


> Should one use urn:mace:dir:attribute-def or eduPerson. ?
>
> thanks,
>
> Alistair



-- 
________________________________________________________
Keith Hazelton                  Senior IT Architect, UW-Madison
(608) 262-0771                  Division of Info. Technology
(608) 205-2022 (home)           1210 W. Dayton St., rm. 2118A
http://arch.doit.wisc.edu/keith      Madison, WI  53706
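
The two naming conventions described in the message above, as an added example that is not part of the original post or of Shibboleth: a relying party resolves both the legacy `urn:mace:dir:attribute-def` names (SAML 1.1) and `urn:oid` names to one canonical key, and never trusts the optional friendly name. The function names, the OID subset, the AttributeNamespace and NameFormat constants, and the sample XML are assumptions of this example and do not come from the message.

```python
import xml.etree.ElementTree as ET

LEGACY = "urn:mace:dir:attribute-def:"   # SAML 1.1 names kept for backward compatibility
OID = "urn:oid:"                         # OID-based names (SAML 2.0, newly defined attributes)
SAML1_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
SAML2_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Subset of eduPerson OIDs chosen for this example.
OID_TO_LDAP = {
    "1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}

def local(tag):
    """Strip the '{namespace}' part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def canonical_name(elem):
    """Return the LDAP name for an <Attribute>, or None if it is not recognised."""
    saml1 = "AttributeName" in elem.attrib
    if saml1:
        name, ok = elem.get("AttributeName"), elem.get("AttributeNamespace") == SAML1_NS
    else:
        name, ok = elem.get("Name", ""), elem.get("NameFormat") == SAML2_FMT
    if not ok:
        return None
    if name.startswith(OID):
        return OID_TO_LDAP.get(name[len(OID):])
    if saml1 and name.startswith(LEGACY):  # legacy URNs only in SAML 1.1 (this example's policy)
        ldap = name[len(LEGACY):]
        return ldap if ldap in OID_TO_LDAP.values() else None
    return None                            # FriendlyName is never consulted

def collect(xml_text):
    """Map canonical attribute name -> values; unrecognised attributes are dropped."""
    out = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) == "Attribute" and (key := canonical_name(elem)):
            vals = [v.text for v in elem if local(v.tag) == "AttributeValue"]
            out.setdefault(key, []).extend(vals)
    return out

# Constructed sample (assumed already signature-verified): one SAML 1.1 attribute, one
# SAML 2.0 attribute, and one unknown OID whose FriendlyName claims to be an entitlement.
SAMPLE = f"""<r xmlns:a="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:b="urn:oasis:names:tc:SAML:2.0:assertion">
<a:Attribute AttributeName="{LEGACY}eduPersonPrincipalName" AttributeNamespace="{SAML1_NS}"><a:AttributeValue>alice@example.edu</a:AttributeValue></a:Attribute>
<b:Attribute Name="{OID}1.3.6.1.4.1.5923.1.1.1.1" NameFormat="{SAML2_FMT}" FriendlyName="eduPersonAffiliation"><b:AttributeValue>staff</b:AttributeValue></b:Attribute>
<b:Attribute Name="{OID}2.999.1" NameFormat="{SAML2_FMT}" FriendlyName="eduPersonEntitlement"><b:AttributeValue>urn:example:admin</b:AttributeValue></b:Attribute>
</r>"""
```

Authorization rules then key on the canonical name only, so the same policy applies whichever convention the identity provider emitted.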



