
shibboleth-dev - Re: SAML 1 Default Attribute namespace

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To:
  • Subject: Re: SAML 1 Default Attribute namespace
  • Date: Wed, 21 Mar 2007 10:01:57 -0400
  • Organization: University Information Systems

Alright, apparently this requires further explanation.

Different protocols have different ways of representing the "name" of an attribute and may have different values for those components. It happens to be the case that both SAML 1 and SAML 2 define two-part attribute names, but they are not the same two parts. Other protocols may define attributes in pretty much any way imaginable (and then some). Therefore Shib has a protocol-agnostic data structure that represents attributes.

These attributes are identified by a unique ID which is used within the resolver and filter engine. As the attributes are being prepared to be written out to the wire, for a specific protocol, they are encoded, and it's only after this encoding process that attributes take on a name facet. The attribute IDs, used up to that point, are almost certainly simple strings that are meaningful to the deployer.

So, the case we are talking about occurs when a resolver configuration defines an attribute (via an attribute definition), the filter policy says the attribute is okay to release to the relying party, but the deployer has provided *no* information into the encoding process to SAML 1. Using the attribute ID as the first part of the attribute name (the Attribute[@AttributeName]) seems pretty reasonable. The question is what do we use for the second part (Attribute[@AttributeNamespace]). The current Shibboleth URI namespace is defined to mean that the attribute name will be a URI, and people are almost certainly not going to define their attribute IDs like that, so this namespace does not apply, and SAML 1 does not provide an equivalent to the SAML 2 "unspecified" option.

So, we have to have something, per the spec. We can't use the current one, in this particular case, because it carries with it semantics that are not guaranteed to be (and almost certainly are not) true.

Tom Scavo wrote:
> On 3/20/07, Chad La Joie <> wrote:
>
>> However, we'd like some guidance on what namespace to use. The current
>> one, urn:mace:shibboleth:1.0:attributeNamespace:uri, is defined, amongst
>> other things, to indicate that the attribute name is a URI.
>
> I would think you would want to preserve the above URI for wire
> compatibility with Shib 1.x, correct?
>
> Tom

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
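
The encoding step discussed in the message above, as an added example that is not part of the original post and is not Shibboleth code: a protocol-agnostic attribute (ID plus values) is turned into a SAML 1 `Attribute` element, and the Shibboleth URI namespace is refused when the name is not a URI. The function names, the `encoder_config` dictionary and the fallback namespace value are hypothetical; the thread does not settle on a default namespace, so a labelled placeholder stands in for it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Namespace quoted in the thread; it asserts that AttributeName is a URI.
SHIB_URI_NAMESPACE = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
# Placeholder only: the thread has not chosen a namespace for non-URI names.
PLACEHOLDER_DEFAULT_NAMESPACE = "urn:example:PLACEHOLDER:default-attribute-namespace"


def is_uri(name):
    """True when the name carries a scheme, e.g. 'urn:...' or 'https://...'."""
    parsed = urlparse(name)
    return bool(parsed.scheme) and bool(parsed.netloc or parsed.path)


def encode_saml1_attribute(attr_id, values, encoder_config=None):
    """Encode an internal attribute as a SAML 1 <Attribute> element.

    encoder_config (hypothetical shape): optional dict with 'name' and/or
    'namespace' supplied by the deployer. With no config, the attribute ID
    becomes AttributeName and the placeholder namespace is used.
    """
    cfg = encoder_config or {}
    name = cfg.get("name", attr_id)
    namespace = cfg.get("namespace", PLACEHOLDER_DEFAULT_NAMESPACE)
    # The URI namespace carries semantics: do not emit it for a plain-string name.
    if namespace == SHIB_URI_NAMESPACE and not is_uri(name):
        raise ValueError(
            f"AttributeName {name!r} is not a URI but namespace claims it is")
    attr = ET.Element(f"{{{SAML1_NS}}}Attribute",
                      {"AttributeName": name, "AttributeNamespace": namespace})
    for value in values:
        ET.SubElement(attr, f"{{{SAML1_NS}}}AttributeValue").text = value
    return attr


if __name__ == "__main__":
    ET.register_namespace("saml", SAML1_NS)
    # Constructed sample input: internal ID 'mail', no encoder configuration.
    print(ET.tostring(encode_saml1_attribute("mail", ["user@example.org"]),
                      encoding="unicode"))
    # Constructed sample input: deployer supplies a URI name and the Shib namespace.
    explicit = {"name": "urn:mace:dir:attribute-def:mail",
                "namespace": SHIB_URI_NAMESPACE}
    print(ET.tostring(encode_saml1_attribute("mail", ["user@example.org"], explicit),
                      encoding="unicode"))
```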


