Attribute Names and Shibboleth

Shibboleth relies on consistent attribute naming to deliver information about browser users in a mutually understood way between the IdP and SP. Every attribute which has a definition and semantics that differ from others must have its own unique representation in a SAML attribute statement to ensure that there are no misinterpretations or communication failures. This name must be expected and handled by relying parties. Values, vocabularies, and their meaning should be discussed as well, but are outside the scope of this document.

...

SAML Naming Conventions

It's recommended that URIs be used for attribute naming in SAML 2.0 attribute statements because of the uniqueness and namespace control they provide. The URI-based name of an attribute is expressed as the Name in the following example:

...

The following steps should be followed when naming a new attribute:

  1. Is this attribute standardized or defined by any organization which has already assigned it a unique identifier? If so, it should be used if at all possible.

  2. If the attribute is defined through an LDAP object class, there is probably already an OID assigned. When possible, leverage the existing urn:oid namespace.

  3. If no suitable name yet exists for this attribute, consider creating one, preferably by constructing a proper URL or, if necessary, by using a delegated urn:mace namespace.

URL Naming

The most favored way of naming a SAML attribute is through URL naming. The creation and meaning of URLs is generally well understood by many people, and the DNS namespace is already extremely structured. Define new URLs only in namespaces you control and do your part to prevent attribute proliferation.

To create a URL name for an attribute, design a URL to be used as the identifier. If this attribute will be shared by a community, consider a URL that is common, e.g. https://supervillain.edu/attributes/evilPersonUniqueID for a campus-wide identifier.

URL attribute names may even be resolvable into documentation, providing helpful information for unwitting relying parties.

urn:oid

Section 8.2 of the SAML 2.0 Profiles specification suggests that LDAP attributes be named using the urn:oid namespace. These names are simply constructed as urn:oid followed by a standard OID. For example, inetOrgPerson's displayName attribute should be expressed as urn:oid:2.16.840.1.113730.3.1.241.

urn:mace

The urn:mace namespace is a controlled namespace that is registered with the IETF and IANA for MACE working groups and the organizations it works with. The namespace is intended to be delegated to individual organizations through registration with MACE. Once a subspace of urn:mace has been delegated to another organization (e.g. urn:mace:switch.ch), that organization is responsible for any naming and resolution within that subspace. However, it is not permissible to arbitrarily define new attributes within the urn:mace namespace, or in any subtree you have not been granted.
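The naming steps above and the three namespaces (URL, urn:oid, urn:mace) can be checked mechanically before an IdP releases an attribute statement or an SP accepts one. The following is an added example, not code from the Shibboleth project or from this page: it parses a SAML 2.0 AttributeStatement, verifies that each Attribute carries the URI NameFormat, classifies the Name, and flags names that are not URIs, urn:mace subspaces that were not delegated to you, and URL names under hosts you do not control. The sample statement, the attribute values, the `urn:mace:...:exampleAttribute` names and the sets of controlled hosts and delegated subspaces are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# SAML 2.0 Core: an Attribute without NameFormat is treated as "unspecified".
UNSPECIFIED_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
OID_RE = re.compile(r"^urn:oid:\d+(\.\d+)+$")

# Constructed sample statement: three well-formed names, one urn:mace name in a
# subspace nobody delegated to us, and one bare LDAP-style name with no NameFormat.
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>Dr. Evil</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://supervillain.edu/attributes/evilPersonUniqueID"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>evil0001</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:switch.ch:exampleAttribute"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>x</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:example.org:exampleAttribute"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>y</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName">
    <saml:AttributeValue>Dr. Evil</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed policy: hosts whose DNS names we control and urn:mace subspaces delegated to us.
CONTROLLED_HOSTS = {"supervillain.edu"}
DELEGATED_MACE = {"switch.ch"}


def classify_name(name):
    """Return 'urn:oid', 'urn:mace', 'url' or 'other' for a SAML attribute Name."""
    if name.startswith("urn:oid:"):
        return "urn:oid"
    if name.startswith("urn:mace:"):
        return "urn:mace"
    parsed = urlparse(name)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "other"


def check_attribute(name, name_format, controlled_hosts, delegated_mace):
    """Apply the naming conventions to one attribute; return its kind and any problems."""
    kind = classify_name(name)
    problems = []
    if name_format != URI_NAME_FORMAT:
        problems.append("NameFormat is not the SAML 2.0 URI format")
    if kind == "urn:oid":
        if not OID_RE.match(name):
            problems.append("urn:oid name is not a dotted-decimal OID")
    elif kind == "urn:mace":
        # urn:mace:<subspace>:... -> the subspace must have been delegated to us
        parts = name.split(":")
        subspace = parts[2] if len(parts) > 2 else ""
        if subspace not in delegated_mace:
            problems.append(f"urn:mace subspace '{subspace}' was not delegated to us")
    elif kind == "url":
        host = urlparse(name).netloc.lower()
        if host not in controlled_hosts:
            problems.append(f"URL host '{host}' is not a namespace we control")
    else:
        problems.append("name is not a URI; relying parties cannot disambiguate it")
    return {"name": name, "kind": kind, "problems": problems}


def check_statement(xml_text, controlled_hosts, delegated_mace):
    """Check every saml:Attribute in an AttributeStatement and return one result per attribute."""
    root = ET.fromstring(xml_text)
    results = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat", UNSPECIFIED_NAME_FORMAT)
        results.append(check_attribute(name, fmt, controlled_hosts, delegated_mace))
    return results


if __name__ == "__main__":
    for r in check_statement(SAMPLE_STATEMENT, CONTROLLED_HOSTS, DELEGATED_MACE):
        status = "ok" if not r["problems"] else "; ".join(r["problems"])
        print(f"{r['kind']:9s} {r['name']}: {status}")
```

The checker treats a missing NameFormat as the SAML 2.0 default ("unspecified"), so an LDAP-style bare name such as displayName is reported both for its format and for not being a URI. The sets of controlled hosts and delegated subspaces are the deployment's own policy; an SP would typically run the same checks against the attribute names it has agreed to accept rather than against names it owns.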

...