Comment: update links, DN syntax OID != attribute name

...

Much of the power of federated authentication is derived from the economies of scale accomplished by large numbers of providers speaking a lingua franca. Attributes are the language in which access control and release policies are written, and they are the piece of the infrastructure for which avoiding unnecessary proliferation of names matters most. Standards bodies have traditionally defined common attribute names and semantics (e.g. X.520, eduPerson, etc.) for LDAP and other information repositories. Some of these now define XML representations as well. Federations can also serve as focal points for attribute convergence.

The names for attributes in back-end data stores and consuming applications are decoupled from the expression of attributes on the wire. This allows arbitrary local naming as long as the SAML expression is common. At the identity provider, the mapping from data stores to SAML representations is mainly performed using attribute-resolver.xml. At the service provider, these SAML representations are then made available to the web server and web applications in raw XML or through mappings performed using attribute-map.xml.

...

It's recommended that URIs be used for attribute naming in SAML 2.0 attribute statements because of the uniqueness and namespace control they provide. The URI-based name of an attribute is expressed as the Name in the following example:


<Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:2.5.4.42"
    FriendlyName="givenName">
   <AttributeValue>Scott</AttributeValue>
</Attribute>

...

To create a URL name for an attribute, design a URL to be used as the identifier. If this attribute will be shared by a community, consider a URL that is common, e.g. https://supervillain.edu/attributes/evilPersonUniqueID for a campus-wide identifier.

...

Section 8.2 of the SAML 2.0 Profiles specification (the X.500/LDAP Attribute Profile) suggests that LDAP attributes name themselves by utilizing the urn:oid namespace. These names are simply constructed using urn:oid followed by the attribute type's standard OID. For example, inetOrgPerson's displayName attribute should be expressed as urn:oid:2.16.840.1.113730.3.1.241. Note that the OID to use is the one assigned to the attribute type itself, not the OID of its LDAP syntax: the distinguished name syntax OID 1.3.6.1.4.1.1466.115.121.1.12, for instance, identifies a syntax rather than an attribute and is not a valid attribute name.
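As an added illustration of the decoupling described above and of urn:oid naming, the following Python consumer applies a small attribute-map-style table to a constructed SAML 2.0 attribute statement. It is example code written for this page, not code from the Shibboleth IdP or SP (which do this in their XML resolver and map files). It keys strictly on NameFormat and Name, treats FriendlyName as informational only, and rejects urn:oid names that are not syntactically OIDs. The mapping table, the sample statement and its attribute values are assumptions made up for the example.

```python
"""Map SAML 2.0 attributes to local ids by wire name, never by FriendlyName.

Added example, not Shibboleth code. The mapping table and the sample
statement below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# SAML 2.0 core: an absent NameFormat means "unspecified".
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# RFC 3061 urn:oid syntax: at least two dot-separated arcs, no leading zeros.
URN_OID_RE = re.compile(r"^urn:oid:(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")

# Hypothetical local mapping in the spirit of attribute-map.xml: the key is the
# wire name, the value is the local id handed to applications.
ATTRIBUTE_MAP = {
    "urn:oid:2.5.4.42": "givenName",                      # X.520 givenName
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",   # inetOrgPerson displayName
    "https://supervillain.edu/attributes/evilPersonUniqueID": "evilPersonUniqueID",
}

# Constructed sample: two good attributes, one whose FriendlyName lies about
# its Name (it carries the DN *syntax* OID), and one using the basic format.
SAMPLE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="urn:oid:2.5.4.42" FriendlyName="givenName">
    <saml:AttributeValue>Scott</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="urn:oid:2.16.840.1.113730.3.1.241"
                  FriendlyName="displayName">
    <saml:AttributeValue>S. Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.12"
                  FriendlyName="givenName">
    <saml:AttributeValue>Mallory</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="givenName">
    <saml:AttributeValue>Eve</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def is_valid_urn_oid(name: str) -> bool:
    """True if name is a syntactically valid urn:oid URN."""
    return URN_OID_RE.match(name) is not None


def map_attributes(statement_xml: str) -> dict:
    """Return {local_id: [values]} for attributes whose (NameFormat, Name) is mapped.

    FriendlyName is never consulted: it is informational in SAML and an
    issuer (or a typo in a resolver) can attach any FriendlyName to any Name.
    """
    root = ET.fromstring(statement_xml)
    mapped: dict = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED)
        if not name or fmt != NAMEFORMAT_URI:
            continue  # this map only understands URI-format names
        if name.startswith("urn:oid:") and not is_valid_urn_oid(name):
            continue  # malformed OID URN, do not guess what was meant
        local_id = ATTRIBUTE_MAP.get(name)
        if local_id is None:
            continue  # unknown wire name, even if FriendlyName looks familiar
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        mapped.setdefault(local_id, []).extend(values)
    return mapped


def demo() -> dict:
    """Run the mapping over the constructed sample statement."""
    return map_attributes(SAMPLE_STATEMENT)


if __name__ == "__main__":
    for local_id, values in demo().items():
        print(f"{local_id} = {values}")
```

Only the two attributes whose Name is in the table survive: the "Mallory" value is dropped because its Name is the DN syntax OID rather than the givenName attribute OID, regardless of its FriendlyName, and the basic-format "Eve" value is dropped because it is not a URI-format name. Keying on FriendlyName instead would have handed the application the wrong givenName.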


urn:mace

The urn:mace namespace is a controlled namespace registered with the IETF and IANA for MACE working groups and the organizations it works with. The namespace is intended to be delegated to individual organizations through registration with MACE. Once a subspace of urn:mace has been delegated to another organization (e.g. urn:mace:switch.ch), that organization is responsible for all naming and resolution within that subspace. It is not permissible to arbitrarily define new attributes within the urn:mace namespace, or within any subtree you have not been granted.

Use this form to request a urn:mace namespace.