Common SAML attribute profile Strawman proposal

This is the strawman proposal for a SAML EMI common attribute profile. This document is structured following the conventions suggested by OASIS on SAML attribute profile document structure (more or less).

Required information

Identification: http://dci-sec.org/saml/profile/common-attributes/1.0

Contact information: emi-jra1-sec-saml@eu-emiNOSPAMPLEASE.eu

Description: ...

Updates: ...

SAML Attribute naming

The NameFormat XML attribute in <Attribute> elements MUST be

urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Attribute name comparison

Two <Attribute> elements refer to the same SAML attribute if and only if their Name XML attribute values are equal in the sense of URI matching rules [TODO: insert correct reference here].

Profile specific XML attributes

No additional XML attributes are defined for use with the <Attribute> element.

SAML attribute values

Scoped attribute values

How do we define scoped attribute values? One proposal is to define the attribute value as a URI with the scope being the fragment part. One example, taken from the Chemomentum profile:

<AttributeValue xsi:type="xs:anyURI">group://example.org/TestVO/Sailors#Cook</AttributeValue>

This approach limits us to using only URIs as attribute values (which IMHO is unnecessary).

Another possibility is to decouple the scope from the URI attribute value and define it either as an XML attribute or as an additional element in the attribute value. Two examples below:


<!-- Namespaces omitted for readability -->

<!-- In this example the scope is defined as additional attribute -->
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role">
   <AttributeValue xsi:type="xs:string" emi:group="production">software-manager</AttributeValue>
</Attribute>

<!-- In this example the scope is defined as an additional element in the attribute value -->
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role">
   <AttributeValue xsi:type="emi:scoped-role">
     <role xsi:type="xs:string">software-manager</role>
     <group xsi:type="xs:string">production</group>
   </AttributeValue>
</Attribute>

I would tailor the scope definition to the specific attribute being defined, instead of coming up with something generic that may not fit with all definitions. My opinion is that we should put structure in the XML definition (for the new types) instead of putting it in the attribute values and use simple types (i.e., xs:string) as much as possible.

Attribute definitions

Virtual organization (VO)

This single-valued attribute represents the SAML assertion subject's virtual organization membership.

Name: http://dci-sec.org/saml/attribute/virtual-organization

The <AttributeValue> element contains a string defining the name of the VO the subject is member of.

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/virtual-organization">
   <AttributeValue xsi:type="xs:string">atlas</AttributeValue>
</Attribute>

Groups

This multi-valued attribute represents the SAML assertion subject's VO group membership.

Name: http://dci-sec.org/saml/attribute/group

Each <AttributeValue> element contains a string defining the name of the group the subject is member of.

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/group">
   <AttributeValue xsi:type="xs:string">production</AttributeValue>
   <AttributeValue xsi:type="xs:string">analysis</AttributeValue>
   <AttributeValue xsi:type="xs:string">higgs</AttributeValue>
   <AttributeValue xsi:type="xs:string">test</AttributeValue>
</Attribute>

Roles

This multi-valued attribute represents the roles assigned to the subject.

Name: http://dci-sec.org/saml/attribute/role

Each <AttributeValue> element contains a scoped attribute defining the name of the role and its (optional) scope.

In the example below I use the attribute-based scope syntax defined before:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role">
   <AttributeValue xsi:type="xs:string" emi:group="italy">coordinator</AttributeValue>
   <!-- below an example of unscoped role attribute -->
   <AttributeValue xsi:type="xs:string">Software-Manager</AttributeValue>
</Attribute>

Primary VO membership attribute

This single-valued attribute represents the default membership attribute assigned to the subject.

Name: http://dci-sec.org/saml/attribute/primary

The <AttributeValue> element contains a string that refers to either a group or a role listed in the groups or roles attributes defined above. An emi:attribute-type XML attribute could be used to distinguish among roles, groups and other kinds of values (however I would love a cleaner solution that does not come to mind right now).

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/primary">
   <AttributeValue xsi:type="xs:string">WorldDominator</AttributeValue>
</Attribute>

VOMS FQAN

This multi-valued attribute represents the list of VOMS FQANs assigned to the subject.

Name: http://dci-sec.org/saml/attribute/fqan

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/fqan">
  <AttributeValue xsi:type="emi:fqan">/dteam/italy/Role=VO-Admin</AttributeValue>
  <AttributeValue xsi:type="emi:fqan">/dteam</AttributeValue>
  <AttributeValue xsi:type="emi:fqan">/dteam/italy</AttributeValue>
</Attribute>

VOMS primary FQAN

This single-valued attribute represents the primary VOMS FQAN assigned to the subject.

Name: http://dci-sec.org/saml/attribute/fqan/primary

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/fqan/primary">
  <AttributeValue xsi:type="emi:fqan">/dteam/italy/Role=VO-Admin</AttributeValue>
</Attribute>

VOMS generic attribute

This multi-valued attribute represents the list of VOMS generic attributes assigned to the subject.

Name: http://dci-sec.org/saml/attribute/voms-ga

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/voms-ga">
   <AttributeValue xsi:type="emi:voms-generic-attribute">
      <name xsi:type="xs:string">nickname</name>
      <value xsi:type="xs:string">andrea</value>
      <scope xsi:type="emi:fqan">/atlas/production</scope>
   </AttributeValue>
   <AttributeValue xsi:type="emi:voms-generic-attribute">
      <name xsi:type="xs:string">telephone-number</name>
      <value xsi:type="xs:string">+39 051 111111</value>
   </AttributeValue>
</Attribute>
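As an added example that is not part of this proposal (nor of any EMI or VOMS code), the following Python parses a constructed AttributeStatement built from the attributes above and applies the profile's rules: the URI NameFormat, exact-string comparison of attribute names, the single-valued attributes, the attribute-based emi:group scope from the scoped-values discussion, the requirement that primary names a group or role actually asserted for the subject, and splitting a VOMS FQAN into its group path and Role. The emi namespace URI is an assumption, since the examples above omit namespaces.

```python
import xml.etree.ElementTree as ET
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
EMI = "http://dci-sec.org/saml/emi"  # assumed URI for the emi: prefix; the proposal omits it
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASE = "http://dci-sec.org/saml/attribute/"

# Constructed sample statement: one attribute of each kind defined above (values are made up).
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML}" xmlns:xsi="{XSI}" xmlns:emi="{EMI}">
 <saml:Attribute NameFormat="{URI_FORMAT}" Name="{BASE}virtual-organization">
  <saml:AttributeValue xsi:type="xs:string">atlas</saml:AttributeValue></saml:Attribute>
 <saml:Attribute NameFormat="{URI_FORMAT}" Name="{BASE}group">
  <saml:AttributeValue xsi:type="xs:string">production</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">analysis</saml:AttributeValue></saml:Attribute>
 <saml:Attribute NameFormat="{URI_FORMAT}" Name="{BASE}role">
  <saml:AttributeValue xsi:type="xs:string" emi:group="italy">coordinator</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">Software-Manager</saml:AttributeValue></saml:Attribute>
 <saml:Attribute NameFormat="{URI_FORMAT}" Name="{BASE}primary">
  <saml:AttributeValue xsi:type="xs:string">production</saml:AttributeValue></saml:Attribute>
 <saml:Attribute NameFormat="{URI_FORMAT}" Name="{BASE}fqan">
  <saml:AttributeValue xsi:type="emi:fqan">/dteam/italy/Role=VO-Admin</saml:AttributeValue>
  <saml:AttributeValue xsi:type="emi:fqan">/dteam</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def parse_statement(xml_text):
    """Map Name (compared as an exact URI string) -> [(value, emi:group scope)], enforcing the profile."""
    attrs = {}
    for a in ET.fromstring(xml_text).findall(f"{{{SAML}}}Attribute"):
        if a.get("NameFormat") != URI_FORMAT:
            raise ValueError(f"NameFormat MUST be {URI_FORMAT}, got {a.get('NameFormat')!r}")
        vals = [((v.text or "").strip(), v.get(f"{{{EMI}}}group")) for v in a.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    for suffix in ("virtual-organization", "primary", "fqan/primary"):
        if len(attrs.get(BASE + suffix, [])) > 1:
            raise ValueError(f"{suffix} is single-valued")
    # 'primary' must refer to a group or role that is actually asserted for the subject
    primary = attrs.get(BASE + "primary")
    if primary:
        known = {v for v, _ in attrs.get(BASE + "group", []) + attrs.get(BASE + "role", [])}
        if primary[0][0] not in known:
            raise ValueError(f"primary {primary[0][0]!r} matches no asserted group or role")
    return attrs

def parse_fqan(fqan):
    """Split a VOMS FQAN such as /dteam/italy/Role=VO-Admin into (group path, role or None)."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must be an absolute group path")
    parts = fqan.split("/")
    role = parts.pop()[len("Role="):] if parts[-1].startswith("Role=") else None
    return "/".join(parts), role
```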

-- AndreaCeccanti - 12-Oct-2010

Topic revision: r3 - 2010-10-12 - AndreaCeccantiExCern