TWiki>
EMI Web>EmiProjectStructure>JRA1>EmiJra1>EmiJra1T4Security>EmiJra1T4SAML>CommonSAMLProfileV102 (2011-12-01, unknown)
EditAttachPDF
EMI Web>EmiProjectStructure>JRA1>EmiJra1>EmiJra1T4Security>EmiJra1T4SAML>CommonSAMLProfileV102 (2011-12-01, unknown) EditAttachPDFCommon Virtual Organization Attribute Profile version 1.0
The EMI Common VO attribute profile defines the representation of VO membership attributes as SAML attributes.Required information
Identification:http://dci-sec.org/saml/profile/virtual-organization/1.0
Contact information: emi-jra1-sec-saml@eu-emiNOSPAMPLEASE.eu
Description: Given below.
Updates: None.
SAML Attribute naming
TheNameFormat XML attribute in <Attribute> elements MUST be
urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Attribute name comparison
Two<Attribute> elements refer to the same SAML attribute if and only if their Name XML
attribute values are equal in the sense of URI matching rules (RFC 3986
).
Profile specific XML attributes
No additional XML attributes are defined for use with the<Attribute> element.
Profile specific XML data types
The following XML schema types are used in this profile
<?xml version="1.0" encoding="UTF-8"?>
<schema
xmlns="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://dci-sec.org/saml/profile/virtual-organization/1.0"
xmlns:dci-sec="http://dci-sec.org/saml/profile/virtual-organization/1.0"
elementFormDefault="qualified">
<annotation>
<documentation></documentation>
</annotation>
<attribute name="scope" type="string"/>
<complexType name="role">
<simpleContent>
<extension base="string">
<attribute ref="dci-sec:scope" use="required"/>
</extension>
</simpleContent>
</complexType>
</schema>
Attribute definitions
Virtual organization (VO)
This multi-valued attribute represents the SAML assertion subject's virtual organization membership. Name: http://dci-sec.org/saml/attribute/virtual-organization
The <AttributeValue> elements (of type xsd:string) define the name of the VO the subject is member of.
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/virtual-organization"> <AttributeValue xsi:type="xsd:string">atlas</AttributeValue> <AttributeValue xsi:type="xsd:string">example.vo.org</AttributeValue> </Attribute>Constraints:
- The VO attribute value MUST repect the following grammar:
voname ::= [a-zA-Z0-9][a-zA-Z0-9_.-]*
Groups
This multi-valued attribute represents the SAML assertion subject's VO group membership. Name: http://dci-sec.org/saml/attribute/group
The <AttributeValue> elements (of type xsd:string) define the VO groups the subject is member of.
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/group"> <AttributeValue xsi:type="xsd:string">/atlas</AttributeValue> <AttributeValue xsi:type="xsd:string">/atlas/it</AttributeValue> </Attribute>Constraints:
- Each group attribute value MUST respect the following grammar:
group ::= '/' groupname | group '/' groupname
groupname :: = [a-zA-Z0-9][a-zA-Z0-9_.-]*
- The first path element of each group must be equal to the VO name, i.e., if the VO name is
atlaseach group must start with the path/atlas.
Primary group
This single-valued attribute represents the SAML assertion subject's primary group membership. Name: http://dci-sec.org/saml/attribute/group/primary
The <AttributeValue> element (of type xsd:string) defines the primary group for the subject.
Constraints:
- The value expressed by this attribute MUST also appear in the
http://dci-sec.org/saml/attribute/groupattribute included in the SAML assertion. - All the constraints defined for the
http://dci-sec.org/saml/attribute/groupattribute are to valid also for this attribute.
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/group/primary"> <AttributeValue xsi:type="xsd:string">/atlas/it</AttributeValue> </Attribute>
Roles
This multi-valued attribute represents the roles assigned to the subject. Name: http://dci-sec.org/saml/attribute/role
The <AttributeValue> elements (of type dci-sec:role) define the roles the subject is member of.
Constraints:
- Each role attribute value MUST respect the following grammar:
rolename ::= [a-zA-Z0-9][a-zA-Z0-9_.-]*
- The value of the
dci-sec:scopeattribute must respect the grammar defined for group names, i.e.:
group ::= '/' groupname | group '/' groupname
groupname :: = [a-zA-Z0-9][a-zA-Z0-9_.-]*
- The group pointed by the
dci-sec:scopeattribute must appear in thehttp://dci-sec.org/saml/attribute/groupattribute included in the SAML assertion.
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role"> <AttributeValue xsi:type="dci-sec:role" dci-sec:scope="/atlas/it">lcgadmin</AttributeValue> </Attribute>
Primary role
This single-valued attribute represents the SAML assertion subject's primary role membership. Name: http://dci-sec.org/saml/attribute/role/primary
The <AttributeValue> element (of type dci-sec:role) defines the primary role for the subject.
Constraints: - All the constraints specfied for the
http://dci-sec.org/saml/attribute/roleattribute values apply to this attribute. - The value expressed by this attribute MUST also appear in the
http://dci-sec.org/saml/attribute/roleattribute included in the SAML assertion.
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role/primary">
<AttributeValue
xsi:type="dci-sec:role"
dci-sec:scope="/atlas/it">lcgadmin</AttributeValue>
</Attribute>
-- AndreaCeccanti - 01-Dec-2011 Edit | Attach | 
EMI Web
News
Events
Procedures and Tools
Mailing Lists
Documents
Project Structure
Create New Topic
Index
Search
Changes
Statistics
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback