Common SAML attribute profile phone meeting 09.28.2010

Attendees: Andrea Ceccanti, Aleksander Konstantinov, Valery Tschopp,Krzysztof Benedyczak, Ali Gholami

Short report

Characterisation of SAML usage in existing middleware

  • No production use of SAML for gLite and ARC.
  • SAML assertions used in UNICORE to carry VO membership attributes that are used for authorization purposes.

Common SAML attribute profile

Chemomentum VO SAML profile is a good starting point but:

  • Attribute value syntax quite complex, maybe we can come up with something simpler.
  • Does not cover the concept of primary attribute (crucial for existing infrastructure)


  • Simple mapping of SAML to XACML attributes conforming to the XACML attribute profile rules defined in section 8.5 of SAML profiles document and SAML 2.0 profile of XACML 2.0.
  • Definition of scoped attribute values (roles scoped in groups, voms-ga scoped in voms-fqans etc...)
  • Definition of VO membership attribute
  • Definition of VO group membership attribute
  • Definition of VO role posession attribute
  • Support for VOMS fqans (bag of fqans + primary fqan)
  • Support for VOMS generic attributes

Starting from this requirements here is the link to a strawman proposal on which we can base further discussions:

-- AndreaCeccanti - 28-Sep-2010

Topic attachments
I Attachment HistorySorted ascending Action Size Date Who Comment
Unknown file formatodt VO-SAML-profile-C9mAndOMII.odt r1 manage 54.6 K 2010-10-12 - 15:50 UnknownUser Chemomentum VO SAML profile

This topic: EMI > WebHome > EmiProjectStructure > JRA1 > EmiJra1 > EmiJra1T4Security > EmiJra1T4SAML > SAMLMeeting092810
Topic revision: r4 - 2010-10-12 - unknown
This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback