Common SAML attribute profile Strawman proposal
This is the strawman proposal for a SAML EMI common attribute profile. This document is structured following the conventions suggested by OASIS for SAML attribute profile documents (more or less).
Required information
Identification:
http://dci-sec.org/saml/profile/common-attributes/1.0
Contact information:
emi-jra1-sec-saml@eu-emiNOSPAMPLEASE.eu
Description: ...
Updates: ...
SAML Attribute naming
The NameFormat XML attribute in <Attribute> elements MUST be urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
Attribute name comparison
Two <Attribute> elements refer to the same SAML attribute if and only if their Name XML attribute values are equal in the sense of URI matching rules [TODO: insert correct reference here].
Profile specific XML attributes
No additional XML attributes are defined for use with the <Attribute> element.
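The two rules above (mandatory URI NameFormat, Name comparison as URIs) are easy to get subtly wrong in a relying party, for instance by treating a missing NameFormat as acceptable or by comparing Names with plain string equality. The following is an added example, not code from the proposal: it checks both rules over a constructed AttributeStatement with the Python standard library. The URI comparison applied here is the RFC 3986 case normalisation of scheme and host only (the reference the text still has to pick may be stricter or looser); everything else is compared byte-for-byte.

```python
# Added example (not part of the strawman proposal): checking the NameFormat rule
# and comparing attribute Names as URIs with the Python standard library.
# The sample statement below is constructed for this example.
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="http://dci-sec.org/saml/attribute/role"/>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="HTTP://DCI-SEC.ORG/saml/attribute/role"/>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                  Name="http://dci-sec.org/saml/attribute/Role"/>
</saml:AttributeStatement>"""


def name_format_is_valid(attribute: ET.Element) -> bool:
    """The profile requires the URI name format. A missing NameFormat is rejected
    too: SAML 2.0 would default it to 'unspecified', not to 'uri'."""
    return attribute.get("NameFormat") == URI_NAME_FORMAT


def normalize_uri(uri: str) -> str:
    """Case-normalise scheme and host (RFC 3986 section 6.2.2.1); path, query
    and fragment stay byte-for-byte, so '.../role' and '.../Role' differ."""
    parts = urlsplit(uri.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


def same_saml_attribute(a: ET.Element, b: ET.Element) -> bool:
    """Two <Attribute> elements denote the same SAML attribute iff their Names match."""
    return normalize_uri(a.get("Name", "")) == normalize_uri(b.get("Name", ""))


def check_statement(xml_text: str) -> Dict[str, List[bool]]:
    """Run both checks over every <Attribute> in an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs: List[ET.Element] = root.findall(f"{{{SAML_NS}}}Attribute")
    return {
        "name_format_ok": [name_format_is_valid(a) for a in attrs],
        "same_as_first": [same_saml_attribute(attrs[0], a) for a in attrs],
    }


if __name__ == "__main__":
    print(check_statement(SAMPLE))
    # -> name_format_ok [True, True, False]; same_as_first [True, True, False]
```

The second sample attribute differs from the first only in the case of scheme and host and is therefore the same SAML attribute; the third uses the basic NameFormat (rejected) and a different path case (a different attribute).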
SAML attribute values
Scoped attribute values
How do we define scoped attribute values?
One proposal is to define the attribute value as a URI with the scope being the fragment part. One example, taken from the Chemomentum profile:
<AttributeValue xsi:type="xs:anyURI">group://example.org/TestVO/Sailors#Cook</AttributeValue>
This approach limits us to using only URIs as attribute values (which IMHO is unnecessary).
Another possibility is to decouple the scope from the URI attribute value and define it either as an XML attribute or as an additional element in the attribute value.
Two examples below:
<!-- Namespaces omitted for readability -->
<!-- In this example the scope is defined as additional attribute -->
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role">
<AttributeValue xsi:type="xs:string" emi:group="production">software-manager</AttributeValue>
</Attribute>
<!-- In this example the scope is defined as an additional element in the attribute value -->
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role">
<AttributeValue xsi:type="emi:scoped-role">
<role xsi:type="xs:string">software-manager</role>
<group xsi:type="xs:string">production</group>
</AttributeValue>
</Attribute>
I would tailor the scope definition to the specific attribute being defined, instead of coming up with something generic that may not fit with all definitions. My opinion is that we should put structure in the XML definition (for the new types) instead of putting it in the attribute values and use simple types (i.e., xs:string) as much as possible.
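Whichever encoding is chosen, a consumer has to extract the same (name, scope) pair from it and reject degenerate values such as an empty role. The following is an added example, not code from the proposal: a parser that accepts both encodings sketched above. It assumes a placeholder emi namespace URI (urn:example:emi, since the proposal omits the namespaces) and compares the xsi:type prefix literally instead of resolving it against the in-scope declarations; the sample statement is constructed.

```python
# Added example (not the proposal's own code): one parser that accepts both
# scoped-value encodings sketched above and returns (name, scope) pairs.
# Assumptions: the emi namespace URI is a placeholder (the proposal omits it),
# and the xsi:type prefix is compared literally rather than resolved.
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
EMI_NS = "urn:example:emi"  # placeholder namespace, not defined by the proposal
ROLE_NAME = "http://dci-sec.org/saml/attribute/role"

# Constructed sample: the same role once per encoding, plus an unscoped role.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:emi="{EMI_NS}">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="{ROLE_NAME}">
    <saml:AttributeValue xsi:type="xs:string" emi:group="production">software-manager</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">auditor</saml:AttributeValue>
    <saml:AttributeValue xsi:type="emi:scoped-role">
      <role xsi:type="xs:string">software-manager</role>
      <group xsi:type="xs:string">production</group>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample with a blank value, which must be rejected.
BAD_SAMPLE = SAMPLE.replace(">auditor<", "> <")


def _text(el: Optional[ET.Element]) -> str:
    return (el.text or "").strip() if el is not None else ""


def parse_scoped_value(value: ET.Element) -> Tuple[str, Optional[str]]:
    """Return (name, scope); scope is None for an unscoped value."""
    xsi_type = value.get(f"{{{XSI_NS}}}type", "")
    if xsi_type.split(":", 1)[-1] == "scoped-role":  # element-based encoding
        role, group = _text(value.find("role")), _text(value.find("group"))
        if not role:
            raise ValueError("scoped-role value without a non-empty <role>")
        return role, group or None
    # attribute-based encoding: the scope is the emi:group XML attribute
    name = _text(value)
    if not name:
        raise ValueError("empty attribute value")
    scope = value.get(f"{{{EMI_NS}}}group")
    return name, (scope.strip() or None) if scope is not None else None


def parse_roles(xml_text: str) -> List[Tuple[str, Optional[str]]]:
    """Collect (role, scope) pairs from every role attribute in the statement."""
    root = ET.fromstring(xml_text)
    roles: List[Tuple[str, Optional[str]]] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_NAME:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            roles.append(parse_scoped_value(value))
    return roles


if __name__ == "__main__":
    print(parse_roles(SAMPLE))
```

Both encodings of the scoped role come out as the same pair, which is the property a relying party needs if the profile ends up allowing either form; the unscoped role yields a None scope rather than an empty string, so "no scope" and "empty scope" cannot be confused downstream.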
Attribute definitions
Virtual organization (VO)
This single-valued attribute represents the SAML assertion subject's virtual organization membership.
Name:
http://dci-sec.org/saml/attribute/virtual-organization
The <AttributeValue> element contains a string defining the name of the VO the subject is a member of.
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/virtual-organization">
<AttributeValue xsi:type="xs:string">atlas</AttributeValue>
</Attribute>
Groups
This multi-valued attribute represents the SAML assertion subject's VO group membership.
Name:
http://dci-sec.org/saml/attribute/group
Each <AttributeValue> element contains a string defining the name of a group the subject is a member of.
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/group">
<AttributeValue xsi:type="xs:string">production</AttributeValue>
<AttributeValue xsi:type="xs:string">analysis</AttributeValue>
<AttributeValue xsi:type="xs:string">higgs</AttributeValue>
<AttributeValue xsi:type="xs:string">test</AttributeValue>
</Attribute>
Roles
This multi-valued attribute represents the roles assigned to the subject.
Name:
http://dci-sec.org/saml/attribute/role
Each <AttributeValue> element contains a scoped attribute value defining the name of the role and its (optional) scope.
In the example below I use the attribute-based scope syntax defined above:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role">
<AttributeValue xsi:type="xs:string" emi:group="italy">coordinator</AttributeValue>
<!-- below an example of unscoped role attribute -->
<AttributeValue xsi:type="xs:string">Software-Manager</AttributeValue>
</Attribute>
Primary VO membership attribute
This single-valued attribute represents the default membership attribute assigned to the subject.
Name:
http://dci-sec.org/saml/attribute/primary
The <AttributeValue> element contains a string that refers to either a group or a role which is part of the groups or roles attributes defined above. An emi:attribute-type attribute could be used to distinguish among roles and groups and other stuff (however I would love a cleaner solution that does not come to mind right now).
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/primary">
<AttributeValue xsi:type="xs:string">WorldDominator</AttributeValue>
</Attribute>
VOMS FQAN
This multi-valued attribute represents the list of VOMS FQANs assigned to the subject.
Name:
http://dci-sec.org/saml/attribute/fqan
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/fqan">
<AttributeValue xsi:type="emi:fqan">/dteam/italy/Role=VO-Admin</AttributeValue>
<AttributeValue xsi:type="emi:fqan">/dteam</AttributeValue>
<AttributeValue xsi:type="emi:fqan">/dteam/italy</AttributeValue>
</Attribute>
VOMS primary FQAN
This single-valued attribute represents the primary VOMS FQAN assigned to the subject.
Name:
http://dci-sec.org/saml/attribute/fqan/primary
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/fqan/primary">
<AttributeValue xsi:type="emi:fqan">/dteam/italy/Role=VO-Admin</AttributeValue>
</Attribute>
VOMS generic attribute
This multi-valued attribute represents the list of VOMS generic attributes assigned to the subject.
Name:
http://dci-sec.org/saml/attribute/voms-ga
Example:
<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/voms-ga">
<AttributeValue xsi:type="emi:voms-generic-attribute">
<name xsi:type="xs:string">nickname</name>
<value xsi:type="xs:string">andrea</value>
<scope xsi:type="emi:fqan">/atlas/production</scope>
</AttributeValue>
<AttributeValue xsi:type="emi:voms-generic-attribute">
<name xsi:type="xs:string">telephone-number</name>
<value xsi:type="xs:string">+39 051 111111</value>
</AttributeValue>
</Attribute>
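The attribute definitions above carry cross-attribute invariants that a schema alone does not express: the single-valued attributes (VO, primary, primary FQAN) must not carry several values, the primary membership attribute must name one of the listed groups or roles, the primary FQAN must be one of the listed FQANs, and FQAN-typed values (including a generic attribute's scope) must follow the VOMS FQAN syntax. The following is an added example, not code from the proposal: a consistency checker that parses a constructed statement built from the definitions above and reports every violated invariant. It assumes a placeholder emi namespace URI (urn:example:emi), the attribute-based scope syntax for roles, and a simplified FQAN grammar of the form /vo[/group...][/Role=r][/Capability=c].

```python
# Added example, not part of the proposal: a consistency checker for a complete
# attribute statement built from the definitions above. Assumptions: the emi
# namespace URI (urn:example:emi) is a placeholder and FQAN_RE is a simplified
# rendering of /vo[/group...][/Role=r][/Capability=c].
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASE = "http://dci-sec.org/saml/attribute/"
SINGLE_VALUED = (BASE + "virtual-organization", BASE + "primary", BASE + "fqan/primary")
FQAN_RE = re.compile(r"^/[^/=\s]+(?:/[^/=\s]+)*(?:/Role=[^/=\s]+)?(?:/Capability=[^/=\s]+)?$")

# Constructed sample; {vo_extra}, {primary}, {pfqan} and {extra} are filled in by statement().
TEMPLATE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:emi="urn:example:emi">
  <saml:Attribute NameFormat="{nf}" Name="{base}virtual-organization">
    <saml:AttributeValue xsi:type="xs:string">dteam</saml:AttributeValue>{vo_extra}</saml:Attribute>
  <saml:Attribute NameFormat="{nf}" Name="{base}group">
    <saml:AttributeValue xsi:type="xs:string">italy</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">production</saml:AttributeValue></saml:Attribute>
  <saml:Attribute NameFormat="{nf}" Name="{base}role">
    <saml:AttributeValue xsi:type="xs:string" emi:group="italy">VO-Admin</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">software-manager</saml:AttributeValue></saml:Attribute>
  <saml:Attribute NameFormat="{nf}" Name="{base}primary">
    <saml:AttributeValue xsi:type="xs:string">{primary}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute NameFormat="{nf}" Name="{base}fqan">
    <saml:AttributeValue xsi:type="emi:fqan">/dteam/italy/Role=VO-Admin</saml:AttributeValue>
    <saml:AttributeValue xsi:type="emi:fqan">/dteam</saml:AttributeValue>
    <saml:AttributeValue xsi:type="emi:fqan">/dteam/italy</saml:AttributeValue>{extra}</saml:Attribute>
  <saml:Attribute NameFormat="{nf}" Name="{base}fqan/primary">
    <saml:AttributeValue xsi:type="emi:fqan">{pfqan}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute NameFormat="{nf}" Name="{base}voms-ga">
    <saml:AttributeValue xsi:type="emi:voms-generic-attribute">
      <name xsi:type="xs:string">nickname</name><value xsi:type="xs:string">andrea</value>
      <scope xsi:type="emi:fqan">/dteam/italy</scope></saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def statement(primary: str = "italy", pfqan: str = "/dteam/italy/Role=VO-Admin",
              extra: str = "", vo_extra: str = "") -> str:
    """Render the constructed statement; the defaults form a consistent one."""
    return TEMPLATE.format(nf=URI_NAME_FORMAT, base=BASE, primary=primary,
                           pfqan=pfqan, extra=extra, vo_extra=vo_extra)


def _q(ns: str, local: str) -> str:
    return f"{{{ns}}}{local}"


def _text(el: Optional[ET.Element]) -> str:
    return (el.text or "").strip() if el is not None else ""


def _values_by_name(root: ET.Element) -> Dict[str, List[ET.Element]]:
    """Group <AttributeValue>s by attribute Name; reject non-URI NameFormats."""
    found: Dict[str, List[ET.Element]] = {}
    for attr in root.iter(_q(SAML_NS, "Attribute")):
        if attr.get("NameFormat") != URI_NAME_FORMAT:
            raise ValueError(f"NameFormat on {attr.get('Name')} is not the URI format")
        found.setdefault(attr.get("Name", ""), []).extend(attr.findall(_q(SAML_NS, "AttributeValue")))
    return found


def validate_statement(xml_text: str) -> List[str]:
    """Return the list of consistency problems found (empty means consistent)."""
    problems: List[str] = []
    found = _values_by_name(ET.fromstring(xml_text))
    for name in SINGLE_VALUED:
        if len(found.get(name, [])) > 1:
            problems.append(f"{name} must carry at most one value")
    groups = {_text(v) for v in found.get(BASE + "group", [])}
    roles = {_text(v) for v in found.get(BASE + "role", [])}  # scope is in emi:group, name is the text
    for v in found.get(BASE + "primary", []):
        if _text(v) not in groups | roles:
            problems.append(f"primary '{_text(v)}' is neither a listed group nor a listed role")
    fqans = [_text(v) for v in found.get(BASE + "fqan", [])]
    problems += [f"malformed FQAN '{f}'" for f in fqans if not FQAN_RE.match(f)]
    for v in found.get(BASE + "fqan/primary", []):
        if _text(v) not in fqans:
            problems.append(f"primary FQAN '{_text(v)}' is not in the FQAN list")
    for v in found.get(BASE + "voms-ga", []):
        if not _text(v.find("name")) or v.find("value") is None:
            problems.append("VOMS generic attribute without <name> and <value>")
        scope = _text(v.find("scope"))
        if scope and not FQAN_RE.match(scope):
            problems.append(f"generic attribute scope '{scope}' is not an FQAN")
    return problems


if __name__ == "__main__":
    print(validate_statement(statement()))  # consistent statement: []
    print(validate_statement(statement(primary="WorldDominator", pfqan="/dteam/uk")))
```

The checker collects problems instead of stopping at the first one, which is what an operator debugging an attribute authority wants; it raises on a wrong NameFormat, though, since the naming section makes that a hard requirement rather than a consistency issue. Values that pass these checks still say nothing about who asserted them: signature and issuer validation of the enclosing assertion are out of scope of this profile and of this example.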
--
AndreaCeccanti - 12-Oct-2010