Common Virtual Organization Attribute Profile version 1.0

The EMI Common VO attribute profile defines the representation of VO membership attributes as SAML attributes.

Required information

Identification: http://dci-sec.org/saml/profile/virtual-organization/1.0

Contact information: emi-jra1-sec-saml@eu-emi.eu

Description: Given below.

Updates: None.

SAML Attribute naming

The NameFormat XML attribute in <Attribute> elements MUST be

urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Attribute name comparison

Two <Attribute> elements refer to the same SAML attribute if and only if their Name XML attribute values are equal in the sense of URI matching rules (RFC 3986).

Profile specific XML attributes

No additional XML attributes are defined for use with the <Attribute> element.

Profile specific XML data types

The following XML schema types are used in this profile.

<?xml version="1.0" encoding="UTF-8"?>
<schema
    targetNamespace="http://dci-sec.org/saml/profile/virtual-organization/1.0"
    elementFormDefault="qualified"
    xmlns="http://www.w3.org/2001/XMLSchema"
    xmlns:dci-sec="http://dci-sec.org/saml/profile/virtual-organization/1.0">

    <annotation>
        <documentation></documentation>
    </annotation>

    <simpleType name="group">
        <restriction base="string">
            <pattern value="(/\w[-_.\w]*)+"/>
        </restriction>
    </simpleType>

    <simpleType name="role">
        <restriction base="string">
            <pattern value="\w[-_.\w]*"/>
        </restriction>
    </simpleType>

    <simpleType name="vo">
        <restriction base="string">
            <pattern value="\w[-_.\w]*"/>
        </restriction>
    </simpleType>

    <attribute name="scope" type="dci-sec:group"/>

</schema>

Attribute definitions

Virtual organization (VO)

This multi-valued attribute represents the SAML assertion subject's virtual organization membership.

Name: http://dci-sec.org/saml/attribute/virtual-organization

The <AttributeValue> elements (of type dci-sec:vo) define the names of the VOs the subject is a member of.

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/virtual-organization">
  <AttributeValue xsi:type="dci-sec:vo">atlas</AttributeValue>
  <AttributeValue xsi:type="dci-sec:vo">example.vo.org</AttributeValue>
</Attribute>

Groups

This multi-valued attribute represents the SAML assertion subject's VO group membership.

Name: http://dci-sec.org/saml/attribute/group

The <AttributeValue> elements (of type dci-sec:group) define the VO groups the subject is a member of.

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/group"> 
  <AttributeValue xsi:type="dci-sec:group">/atlas</AttributeValue>
  <AttributeValue xsi:type="dci-sec:group">/atlas/it</AttributeValue>
</Attribute>

Constraints:

  • The first path element of each group must be equal to the VO name, i.e., if the VO name is atlas each group must start with the path /atlas.

Primary group

This single-valued attribute represents the SAML assertion subject's primary group membership.

Name: http://dci-sec.org/saml/attribute/group/primary

The <AttributeValue> element (of type dci-sec:group) defines the primary group for the subject.

Constraints:

  • The value expressed by this attribute MUST also appear in the http://dci-sec.org/saml/attribute/group attribute included in the SAML assertion.

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/group/primary"> 
  <AttributeValue xsi:type="dci-sec:group">/atlas/it</AttributeValue>
</Attribute>

Roles

This multi-valued attribute represents the roles assigned to the subject.

Name: http://dci-sec.org/saml/attribute/role

The <AttributeValue> elements (of type dci-sec:role) define the roles assigned to the subject. Each <AttributeValue> MUST be scoped to a group using the dci-sec:scope attribute.

Constraints:

  • The group referenced by the dci-sec:scope attribute must appear in the http://dci-sec.org/saml/attribute/group attribute included in the SAML assertion.

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role">
  <AttributeValue xsi:type="dci-sec:role" dci-sec:scope="/atlas/it">lcgadmin</AttributeValue>
</Attribute>

Primary role

This single-valued attribute represents the SAML assertion subject's primary role.

Name: http://dci-sec.org/saml/attribute/role/primary

The <AttributeValue> element (of type dci-sec:role) defines the primary role for the subject. The <AttributeValue> MUST be scoped to a group, using the dci-sec:scope attribute.

Constraints:

  • All the constraints specified for the http://dci-sec.org/saml/attribute/role attribute values apply to this attribute.
  • The value expressed by this attribute MUST also appear in the http://dci-sec.org/saml/attribute/role attribute included in the SAML assertion.

Example:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://dci-sec.org/saml/attribute/role/primary">
  <AttributeValue xsi:type="dci-sec:role" dci-sec:scope="/atlas/it">lcgadmin</AttributeValue>
</Attribute>
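A relying party that consumes these attributes should enforce the profile's cross-attribute constraints itself rather than assume the attribute authority got them right: a primary group that is not among the asserted groups, or a role scoped to a group the subject does not hold, is either an issuer bug or a tampered statement and should be rejected before any authorization decision is derived from it. The following is an added example, not code from the profile or from EMI; it assumes a constructed AttributeStatement wrapper, helper names of my own choosing (parse_profile_attributes, check_profile_constraints, statement_xml), and that the assertion's signature has already been verified by the SAML layer before this consistency check runs. It checks the NameFormat, the xsi:type of every value, the lexical patterns from the schema above, the VO-rooted group rule, both single-valued constraints, and the scope requirements for roles.

```python
"""Consistency checks for EMI Common VO attribute profile statements (added example)."""
import re
import xml.etree.ElementTree as ET  # for untrusted XML, use defusedxml's drop-in ElementTree instead

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
DCI_NS = "http://dci-sec.org/saml/profile/virtual-organization/1.0"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ATTR_VO = "http://dci-sec.org/saml/attribute/virtual-organization"
ATTR_GROUP = "http://dci-sec.org/saml/attribute/group"
ATTR_PRIMARY_GROUP = "http://dci-sec.org/saml/attribute/group/primary"
ATTR_ROLE = "http://dci-sec.org/saml/attribute/role"
ATTR_PRIMARY_ROLE = "http://dci-sec.org/saml/attribute/role/primary"
# Lexical patterns from the profile schema; Python's \w is a close approximation of XSD's \w.
GROUP_RE = re.compile(r"(/\w[-_.\w]*)+")
NAME_RE = re.compile(r"\w[-_.\w]*")  # shared by dci-sec:vo and dci-sec:role

def parse_profile_attributes(xml_text):
    """Map attribute Name -> list of (value, xsi:type, dci-sec:scope) for URI-named attributes."""
    found = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("NameFormat") != URI_FORMAT:
            continue  # the profile mandates the URI name format; anything else is not a profile attribute
        # Names are compared as plain strings; RFC 3986 matching adds scheme/host case-normalisation,
        # which these fixed lower-case names never need.
        bucket = found.setdefault(attr.get("Name"), [])
        for av in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            bucket.append(((av.text or "").strip(), av.get(f"{{{XSI_NS}}}type", ""),
                           av.get(f"{{{DCI_NS}}}scope")))
    return found

def check_profile_constraints(found):
    """Return the list of constraint violations; an empty list means the statement is self-consistent."""
    problems = []

    def typed(name, local_type):
        out = []  # xsi:type is a QName; only its local part is compared, so any prefix works
        for value, xsi_type, scope in found.get(name, []):
            if xsi_type.split(":")[-1] != local_type:
                problems.append(f"{name}: {value!r} has xsi:type {xsi_type!r}, expected dci-sec:{local_type}")
            out.append((value, scope))
        return out

    vos = [v for v, _ in typed(ATTR_VO, "vo")]
    groups = [g for g, _ in typed(ATTR_GROUP, "group")]
    primary_groups = [g for g, _ in typed(ATTR_PRIMARY_GROUP, "group")]
    roles = typed(ATTR_ROLE, "role")
    primary_roles = typed(ATTR_PRIMARY_ROLE, "role")
    for vo in vos:
        if not NAME_RE.fullmatch(vo):
            problems.append(f"VO name {vo!r} does not match dci-sec:vo")
    for group in groups:
        if not GROUP_RE.fullmatch(group):
            problems.append(f"group {group!r} does not match dci-sec:group")
        elif group.split("/")[1] not in vos:
            problems.append(f"group {group!r} is not rooted at an asserted VO name")
    if len(primary_groups) > 1:
        problems.append("primary group attribute must be single-valued")
    for group in primary_groups:
        if group not in groups:
            problems.append(f"primary group {group!r} is not among the asserted groups")

    def check_role(kind, value, scope):
        if not NAME_RE.fullmatch(value):
            problems.append(f"{kind} {value!r} does not match dci-sec:role")
        if scope is None:
            problems.append(f"{kind} {value!r} lacks the required dci-sec:scope")
        elif scope not in groups:
            problems.append(f"{kind} {value!r} is scoped to {scope!r}, which is not an asserted group")

    for value, scope in roles:
        check_role("role", value, scope)
    if len(primary_roles) > 1:
        problems.append("primary role attribute must be single-valued")
    for value, scope in primary_roles:
        check_role("primary role", value, scope)
        if (value, scope) not in roles:
            problems.append(f"primary role {value!r}@{scope!r} is not among the asserted roles")
    return problems

def validate(xml_text):
    return check_profile_constraints(parse_profile_attributes(xml_text))

def statement_xml(attributes):
    """Constructed helper: render (name, [(text, type, scope-or-None), ...]) pairs as an AttributeStatement."""
    rendered = []
    for name, values in attributes:
        vals = "".join(f'<AttributeValue xsi:type="dci-sec:{t}"'
                       + (f' dci-sec:scope="{s}"' if s else "") + f">{v}</AttributeValue>"
                       for v, t, s in values)
        rendered.append(f'<Attribute NameFormat="{URI_FORMAT}" Name="{name}">{vals}</Attribute>')
    return (f'<AttributeStatement xmlns="{SAML_NS}" xmlns:xsi="{XSI_NS}" xmlns:dci-sec="{DCI_NS}">'
            + "".join(rendered) + "</AttributeStatement>")

# Constructed statement mirroring the profile's own examples (VO atlas, group /atlas/it, role lcgadmin).
CONSISTENT = statement_xml([
    (ATTR_VO, [("atlas", "vo", None)]),
    (ATTR_GROUP, [("/atlas", "group", None), ("/atlas/it", "group", None)]),
    (ATTR_PRIMARY_GROUP, [("/atlas/it", "group", None)]),
    (ATTR_ROLE, [("lcgadmin", "role", "/atlas/it")]),
    (ATTR_PRIMARY_ROLE, [("lcgadmin", "role", "/atlas/it")]),
])
# Same subject, but both roles are scoped to a group the statement never asserts: reject it.
BAD_SCOPE = CONSISTENT.replace('dci-sec:scope="/atlas/it"', 'dci-sec:scope="/atlas/prod"')
```

validate(CONSISTENT) returns an empty list, while validate(BAD_SCOPE) reports the role and the primary role as scoped to the unasserted group /atlas/prod. Each violation is returned rather than raised so that a deployment can log the full set of inconsistencies for the issuer while still refusing the statement as a whole; the xsi:type check works on the local part of the QName, so it accepts any prefix the issuer bound to the profile namespace.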

-- AndreaCeccanti - 20-Feb-2011

Topic revision: r2 - 2011-02-24 - unknown