Common SAML attribute profile phone meeting 09.28.2010
Attendees: Andrea Ceccanti, Aleksander Konstantinov, Valery Tschopp, Krzysztof Benedyczak, Ali Gholami
Short report
Characterisation of SAML usage in existing middleware
- No production use of SAML for gLite and ARC.
- SAML assertions used in UNICORE to carry VO membership attributes that are used for authorization purposes.
Common SAML attribute profile
Chemomentum VO SAML profile is a good starting point but:
- The attribute value syntax is quite complex; maybe we can come up with something simpler.
- Does not cover the concept of primary attribute (crucial for existing infrastructure)
Requirements
- Simple mapping of SAML to XACML attributes, conforming to the XACML attribute profile rules defined in section 8.5 of the SAML 2.0 Profiles document and in the SAML 2.0 profile of XACML 2.0.
- Definition of scoped attribute values (roles scoped in groups, VOMS generic attributes scoped in VOMS FQANs, etc.)
- Definition of VO membership attribute
- Definition of VO group membership attribute
- Definition of VO role possession attribute
- Support for VOMS fqans (bag of fqans + primary fqan)
- Support for VOMS generic attributes
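To make the requirements above concrete, here is an added example (not part of these minutes, not from the Chemomentum profile or the strawman proposal) that takes a constructed SAML 2.0 AttributeStatement, maps it to XACML attributes following the XACML attribute profile conventions as I understand them (Attribute Name is the XACML AttributeId, NameFormat must be the uri format, xsi:type gives the DataType, xs:string when absent), and then derives VO membership, group membership, roles scoped in groups and the primary FQAN from a bag of VOMS FQANs. The AttributeIds (urn:example:emi:...) and the "value@scope" encoding used for a generic attribute scoped to an FQAN are hypothetical placeholders; the real profile will have to define them.

```python
"""Added example: SAML AttributeStatement -> XACML attributes -> VO view.
AttributeIds and the value@scope encoding are hypothetical; the sample
statement below is constructed for this example and is not a real assertion."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Hypothetical AttributeIds used only in this example.
ATTR_VO = "urn:example:emi:vo"
ATTR_FQAN = "urn:example:emi:voms-fqan"
ATTR_PRIMARY_FQAN = "urn:example:emi:voms-primary-fqan"
ATTR_GA = "urn:example:emi:voms-ga"   # generic attribute, "name=value@scope"

# Constructed sample statement: one VO, a bag of two FQANs, the primary FQAN
# and one generic attribute scoped to the /atlas group.
SAMPLE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}" xmlns:xs="{XS_NS}">
  <saml:Attribute Name="{ATTR_VO}" NameFormat="{URI_NAME_FORMAT}">
    <saml:AttributeValue xsi:type="xs:string">atlas</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ATTR_FQAN}" NameFormat="{URI_NAME_FORMAT}">
    <saml:AttributeValue xsi:type="xs:string">/atlas/Role=NULL/Capability=NULL</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">/atlas/prod/Role=admin/Capability=NULL</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ATTR_PRIMARY_FQAN}" NameFormat="{URI_NAME_FORMAT}">
    <saml:AttributeValue xsi:type="xs:string">/atlas/prod/Role=admin/Capability=NULL</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ATTR_GA}" NameFormat="{URI_NAME_FORMAT}">
    <saml:AttributeValue>nickname=aceccanti@/atlas</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def xacml_datatype(value_el):
    """Map the xsi:type of an AttributeValue to an XACML DataType URI.
    Only the xs: prefix is handled here; a missing xsi:type means xs:string."""
    t = value_el.get(f"{{{XSI_NS}}}type")
    if t is None:
        return f"{XS_NS}#string"
    prefix, _, local = t.partition(":")
    if prefix != "xs" or not local:
        raise ValueError(f"unsupported xsi:type {t!r}")
    return f"{XS_NS}#{local}"


def saml_to_xacml(statement_xml):
    """Return (AttributeId, DataType, value) triples in document order.
    Attributes not using the uri NameFormat are rejected, as the profile requires."""
    root = ET.fromstring(statement_xml.strip())
    triples = []
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        if attr.get("NameFormat") != URI_NAME_FORMAT:
            raise ValueError(f"NameFormat must be {URI_NAME_FORMAT}: {attr.get('Name')}")
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            triples.append((attr.get("Name"), xacml_datatype(val), (val.text or "").strip()))
    return triples


def parse_fqan(fqan):
    """'/atlas/prod/Role=admin/Capability=NULL' -> ('atlas', '/atlas/prod', 'admin').
    Role=NULL yields role None; the Capability component is ignored."""
    if not fqan.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {fqan!r}")
    groups, role = [], None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
            role = None if role == "NULL" else role
        elif part.startswith("Capability="):
            continue
        elif "=" in part or not part:
            raise ValueError(f"malformed FQAN component {part!r} in {fqan!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError(f"FQAN has no VO component: {fqan!r}")
    return groups[0], "/" + "/".join(groups), role


def split_scoped(value):
    """Hypothetical 'value@scope' encoding -> (value, scope); scope None if absent."""
    head, sep, scope = value.rpartition("@")
    return (head, scope) if sep else (value, None)


def vo_view(triples):
    """Derive VO, groups, roles scoped in groups, primary FQAN and generic
    attributes from the XACML triples, checking the primary/bag and scope rules."""
    values = {}
    for aid, _, v in triples:
        values.setdefault(aid, []).append(v)
    fqans = values.get(ATTR_FQAN, [])
    primary = values.get(ATTR_PRIMARY_FQAN, [None])[0]
    if primary is None and fqans:
        primary = fqans[0]   # VOMS convention: first FQAN in the bag is primary
    if primary is not None and primary not in fqans:
        raise ValueError("primary FQAN is not in the FQAN bag")
    parsed = [parse_fqan(f) for f in fqans]
    groups = {g for _, g, _ in parsed}
    generic = []
    for ga in values.get(ATTR_GA, []):
        pair, scope = split_scoped(ga)
        name, _, val = pair.partition("=")
        if scope is not None and scope not in groups:
            raise ValueError(f"generic attribute {name!r} scoped to unheld group {scope!r}")
        generic.append((name, val, scope))
    return {
        "vo": sorted(set(values.get(ATTR_VO, [])) | {vo for vo, _, _ in parsed}),
        "groups": sorted(groups),
        "roles": sorted({(g, r) for _, g, r in parsed if r}),
        "primary_fqan": primary,
        "generic_attributes": generic,
    }


if __name__ == "__main__":
    print(vo_view(saml_to_xacml(SAMPLE_STATEMENT)))
```

The point of the checks in vo_view is that the "scoped value" requirements are not just syntax: a primary FQAN that is not in the bag, or a generic attribute scoped to a group the holder is not a member of, should be rejected before anything reaches the XACML PDP.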
Starting from these requirements, here is the link to a strawman proposal on which we can base further discussions:
--
AndreaCeccanti - 28-Sep-2010
Topic revision: r4 - 2010-10-12