FYI an attribute discussion related to cloud identity
From: cloud-directory@googlegroups.com
[mailto:cloud-directory@googlegroups.com] On Behalf Of Paul Madsen
Sent: Wednesday, December 07, 2011 9:24 AM
To: cloud-directory@googlegroups.com
Subject: Re: SAML Binding for SCIM revisited
I raised the issue (and proposal) on the SSTC SAML list and there was 'push
back' from Scott Cantor and others as to SCIM imposing a new set of
attribute names for SAML, as opposed to reusing existing SAML Attribute
profiles, e.g. eduPerson's homePostalAddress and corresponding SAML
Attribute.
FWIW, I agree with the general premise that a binding of SCIM to SAML
should, where possible, leverage existing SAML constructs.
It would be (theoretically) possible for the SAML Binding for SCIM to simply
consist of a table of SCIM attributes and corresponding pre-existing SAML
attribute names.
Thoughts on this alternative?
paul
On 12/5/11 12:37 PM, Paul Madsen wrote:
In looking at the SAML binding more closely, the limitations of the existing
model have become apparent.
Fundamentally, trying to map complex structures into flat attributes is
difficult.
In discussions with colleagues Brian & Travis, we've come up with a proposal
that seems to serve. Specifically, the proposal is to use an 'XPath-ish'
syntax to represent the position of a given SAML attribute within a notional
SCIM XML representation - this XPath expression inserted into the SAML
Attribute Name.
Below are examples of SAML attributes for the different types of SCIM
attributes - distinguished by simple/complex & single/multi-value to cover
the full SCIM continuum of complexity.
The SAML Attribute NameFormat value is the namespace URN for the
corresponding SCIM attribute, either SCIM or relevant extension.
Thoughts?
paul
-----------------------------------------------
<!-- single & simple -->
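The two alternatives discussed in the thread above, as an added example that is not part of Paul's messages nor of the SCIM or SAML specifications. The message's own SAML examples are not reproduced on the page, so the exact 'XPath-ish' Name syntax is an assumption here: '/' between path segments and a 1-based [n] predicate for each entry of a multi-valued complex attribute. The SCIM 1.1 user, its costCenters attribute and the SCIM-to-LDAP table are constructed for illustration; the OIDs are the standard LDAP attribute types (uid, givenName, sn, mail) as named in the SAML X.500/LDAP attribute profile, and flatten_scim, xpath_binding and table_binding are this example's own functions.

```python
"""Two candidate SAML bindings for SCIM attributes, side by side (added example)."""
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SCIM_CORE_NS = "urn:scim:schemas:core:1.0"
SCIM_ENTERPRISE_NS = "urn:scim:schemas:extension:enterprise:1.0"
ET.register_namespace("saml", SAML2_NS)

# Constructed SCIM 1.1 user (not from the thread) covering each attribute class.
SCIM_USER = {
    "schemas": [SCIM_CORE_NS, SCIM_ENTERPRISE_NS],
    "userName": "bjensen",                                     # simple, single-valued
    "name": {"givenName": "Barbara", "familyName": "Jensen"},  # complex, single-valued
    "emails": [                                                # complex, multi-valued
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "babs@jensen.org", "type": "home"},
    ],
    SCIM_ENTERPRISE_NS: {                                      # extension namespace
        "employeeNumber": "701984",
        "costCenters": ["4130", "4131"],   # simple, multi-valued (assumed attribute)
    },
}


def _text(v):
    """AttributeValue text for a SCIM scalar (xs:boolean spelling for bools)."""
    return ("true" if v else "false") if isinstance(v, bool) else str(v)


def flatten_scim(obj, namespace=SCIM_CORE_NS, path=""):
    """Yield (namespace, name, values) for every leaf attribute of a SCIM resource.

    Assumed XPath-ish Name syntax: a complex attribute adds a '/' segment, each
    entry of a multi-valued complex attribute gets a 1-based [n] predicate, and a
    multi-valued simple attribute keeps one Name with several AttributeValues.
    A key that is a URN switches the namespace (a SCIM extension), no segment.
    """
    for key, val in obj.items():
        if key == "schemas":
            continue  # resource bookkeeping, not a user attribute
        if key.startswith("urn:"):
            yield from flatten_scim(val, key, path)
            continue
        name = f"{path}/{key}" if path else key
        if isinstance(val, dict):
            yield from flatten_scim(val, namespace, name)
        elif isinstance(val, list) and val and all(isinstance(v, dict) for v in val):
            for i, entry in enumerate(val, start=1):
                yield from flatten_scim(entry, namespace, f"{name}[{i}]")
        elif isinstance(val, list):
            yield namespace, name, [_text(v) for v in val]
        else:
            yield namespace, name, [_text(val)]


def _attribute(stmt, name, name_format, values, friendly=None):
    attrib = {"Name": name, "NameFormat": name_format}
    if friendly:
        attrib["FriendlyName"] = friendly
    attr = ET.SubElement(stmt, f"{{{SAML2_NS}}}Attribute", attrib)
    for v in values:
        ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = v
    return attr


def xpath_binding(user):
    """Proposal 1: Name = XPath-ish position, NameFormat = SCIM namespace URN."""
    stmt = ET.Element(f"{{{SAML2_NS}}}AttributeStatement")
    for ns, name, values in flatten_scim(user):
        _attribute(stmt, name, ns, values)
    return stmt


# Proposal 2 (the SSTC push-back): reuse existing SAML attribute names.  Name is
# the LDAP attribute OID as in the SAML X.500/LDAP attribute profile; which SCIM
# path folds into which LDAP attribute is this example's own assumption.
SCIM_TO_LDAP = {
    "userName":        ("urn:oid:0.9.2342.19200300.100.1.1", "uid"),
    "name/givenName":  ("urn:oid:2.5.4.42", "givenName"),
    "name/familyName": ("urn:oid:2.5.4.4", "sn"),
    "emails[*]/value": ("urn:oid:0.9.2342.19200300.100.1.3", "mail"),
}


def table_binding(user):
    """Return (AttributeStatement, unmapped) using the lookup table.

    Several SCIM values may fold into one multi-valued LDAP attribute (every
    email becomes 'mail'); anything with no pre-existing SAML attribute is
    reported instead of silently dropped, which is the cost of this approach.
    """
    stmt = ET.Element(f"{{{SAML2_NS}}}AttributeStatement")
    merged, unmapped = {}, []
    for ns, name, values in flatten_scim(user):
        key = re.sub(r"\[\d+\]", "[*]", name)
        if key in SCIM_TO_LDAP:
            oid, friendly = SCIM_TO_LDAP[key]
            merged.setdefault(oid, (friendly, []))[1].extend(values)
        else:
            unmapped.append(f"{ns}#{name}")
    for oid, (friendly, values) in merged.items():
        _attribute(stmt, oid, SAML2_URI_FORMAT, values, friendly)
    return stmt, unmapped


if __name__ == "__main__":
    print(ET.tostring(xpath_binding(SCIM_USER), encoding="unicode"))
    stmt, unmapped = table_binding(SCIM_USER)
    print(ET.tostring(stmt, encoding="unicode"))
    print("no existing SAML attribute for:", unmapped)
```

Running it shows the trade-off in the thread concretely: the XPath-ish binding expresses all ten leaf attributes, including the extension namespace and the per-entry type/primary sub-attributes, while the table binding produces four well-known SAML attributes a relying party already understands and leaves five SCIM attributes with nowhere to go.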