FYI an attribute discussion related to cloud identity


From: cloud-directory@googlegroups.com [mailto:cloud-directory@googlegroups.com] On Behalf Of Paul Madsen
Sent: Wednesday, December 07, 2011 9:24 AM
To: cloud-directory@googlegroups.com
Subject: Re: SAML Binding for SCIM revisited


I raised the issue (and proposal) on the SSTC SAML list and there was 'push back' from Scott Cantor and others as to SCIM imposing a new set of attribute names for SAML, as opposed to reusing existing SAML Attribute profiles, e.g. eduPerson's homePostalAddress and corresponding SAML Attribute.

FWIW, I agree with the general premise that a binding of SCIM to SAML should, where possible, leverage existing SAML constructs.

It would be (theoretically) possible for the SAML Binding for SCIM to simply consist of a table of SCIM attributes and corresponding pre-existing SAML attribute names. 

Thoughts on this alternative?

paul

On 12/5/11 12:37 PM, Paul Madsen wrote:

In looking at the SAML binding more closely, the limitations of the existing model have become apparent.

Fundamentally, trying to map complex structures into flat attributes is difficult.

In discussions with colleagues Brian & Travis, we've come up with a proposal that seems to serve. Specifically, the proposal is to use an 'XPath-ish' syntax to represent the position of a given SAML attribute within a notional SCIM XML representation - this XPath expression inserted into the SAML Attribute Name.

Below are examples of SAML attributes for the different types of SCIM attributes - distinguished by simple/complex & single/multi-value to cover the full SCIM continuum of complexity.

The SAML Attribute NameFormat value is the namespace URN for the corresponding SCIM attribute, either SCIM or relevant extension.

Thoughts?

paul

-----------------------------------------------
<!-- single & simple -->
 
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="externalId">
       <saml:AttributeValue xsi:type="xs:string">701984</saml:AttributeValue>
  </saml:Attribute>
 
  <!-- single & complex -->
 
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="name/formatted">
       <saml:AttributeValue xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
 
  <!-- multivalued & simple -->
 
  <!-- the '&' joining predicate terms must be escaped as &amp; inside an XML attribute value -->
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="emails/email[@type='work'&amp;primary='true']">
       <saml:AttributeValue xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
 
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="emails/email[@type='home']">
       <saml:AttributeValue xsi:type="xs:string">babs@jensen.com</saml:AttributeValue>
  </saml:Attribute>

  <!-- multivalued & complex -->

  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="addresses/address[@type='work'&amp;primary='true']/formatted">
       <saml:AttributeValue xsi:type="xs:string">100 Universal City Plaza, Hollywood, CA 91608 USA</saml:AttributeValue>
  </saml:Attribute>
 
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="addresses/address[@type='work'&amp;primary='true']/streetAddress">
       <saml:AttributeValue xsi:type="xs:string">100 Universal City Plaza</saml:AttributeValue>
  </saml:Attribute>
 
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="addresses/address[@type='home']/formatted">
       <saml:AttributeValue xsi:type="xs:string">456 Hollywood Blvd, Hollywood, CA 91608 USA</saml:AttributeValue>
  </saml:Attribute>
 
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="addresses/address[@type='home']/streetAddress">
       <saml:AttributeValue xsi:type="xs:string">456 Hollywood Blvd</saml:AttributeValue>
  </saml:Attribute>
 
  <!-- extension -->
 
  <saml:Attribute NameFormat="urn:scim:schemas:extension:enterprise:1.0" Name="employeeNumber">
       <saml:AttributeValue xsi:type="xs:string">701984</saml:AttributeValue>
  </saml:Attribute>
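As an added example (not part of the thread above), this is the relying-party side of the proposal: folding the flat, XPath-named SAML attributes back into the nested SCIM user they represent. The sample AttributeStatement is constructed from the attributes in Paul's mail, with `&` escaped as `&amp;` so the XML is well-formed and xsi:type omitted; the parsing helpers and their names are mine, not from any SCIM or SAML library.

```python
import re
import xml.etree.ElementTree as ET
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CORE = "urn:scim:schemas:core:1.0"
PRED = re.compile(r"^(\w+)/(\w+)\[([^\]]*)\](?:/(\w+))?$")  # coll/elem[predicate](/sub)?

SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="emails/email[@type='work'&amp;primary='true']">
    <saml:AttributeValue>bjensen@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="addresses/address[@type='work'&amp;primary='true']/formatted">
    <saml:AttributeValue>100 Universal City Plaza, Hollywood, CA 91608 USA</saml:AttributeValue></saml:Attribute>
  <saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="addresses/address[@type='work'&amp;primary='true']/streetAddress">
    <saml:AttributeValue>100 Universal City Plaza</saml:AttributeValue></saml:Attribute>
  <saml:Attribute NameFormat="urn:scim:schemas:extension:enterprise:1.0" Name="employeeNumber">
    <saml:AttributeValue>701984</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""  # constructed sample from the proposal's attributes; '&' escaped as '&amp;'

def parse_predicate(text):  # "@type='work'&primary='true'" -> {'type': 'work', 'primary': True}
    pairs = (p.split("=", 1) for p in text.split("&"))
    return {k.lstrip("@"): {"true": True, "false": False}.get(v.strip("'"), v.strip("'")) for k, v in pairs}

def place(user, name, value):
    m = PRED.match(name)
    if not m:  # single-valued: walk the '/' path, creating complex attributes as dicts
        *path, leaf = name.split("/")
        node = user
        for p in path:
            node = node.setdefault(p, {})
        node[leaf] = value
        return
    coll, _, pred, sub = m.groups()  # multi-valued: merge into the member the predicate selects
    keys = parse_predicate(pred)
    members = user.setdefault(coll, [])
    member = next((x for x in members if all(x.get(k) == v for k, v in keys.items())), None)
    if member is None:
        member = dict(keys)
        members.append(member)
    member[sub or "value"] = value

def scim_user_from_saml(xml_text):
    user = {"schemas": [CORE]}
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        ns, name, value = attr.get("NameFormat"), attr.get("Name"), attr.findtext(SAML + "AttributeValue")
        if ns == CORE:
            place(user, name, value)
        else:  # extension attributes live under their own schema URN, as in SCIM JSON
            if ns not in user["schemas"]:
                user["schemas"].append(ns)
            place(user.setdefault(ns, {}), name, value)
    return user
```

The strict `\w`-only regex is deliberate: an attribute Name that does not fit the scheme falls through to the plain path walk rather than being interpreted as a predicate, so only the agreed syntax can create or select collection members.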