security-services-comment message
Subject: comment on SAML V2.0 X.500/LDAP Attribute Profile: attribute options



Hello, the LDAPv3 directory information model defines an
"attribute description" as

    An attribute description is composed of an attribute type
    and a set of zero or more attribute options.

    Examples of valid attribute descriptions:

       2.5.4.0
       cn;lang-de;lang-en
       owner

in section 2.5 of RFC 4512.

Attribute option is described in section 2.5.2 of
RFC 4512, and section 2.5.2.1 of RFC 4512 states that

    Attributes held in the directory can have attribute
    descriptions with any number of tagging options.

One example of a tagging option is the language tag,
as defined in RFC 3866.

In the "SAML V2.0 X.500/LDAP Attribute Profile"
Committee Draft 01, 19 December 2006,
section 2.3 states that

"Since X.500 procedures require that every attribute type be
identified with a unique OBJECT IDENTIFIER, this naming scheme
ensures that the derived SAML attribute names are unambiguous."

While an LDAP attribute _type_ has a unique OBJECT IDENTIFIER,
an LDAP attribute _description_ does not. Thus the derived SAML
names for LDAP attributes are not ambiguous, as two attributes
with different attribute descriptions but the same attribute types
have the same attribute type OID.

E.g., the LDAP attribute

givenName;lang-en: Steven

would generate the SAML attribute

<saml:Attribute xmlns:x500="urn:...X500" NameFormat="urn:...uri"
  Name="urn:oid:2.5.4.42" FriendlyName="givenName;lang-en"
  x500:Encoding="LDAP">
<saml:AttributeValue xsi:type="xsd:string">Steven</saml:AttributeValue>
</saml:Attribute>

As section 2.3.1 states that the FriendlyName does not participate
in matching SAML attributes, this would suggest that the tagging
options are ignored when comparing SAML attribute names.  Is this
the intention?

Mark Wahl
Informed Control Inc.
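An added illustration of the point raised above (example code, not part of the message or of the OASIS profile): parse an RFC 4512 attribute description into its type and tagging options, derive the `urn:oid:` Name the profile would emit, and detect descriptions that differ only in options yet share the same SAML Name. The OID table is a constructed subset; 2.5.4.42 for givenName is the value used in the message.

```python
import re
from collections import defaultdict

# Constructed OID table, keyed by lower-cased descriptor (RFC 4512 descriptors
# are case-insensitive). Only the types needed for this illustration.
ATTRIBUTE_TYPE_OIDS = {"givenname": "2.5.4.42", "cn": "2.5.4.3"}

# RFC 4512 section 2.5: attributetype is a descriptor (keystring) or a
# numericoid, followed by zero or more ";option" tags.
DESCRIPTION_RE = re.compile(
    r"^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)((?:;[A-Za-z0-9-]+)*)$"
)


def parse_attribute_description(desc):
    """Split an attribute description into (type, frozenset of options).

    Options are normalised to lower case and held as a set, since their
    case and order are not significant under RFC 4512.
    """
    m = DESCRIPTION_RE.match(desc)
    if not m:
        raise ValueError(f"invalid attribute description: {desc!r}")
    attr_type, opts = m.group(1), m.group(2)
    options = frozenset(o.lower() for o in opts.split(";") if o)
    return attr_type, options


def saml_name_for(desc):
    """Derive the SAML attribute Name the profile would emit: urn:oid:<type OID>.

    Tagging options do not enter the Name; they survive only in FriendlyName.
    """
    attr_type, _ = parse_attribute_description(desc)
    if attr_type[0].isdigit():          # already a numeric OID
        return f"urn:oid:{attr_type}"
    try:
        return f"urn:oid:{ATTRIBUTE_TYPE_OIDS[attr_type.lower()]}"
    except KeyError:
        raise ValueError(f"no OID known for attribute type {attr_type!r}")


def descriptions_equivalent(a, b):
    """True when two descriptions name the same type AND the same option set."""
    ta, oa = parse_attribute_description(a)
    tb, ob = parse_attribute_description(b)
    return ta.lower() == tb.lower() and oa == ob


def find_name_collisions(descriptions):
    """Group non-equivalent descriptions that still map to one SAML Name."""
    by_name = defaultdict(list)
    for d in descriptions:
        by_name[saml_name_for(d)].append(d)
    return {n: ds for n, ds in by_name.items() if len(ds) > 1}
```

A relying party that matches only on Name (as section 2.3.1 implies for FriendlyName) would treat every entry in a collision group as the same attribute.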
