security-services message

Subject: proposed new X.500/LDAP attribute profile text



Below is the text version of proposed mods to section 8.2 of the profiles
doc on the X.500/LDAP attribute profile.  Most changes reflect comments
from Steven Legg.  The only substantive change is that the Encoding XML
attribute is now applied to the AttributeValue element, since it might be
value-specific.  The hairy language regarding LDAP syntaxes and such
should be more correct now, if not more understandable.

I also propose that this be named "X500" rather than "LDAP"  since it is
specifically written to cover (potentially) all X.500 attribute
definitions, not just LDAP-specific ones (though that's all it does at the
moment).  So, assuming no objections to that, I'll also submit a
sstc-saml-schema-x500-2.0.xsd to replace the current
sstc-saml-schema-ldap-2.0.xsd (no change to content).

 - RL "Bob"

---


8.2 X.500/LDAP Attribute Profile

Directories based on the ITU-T X.500 specifications [X.500] and the
related IETF Lightweight Directory Access Protocol specifications [LDAP]
are widely deployed.  Directory schema is used to model information to be
stored in these directories.  In particular, in X.500, attribute type
definitions are used to specify the syntax and other features of
attributes, the basic information storage unit in a directory (this
document refers to these as "directory attributes").  Directory attribute
types are defined in schema in the X.500 and LDAP specifications
themselves, schema in other public documents (such as the
Internet2/Educause EduPerson schema [eduPerson], or the inetOrgPerson
schema [RFC2798]), and schema defined for private purposes.  In any of
these cases, it is useful for deployers to take advantage of these
directory attribute types in the context of SAML attribute statements,
without having to manually create SAML-specific attribute definitions for
them, and to do this in an interoperable fashion.

The X.500/LDAP attribute profile defines a common convention for the
naming and representation of such directory attribute types when expressed
as SAML attributes.

8.2.1 Required Information

Identification: urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500 (this
is also the target namespace assigned in the corresponding X.500/LDAP
profile schema document [SAMLX500-xsd])

Contact information: security-services-comment@lists.oasis-open.org
Description: Given below.
Updates: None.

8.2.2 SAML Attribute Naming

The NameFormat XML attribute in <Attribute> elements MUST be
urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

To construct SAML attribute names, the URN oid namespace described in IETF
RFC 3061 [RFC3061] is used. In this approach the Name XML attribute is
based on the OBJECT IDENTIFIER assigned to the directory attribute type.

Example:
urn:oid:2.5.4.3

Since X.500 procedures require that every directory attribute type be
identified with a unique OBJECT IDENTIFIER, this naming scheme ensures
that the derived SAML attribute names are unambiguous.

For purposes of human readability, there may also be a requirement for
some applications to carry an optional string name together with the OID
URN. The optional XML attribute FriendlyName (defined in [SAMLCore]) MAY
be used for this purpose.  If the definition of the directory attribute
type includes one or more descriptors (short names) for the attribute
type, the FriendlyName value, if present, SHOULD be one of the defined
descriptors.

8.2.2.1 Attribute Name Comparison

Two <Attribute> elements refer to the same SAML attribute if and only if
their Name XML attribute values are equal in the sense of [RFC3061]. The
FriendlyName attribute plays no role in the comparison.

8.2.3 Profile-Specific XML Attributes

An additional XML attribute is defined in the XML namespace
urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500 for use with the
<AttributeValue> element:

Encoding [Optional]

The value of this XML attribute specifies the encoding used for the
associated SAML attribute value.

Only one value of this XML attribute is defined at this time: "LDAP". This
specifies the use of the LDAP-specific encoding for this directory
attribute value, as described in Section 8.2.4. Future versions of this
profile may define additional encoding methods and will assign other
values for this attribute.

8.2.4 SAML Attribute Values

Directory attribute type definitions for use in native X.500 directories
specify the syntax of the attribute using ASN.1 [ASN.1].  For use in LDAP,
directory attribute definitions additionally include an LDAP syntax which
specifies how attribute or assertion values conforming to the syntax are
to be represented when transferred in the LDAP protocol (known as an
LDAP-specific encoding).  The LDAP-specific encoding commonly produces
Unicode characters in UTF-8 form. This SAML attribute profile specifies
the form of SAML attribute values only for those directory attributes
which have LDAP syntaxes. Future extensions to this profile may define
attribute value formats for directory attributes whose syntaxes specify
other encodings.

For any directory attribute with a syntax whose LDAP-specific encoding
exclusively produces UTF-8 character strings as values, the SAML attribute
value is encoded as simply the UTF-8 string itself, as the content of the
<AttributeValue> element, with no additional whitespace. In such cases,
the xsi:type XML attribute MUST be set to xs:string. The profile-specific
Encoding XML attribute is provided, with a value of LDAP.  A list of some
LDAP attribute syntaxes to which this applies is:

Attribute Type Description       1.3.6.1.4.1.1466.115.121.1.3
Bit String                       1.3.6.1.4.1.1466.115.121.1.6
Boolean                          1.3.6.1.4.1.1466.115.121.1.7
Country String                   1.3.6.1.4.1.1466.115.121.1.11
DN                               1.3.6.1.4.1.1466.115.121.1.12
Directory String                 1.3.6.1.4.1.1466.115.121.1.15
Facsimile Telephone Number       1.3.6.1.4.1.1466.115.121.1.22
Generalized Time                 1.3.6.1.4.1.1466.115.121.1.24
IA5 String                       1.3.6.1.4.1.1466.115.121.1.26
INTEGER                          1.3.6.1.4.1.1466.115.121.1.27
LDAP Syntax Description          1.3.6.1.4.1.1466.115.121.1.54
Matching Rule Description        1.3.6.1.4.1.1466.115.121.1.30
Matching Rule Use Description    1.3.6.1.4.1.1466.115.121.1.31
Name And Optional UID            1.3.6.1.4.1.1466.115.121.1.34
Name Form Description            1.3.6.1.4.1.1466.115.121.1.35
Numeric String                   1.3.6.1.4.1.1466.115.121.1.36
Object Class Description         1.3.6.1.4.1.1466.115.121.1.37
Octet String                     1.3.6.1.4.1.1466.115.121.1.40
OID                              1.3.6.1.4.1.1466.115.121.1.38
Other Mailbox                    1.3.6.1.4.1.1466.115.121.1.39
Postal Address                   1.3.6.1.4.1.1466.115.121.1.41
Presentation Address             1.3.6.1.4.1.1466.115.121.1.43
Printable String                 1.3.6.1.4.1.1466.115.121.1.44
Substring Assertion              1.3.6.1.4.1.1466.115.121.1.58
Telephone Number                 1.3.6.1.4.1.1466.115.121.1.50
UTC Time                         1.3.6.1.4.1.1466.115.121.1.53

For all other LDAP attribute syntaxes, the attribute value is encoded, as
the content of the <AttributeValue> element, by base64-encoding [RFC2045]
the encompassing ASN.1 OCTET STRING-encoded LDAP attribute value. The
xsi:type XML attribute MUST be set to xs:base64Binary.  The
profile-specific Encoding XML attribute is provided, with a value of LDAP.

When comparing SAML attribute values for equality, the semantics of the
equality matching rule specified for the corresponding directory attribute
type MUST be observed (case sensitivity, for example).
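The mapping described in 8.2.2 through 8.2.4, carried out in code: build the <saml:Attribute> for one directory attribute value (urn:oid name, optional descriptor as FriendlyName, xs:string or xs:base64Binary value with Encoding="LDAP"), and compare two SAML attribute names per RFC 3061. This is an added illustration, not part of the proposed profile text; the UTF-8 syntax set is the list in 8.2.4, the jpegPhoto OID and JPEG syntax OID come from RFC 2798/RFC 4517, and the sample bytes are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
X500_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# LDAP syntaxes whose LDAP-specific encoding is always a UTF-8 string
# (the table in section 8.2.4); every other syntax is carried base64-encoded.
UTF8_STRING_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1." + s for s in
    "3 6 7 11 12 15 22 24 26 27 54 30 31 34 35 36 37 40 38 39 41 43 44 58 50 53".split()
}

def saml_attribute(oid, syntax_oid, raw_value, friendly_name=None):
    """Map one directory attribute value (raw_value = its LDAP-specific
    encoding, as bytes) to a <saml:Attribute> element per the X500 profile.
    The xs:/xsi: prefixes are assumed declared on the enclosing assertion."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute",
                      {"Name": f"urn:oid:{oid}", "NameFormat": URI_FORMAT})
    if friendly_name:                      # descriptor only, never used for matching
        attr.set("FriendlyName", friendly_name)
    val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    val.set(f"{{{X500_NS}}}Encoding", "LDAP")
    if syntax_oid in UTF8_STRING_SYNTAXES:
        val.set(f"{{{XSI_NS}}}type", "xs:string")
        val.text = raw_value.decode("utf-8")          # no added whitespace
    else:
        val.set(f"{{{XSI_NS}}}type", "xs:base64Binary")
        val.text = base64.b64encode(raw_value).decode("ascii")
    return attr

# RFC 3061 grammar: "urn:oid:" (case-insensitive) then dotted numeric
# components, no leading zeros except a component that is exactly "0".
_OID_URN = re.compile(r"^urn:oid:((?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))*)$", re.I)

def same_saml_attribute(name_a, name_b):
    """8.2.2.1: two Names denote the same SAML attribute iff their OIDs match."""
    ma, mb = _OID_URN.match(name_a), _OID_URN.match(name_b)
    if not (ma and mb):
        raise ValueError("not a well-formed urn:oid attribute name")
    return ma.group(1) == mb.group(1)
```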

8.2.5 Profile-Specific Schema

The following schema defines the profile-specific Encoding XML attribute:

<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
	xmlns="http://www.w3.org/2001/XMLSchema"
	version="2.0">
	<attribute name="Encoding" type="string"/>
</schema>

8.2.6 Example

The following is an example of a mapping of the "givenName" X.500/LDAP
attribute, representing the SAML assertion subject's given name. Its
OBJECT IDENTIFIER is 2.5.4.42 and its LDAP syntax is Directory String.

<saml:Attribute xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
		NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
		Name="urn:oid:2.5.4.42" FriendlyName="givenName">
	<saml:AttributeValue xsi:type="xs:string" ldapprof:Encoding="LDAP">Steven</saml:AttributeValue>
</saml:Attribute>


