Subject: comment on SAML V2.0 X.500/LDAP Attribute Profile: attribute options
Hello,

The LDAPv3 directory information model defines an "attribute description" as follows, in section 2.5 of RFC 4512:

    An attribute description is composed of an attribute type and a set of
    zero or more attribute options.

    Examples of valid attribute descriptions:

        2.5.4.0
        cn;lang-de;lang-en
        owner

Attribute options are described in section 2.5.2 of RFC 4512, and section 2.5.2.1 of RFC 4512 states that:

    Attributes held in the directory can have attribute descriptions with
    any number of tagging options. One example of a tagging option is the
    language tag, as defined in RFC 3866.

In the "SAML V2.0 X.500/LDAP Attribute Profile" Committee Draft 01, 19 December 2006, section 2.3 states that

    "Since X.500 procedures require that every attribute type be identified
    with a unique OBJECT IDENTIFIER, this naming scheme ensures that the
    derived SAML attribute names are unambiguous."

While an LDAP attribute _type_ has a unique OBJECT IDENTIFIER, an LDAP attribute _description_ does not. Thus the derived SAML names for LDAP attributes are not ambiguous, as two attributes with different attribute descriptions but the same attribute types have the same attribute type OID.

E.g., the LDAP attribute

    givenName;lang-en: Steven

would generate the SAML attribute

    <saml:Attribute xmlns:x500="urn:...X500"
                    NameFormat="urn:...uri"
                    Name="urn:oid:2.5.4.42"
                    FriendlyName="givenName;lang-en"
                    x500:Encoding="LDAP">
      <saml:AttributeValue xsi:type="xsd:string">Steven</saml:AttributeValue>
    </saml:Attribute>

As section 2.3.1 states that the FriendlyName does not participate in matching SAML attributes, this would suggest that the tagging options are ignored when comparing SAML attribute names. Is this the intention?

Mark Wahl
Informed Control Inc.
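The following is an added worked example, not part of the message above and not code from OASIS or the SAML profile itself. It parses LDAP attribute descriptions into type and options per the RFC 4512 grammar the message quotes, derives the profile's "urn:oid:" SAML Name from the attribute type, and then reports which descriptions in a set would collapse onto the same SAML Name once tagging options are dropped. The small OID table (cn, sn, givenName) holds well-known X.520/RFC 4519 values; the full NameFormat and X500 namespace URIs are the standard SAML 2.0 constants the message abbreviates as "urn:...uri" and "urn:...X500". Everything else (function names, the sample descriptions) is constructed for the example.

```python
import re
from collections import defaultdict
from xml.sax.saxutils import escape, quoteattr

# Constructed lookup of well-known attribute type OIDs (X.520 / RFC 4519 values).
# A real deployment would take these from the directory schema.
KNOWN_TYPE_OIDS = {
    "cn": "2.5.4.3",
    "sn": "2.5.4.4",
    "givenname": "2.5.4.42",
}

# Standard SAML 2.0 constants (the message shows them abbreviated).
SAML_URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
X500_PROFILE_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"

# RFC 4512 section 2.5 grammar: attributetype is a descriptor or a numeric
# OID; each option is one or more of ALPHA / DIGIT / HYPHEN, separated by ';'.
_DESCRIPTOR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
_NUMERICOID_RE = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")
_OPTION_RE = re.compile(r"^[A-Za-z0-9-]+$")


def parse_attribute_description(desc):
    """Split 'type;opt1;opt2' into (attribute type, frozenset of options).

    Options are case-insensitive and unordered in LDAP, so they are lowered
    and kept as a set; the type keeps its original spelling.
    """
    parts = desc.split(";")
    attr_type, options = parts[0], parts[1:]
    if not (_DESCRIPTOR_RE.match(attr_type) or _NUMERICOID_RE.match(attr_type)):
        raise ValueError("invalid attribute type: %r" % attr_type)
    for opt in options:
        if not _OPTION_RE.match(opt):
            raise ValueError("invalid attribute option: %r" % opt)
    return attr_type, frozenset(o.lower() for o in options)


def canonical_description(desc):
    """Normalised form: lower-cased type followed by sorted options."""
    attr_type, options = parse_attribute_description(desc)
    return ";".join([attr_type.lower()] + sorted(options))


def attribute_type_oid(attr_type):
    """Resolve an attribute type to its OBJECT IDENTIFIER (numeric OIDs pass through)."""
    if _NUMERICOID_RE.match(attr_type):
        return attr_type
    try:
        return KNOWN_TYPE_OIDS[attr_type.lower()]
    except KeyError:
        raise ValueError("unknown attribute type: %r" % attr_type)


def saml_name(desc):
    """Derive the profile's SAML Name: only the attribute type contributes."""
    attr_type, _options = parse_attribute_description(desc)
    return "urn:oid:" + attribute_type_oid(attr_type)


def find_name_collisions(descriptions):
    """Group descriptions by derived SAML Name; return groups where more than
    one distinct (canonical) description maps to the same Name."""
    groups = defaultdict(set)
    for desc in descriptions:
        groups[saml_name(desc)].add(canonical_description(desc))
    return {name: sorted(descs) for name, descs in groups.items() if len(descs) > 1}


def saml_attribute_xml(desc, value):
    """Render the <saml:Attribute> element the profile would produce."""
    return (
        "<saml:Attribute xmlns:x500=%s NameFormat=%s Name=%s FriendlyName=%s "
        'x500:Encoding="LDAP">'
        '<saml:AttributeValue xsi:type="xsd:string">%s</saml:AttributeValue>'
        "</saml:Attribute>"
    ) % (quoteattr(X500_PROFILE_NS), quoteattr(SAML_URI_NAME_FORMAT),
         quoteattr(saml_name(desc)), quoteattr(desc), escape(value))


if __name__ == "__main__":
    # Constructed sample: the same entry with English and German givenName values.
    sample = ["cn", "cn;lang-de;lang-en", "givenName;lang-en", "givenName;lang-de", "sn"]
    for name, descs in sorted(find_name_collisions(sample).items()):
        print("%s <- %s" % (name, ", ".join(descs)))
    print(saml_attribute_xml("givenName;lang-en", "Steven"))
```

Running the collision check over an attribute release policy before it goes live is the practical use: any group it prints is a place where a relying party matching only on Name (as section 2.3.1 implies) cannot tell the tagged variants apart.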