Subject: Re: [security-services-comment] comment on SAML V2.0 X.500/LDAP AttributeProfile: attribute options
Scott Cantor wrote:
> What is definite is that the FriendlyName is non-normative and would never
> be considered itself.

Agree.

I suggest in section 2.3 around line 102 change "that the derived SAML attribute names are unambiguous" to "that the derived SAML attribute names, for X.500 attribute types and LDAP attribute descriptions without any tagging options, are unambiguous", and one of the following possibilities:

(1) Add a new paragraph to 2.3 before 2.3.1:

"Tagging options on LDAP attribute descriptions are not currently transferred in the Name field of SAML attributes."

and add a new sentence to 2.3.1:

"However, two SAML attributes resulting from two LDAP attributes with the same attribute type and different attribute descriptions will also match for equality."

(2) Add a new paragraph to 2.3 before 2.3.1:

"This profile only specifies the transfer of X.500 attributes and LDAP attributes in which the attribute descriptions have no tagging options. Other profiles specify how SAML attributes are constructed for LDAP attributes with tagging options in the attribute descriptions."

(3) Add a new sentence to 2.3.1:

"However, two LDAP attributes with the same attribute type and different attribute descriptions will match for equality."

and add a new section 2.3.2:

2.3.2 Attribute description tagging options

If the "binary" attribute description tagging option is present in the LDAP attribute, the LDAP attribute value should be encoded using the base64-encoding, as discussed in section 2.5 below.

If a language tag attribute description tagging option [RFC 3866] is present in the LDAP attribute, then the language code from this option can be represented in the XML attribute xml:lang on the <AttributeValue> element.

Other profiles specify how SAML attributes are constructed for LDAP attributes with other tagging options.

[RFC 3866] Language Tags and Ranges in the Lightweight Directory Access Protocol (LDAP). K. Zeilenga, Ed. July 2004.
BTW for the reference [LDAP]: RFC 3377 is obsoleted by RFC 4510.

[RFC 4510] Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map. K. Zeilenga. June 2006.

Mark Wahl
Informed Control Inc.
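The mapping sketched in proposal (3) above, as an added example (it is not code from this message, from OASIS, or from any SAML implementation): an LDAP attribute description of the RFC 4512 form `type;option;option` is split into its attribute type and tagging options, the SAML attribute Name is derived from the type alone in the profile's `urn:oid:` form, a `binary` option triggers base64 encoding of the value, and a `lang-` option from RFC 3866 is carried as `xml:lang` on the `<AttributeValue>` element. The OID table is a constructed fragment for the demonstration; any other tagging option is rejected rather than silently dropped, which is the "other profiles" case the proposal leaves open.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape, quoteattr

# Constructed, partial attribute-type -> OID table for the example only;
# a real deployment would take this from the directory schema.
ATTRIBUTE_TYPE_OIDS: Dict[str, str] = {
    "cn": "2.5.4.3",
    "description": "2.5.4.13",
    "userCertificate": "2.5.4.36",
}

# RFC 4512 attribute description: a descriptor or a numeric OID, followed by
# zero or more ';'-separated tagging options.
_DESCRIPTION_RE = re.compile(
    r"^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)((?:;[A-Za-z0-9-]+)*)$"
)


def parse_attribute_description(desc: str) -> Tuple[str, List[str]]:
    """Split 'cn;lang-en-US' into ('cn', ['lang-en-US']); option case is kept."""
    m = _DESCRIPTION_RE.match(desc)
    if not m:
        raise ValueError(f"malformed attribute description: {desc!r}")
    options = [o for o in m.group(2).split(";") if o]
    return m.group(1), options


@dataclass
class SamlAttributeValue:
    name: str                       # derived SAML Attribute Name (urn:oid:...)
    value: str                      # text content of <AttributeValue>
    xml_lang: Optional[str] = None  # xml:lang on <AttributeValue>, if any
    binary: bool = False            # True when value is base64-encoded

    def to_xml(self) -> str:
        """Render the <AttributeValue> element; the Name lives on <Attribute>."""
        lang = f" xml:lang={quoteattr(self.xml_lang)}" if self.xml_lang else ""
        return f"<saml:AttributeValue{lang}>{escape(self.value)}</saml:AttributeValue>"


def ldap_to_saml(desc: str, raw_value: bytes) -> SamlAttributeValue:
    """Map one LDAP attribute (description + raw value) to a SAML attribute value.

    Tagging options are never transferred into the Name: only the attribute
    type decides it, so 'cn', 'cn;lang-en' and 'cn;lang-fr' share one Name.
    """
    attr_type, options = parse_attribute_description(desc)
    oid = attr_type if attr_type[0].isdigit() else ATTRIBUTE_TYPE_OIDS[attr_type]
    name = f"urn:oid:{oid}"

    xml_lang: Optional[str] = None
    is_binary = False
    for opt in options:                       # options are case-insensitive
        low = opt.lower()
        if low == "binary":
            is_binary = True
        elif low.startswith("lang-"):         # RFC 3866 language tag option
            xml_lang = opt[len("lang-"):]
        else:
            raise ValueError(f"tagging option {opt!r} is not covered by this profile")

    if is_binary:
        value = base64.b64encode(raw_value).decode("ascii")
    else:
        value = raw_value.decode("utf-8")
    return SamlAttributeValue(name, value, xml_lang, is_binary)


def same_saml_attribute(a: SamlAttributeValue, b: SamlAttributeValue) -> bool:
    """Equality as the proposal describes it: by derived Name only."""
    return a.name == b.name


if __name__ == "__main__":
    # Constructed sample entry: one name in two languages plus a binary value.
    for desc, raw in [("cn;lang-en", b"Mark"), ("cn;lang-fr", b"Marc"),
                      ("userCertificate;binary", b"\x30\x82\x01\x00")]:
        v = ldap_to_saml(desc, raw)
        print(v.name, v.to_xml())
```

Because the Name carries no options, a relying party that matches attributes by Name sees the two language variants as the same attribute with two values; the `xml:lang` attribute is the only place the distinction survives, which is exactly the equality behaviour the proposed sentence for 2.3.1 spells out.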