Subject: proposed new text for X.500/LDAP attribute profile
Below is proposed new text for the X.500/LDAP attribute profile, based on discussions with some X.500/LDAP experts last week (I sent .sxw format to the editors). The attribute value issue is rather complex, but I think the proposed text will be both more or less correct for now and somewhat future-enabled if more sophisticated ASN.1<->XML methods emerge. The main new thing is adding an "Encoding" XML attribute to the Attribute element, so that the currently-specified LDAP-specific encodings might be changed out later (e.g. for the RXER encoding included in the XED work).

I'm headed off for some vacation, but will check mail occasionally. I won't be on the Tuesday call.

- RL "Bob"

---

8.2 X.500/LDAP Attribute Profile

Directories based on the ITU-T X.500 specifications [X.500] and the related IETF Lightweight Directory Access Protocol specifications [LDAP] are widely deployed. Organizations using these directories make use of directory schema to model information to be stored in the directories. This includes common schema defined in the X.500 and LDAP specifications themselves, schema defined in other public documents (such as the Internet2/Educause EduPerson schema [eduPersonSchema], or the inetOrgPerson schema [RFC2798]), and schema defined for particular private purposes. In any of these cases, organizations may wish to reuse these schema definitions in the context of SAML attribute statements, and to do so in an interoperable fashion. The X.500/LDAP attribute profile defines a common convention for the naming and representation of such attributes when expressed as SAML attributes.

8.2.1 Required Information

Identification: urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP
Contact information: security-services-comment@lists.oasis-open.org
Description: Given below.
Updates: None.

8.2.2 SAML Attribute Naming

The NameFormat XML attribute in <AttributeDesignator> and <Attribute> elements MUST be urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
To construct attribute names, the URN oid namespace described in [RFC3061] is used. In this approach the Name XML attribute is based on the OBJECT IDENTIFIER assigned to the X.500/LDAP attribute type.

Example: urn:oid:2.5.4.3

Since X.500 procedures require that every attribute type be identified with a unique OBJECT IDENTIFIER, this naming scheme ensures that the derived SAML attribute names are unambiguous. For purposes of human readability, there may also be a requirement for some applications to carry an optional string name together with the OID URN. The optional XML attribute FriendlyName (defined in [SAMLCore]) MAY be used for this purpose. If the definition of the X.500/LDAP attribute type includes one or more descriptors (short names) for the attribute type, the FriendlyName value, if present, SHOULD be one of the defined descriptors.

8.2.3 Profile-Specific XML Attributes

An XML attribute is defined for the <Attribute> element:

Encoding [Optional]
The value of this XML attribute specifies the encoding used for the SAML attribute value. Only one value of this attribute is defined at this time: LDAP. This specifies the use of the LDAP-specific encoding for this X.500 attribute value, as described in section 8.2.5.

8.2.4 <AttributeDesignator> Comparison

Two <AttributeDesignator> elements are equal if and only if their Name XML attribute values are equal in the sense of [RFC3061]. The FriendlyName attribute plays no role in the comparison.

8.2.5 SAML Attribute Values

X.500 attribute definitions for use in native X.500 directories specify the syntax of the attribute using ASN.1 [X.680]. For transfer via the LDAP protocol, attribute definitions may additionally include an LDAP-specific encoding, commonly of Unicode characters in UTF-8 form. This encoding is identified by an LDAP-specific syntax. This SAML attribute profile only specifies the form of SAML attribute values for those attributes for which an LDAP-specific syntax is provided.
Future extensions to this profile may define attribute value formats for other X.500-defined attributes.

For the following LDAP-specific syntaxes:

  Syntax name                      Syntax OID
  Attribute Type Description       1.3.6.1.4.1.1466.115.121.1.3
  Bit String                       1.3.6.1.4.1.1466.115.121.1.6
  Boolean                          1.3.6.1.4.1.1466.115.121.1.7
  Country String                   1.3.6.1.4.1.1466.115.121.1.11
  DN                               1.3.6.1.4.1.1466.115.121.1.12
  Delivery Method                  1.3.6.1.4.1.1466.115.121.1.14
  Directory String                 1.3.6.1.4.1.1466.115.121.1.15
  DIT Content Rule Description     1.3.6.1.4.1.1466.115.121.1.16
  DIT Structure Rule Description   1.3.6.1.4.1.1466.115.121.1.17
  Enhanced Guide                   1.3.6.1.4.1.1466.115.121.1.21
  Facsimile Telephone Number       1.3.6.1.4.1.1466.115.121.1.22
  Generalized Time                 1.3.6.1.4.1.1466.115.121.1.24
  Guide                            1.3.6.1.4.1.1466.115.121.1.25
  IA5 String                       1.3.6.1.4.1.1466.115.121.1.26
  INTEGER                          1.3.6.1.4.1.1466.115.121.1.27
  LDAP Syntax Description          1.3.6.1.4.1.1466.115.121.1.54
  Matching Rule Description        1.3.6.1.4.1.1466.115.121.1.30
  Matching Rule Use Description    1.3.6.1.4.1.1466.115.121.1.31
  Name And Optional UID            1.3.6.1.4.1.1466.115.121.1.34
  Name Form Description            1.3.6.1.4.1.1466.115.121.1.35
  Numeric String                   1.3.6.1.4.1.1466.115.121.1.36
  Object Class Description         1.3.6.1.4.1.1466.115.121.1.37
  Octet String                     1.3.6.1.4.1.1466.115.121.1.40
  OID                              1.3.6.1.4.1.1466.115.121.1.38
  Other Mailbox                    1.3.6.1.4.1.1466.115.121.1.39
  Postal Address                   1.3.6.1.4.1.1466.115.121.1.41
  Protocol Information             1.3.6.1.4.1.1466.115.121.1.42
  Presentation Address             1.3.6.1.4.1.1466.115.121.1.43
  Printable String                 1.3.6.1.4.1.1466.115.121.1.44
  Substring Assertion              1.3.6.1.4.1.1466.115.121.1.58
  Telephone Number                 1.3.6.1.4.1.1466.115.121.1.50
  Teletex Terminal Identifier      1.3.6.1.4.1.1466.115.121.1.51
  Telex Number                     1.3.6.1.4.1.1466.115.121.1.52
  UTC Time                         1.3.6.1.4.1.1466.115.121.1.53

the value of an X.500 attribute of this syntax is encoded simply as the UTF-8 string itself, as the content of the <AttributeValue> element, with no additional whitespace.
In such cases, the xsi:type XML attribute MUST be set to xsd:string. The Encoding XML attribute is provided, with a value of "LDAP".

For all other LDAP syntaxes, the attribute value is encoded, as the content of the <AttributeValue> element, by base64-encoding [RFC2045] the encompassing ASN.1 OCTET STRING-encoded LDAP attribute value. The xsi:type XML attribute MUST be set to xsd:base64Binary. The Encoding XML attribute is provided, with a value of "LDAP".

When comparing SAML attribute values for equality, the matching rules specified for the corresponding X.500/LDAP attribute type MUST be observed (case sensitivity, for example).

8.2.6 Example

The following is an example of a mapping of the "givenName" LDAP/X.500 attribute, representing the SAML assertion subject's first name. Its OID is 2.5.4.42 and the syntax is Directory String.

  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="urn:oid:2.5.4.42"
                  FriendlyName="givenName"
                  Encoding="LDAP">
    <saml:AttributeValue xsi:type="xsd:string">By-Tor</saml:AttributeValue>
  </saml:Attribute>
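As an added illustration (not part of the proposed text or of any SAML implementation), the following Python maps an LDAP attribute value into the profile's <saml:Attribute> form and back: the string-versus-base64 rule of 8.2.5, the Encoding XML attribute of 8.2.3, the urn:oid naming of 8.2.2, and the Name-only comparison of 8.2.4. The consumer side refuses to interpret a value unless Encoding="LDAP" and the NameFormat match, so a FriendlyName alone never decides how a value is read; STRING_SYNTAXES is a three-entry subset of the table above, and the attribute OID 1.2.3.4.5 used in the test for the Octet String case is a constructed placeholder.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Subset of the table above: LDAP syntaxes whose values travel as plain UTF-8 strings.
STRING_SYNTAXES = {"1.3.6.1.4.1.1466.115.121.1.15",   # Directory String
                   "1.3.6.1.4.1.1466.115.121.1.26",   # IA5 String
                   "1.3.6.1.4.1.1466.115.121.1.12"}   # DN

def saml_attribute_name(oid: str) -> str:
    # Section 8.2.2: Name is the RFC 3061 urn:oid form of the attribute type's OID.
    if not all(arc.isdigit() for arc in oid.split(".")):
        raise ValueError(f"not a dotted numeric OID: {oid!r}")
    return "urn:oid:" + oid

def build_attribute(oid, syntax_oid, raw_value: bytes, friendly_name=None):
    # Map one LDAP attribute value to <saml:Attribute> per sections 8.2.3 and 8.2.5.
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", NameFormat=URI_FORMAT,
                      Name=saml_attribute_name(oid), Encoding="LDAP")
    if friendly_name:
        attr.set("FriendlyName", friendly_name)  # display only, never used for matching
    val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    if syntax_oid in STRING_SYNTAXES:
        val.set(f"{{{XSI_NS}}}type", "xsd:string")
        val.text = raw_value.decode("utf-8")     # raises on malformed UTF-8
    else:
        val.set(f"{{{XSI_NS}}}type", "xsd:base64Binary")
        val.text = base64.b64encode(raw_value).decode("ascii")
    return attr

def decode_attribute_values(attr) -> list:
    # Consumer side: recover the LDAP octets; xsi:type is only meaningful when Encoding="LDAP".
    if attr.get("Encoding") != "LDAP" or attr.get("NameFormat") != URI_FORMAT:
        raise ValueError("not an X.500/LDAP profile attribute")
    out = []
    for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
        xsi_type, text = val.get(f"{{{XSI_NS}}}type"), val.text or ""
        if xsi_type == "xsd:string":
            out.append(text.encode("utf-8"))
        elif xsi_type == "xsd:base64Binary":
            out.append(base64.b64decode(text, validate=True))
        else:
            raise ValueError(f"unexpected xsi:type {xsi_type!r}")
    return out

def designators_equal(name_a: str, name_b: str) -> bool:
    # Section 8.2.4: compare Name only; RFC 3061 makes the whole URN case-insensitive.
    return name_a.lower() == name_b.lower()
```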