security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Best practice for embedding complex trees into SAML attributes


Hi all, I'm working on a SAML binding for SCIM (simplecloud.info) - enabling JIT provisioning as an alternative to the SCIM provisioning API.

The challenge is mapping the (relatively) complex SCIM schema constructs into SAML's attributes.

Current proposal is to use an XPath expression as the value of the SAML Attribute Name to represent its position in a notional SCIM XML representation of a user.

So, for a SCIM document like

<SCIM>
    <externalId>701984</externalId>
    <name>
        <formatted>Ms. Babs J Jensen III</formatted>
    </name>
    <emails>
        <email type="work" primary="true">bjensen@example.com</email>
        <email type="home">babs@jensen.com</email>
    </emails>
    <addresses>
        <address type="work" primary="true">
            <formatted>100 Universal City Plaza, Hollywood, CA 91608 USA</formatted>
        </address>
        <address type="work" primary="true">
            <formatted>100 Universal City Plaza, Hollywood, CA 91608 USA</formatted>
        </address>
    </addresses>
</SCIM>

we'd get the following SAML Attributes

<saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="externalId">
    <saml:AttributeValue xsi:type="xs:string">701984</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="name/formatted">
    <saml:AttributeValue xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="emails/email[@type='work' and @primary='true']">
    <saml:AttributeValue xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="emails/email[@type='home']">
    <saml:AttributeValue xsi:type="xs:string">babs@jensen.com</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute NameFormat="urn:scim:schemas:core:1.0" Name="addresses/address[@type='work' and @primary='true']/formatted">
    <saml:AttributeValue xsi:type="xs:string">100 Universal City Plaza, Hollywood, CA 91608 USA</saml:AttributeValue>
</saml:Attribute>


Alternatively, shove the complete SCIM document in the SAML AttributeValue.....

SCIM is clearly not the first time this issue has arisen. Best practice?
--
Paul Madsen  |  Sr Technical Architect
PingIdentity  |   www.pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
O: +1.303.396.6209   M: +1 303.818.0185
Email: pmadsen@pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Connect with Ping
Twitter: @pingidentity
LinkedIn Group: Ping's Identity Cloud    
Facebook.com/pingidentitypage
Connect with me
Twitter: @paulmadsen
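A worked example of the XPath-as-Name mapping proposed above, added here as an illustration and not part of Paul's message or of any SCIM or SAML implementation: it flattens the sample SCIM document into saml:Attribute elements and also reports names whose XPath matches more than one leaf (the two identical work addresses in the sample collide), which is the check a relying party needs before keying on such names. It assumes Python 3.8 or later, so that XML attribute order is preserved and the predicates come out in the order the post uses.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NAME_FORMAT = "urn:scim:schemas:core:1.0"  # the NameFormat used in the post

# Constructed sample: the SCIM user document from the post, whitespace tidied.
SCIM_DOC = """<SCIM>
  <externalId>701984</externalId>
  <name><formatted>Ms. Babs J Jensen III</formatted></name>
  <emails>
    <email type="work" primary="true">bjensen@example.com</email>
    <email type="home">babs@jensen.com</email>
  </emails>
  <addresses>
    <address type="work" primary="true"><formatted>100 Universal City Plaza, Hollywood, CA 91608 USA</formatted></address>
    <address type="work" primary="true"><formatted>100 Universal City Plaza, Hollywood, CA 91608 USA</formatted></address>
  </addresses>
</SCIM>"""

def xpath_step(elem):
    """One XPath step: the tag plus a predicate built from the element's own attributes."""
    if not elem.attrib:
        return elem.tag
    return "%s[%s]" % (elem.tag, " and ".join("@%s='%s'" % kv for kv in elem.attrib.items()))

def flatten(scim_xml):
    """Map each leaf text node to its XPath relative to the SCIM root.
    Returns {name: [values]}; colliding names are collected, not silently dropped."""
    attrs = {}
    def walk(elem, path):
        if len(elem) == 0:
            text = (elem.text or "").strip()
            if text:
                attrs.setdefault("/".join(path), []).append(text)
        for child in elem:
            walk(child, path + [xpath_step(child)])
    walk(ET.fromstring(scim_xml), [])
    return attrs

def ambiguous_names(attrs):
    """Names whose XPath selects more than one leaf; a relying party cannot tell those apart."""
    return sorted(n for n, vals in attrs.items() if len(vals) > 1)

def to_saml_attributes(attrs):
    """Serialise as saml:Attribute elements, one AttributeValue per collected value."""
    ET.register_namespace("saml", SAML_NS)
    ET.register_namespace("xsi", XSI_NS)
    parts = []
    for name, values in attrs.items():
        a = ET.Element("{%s}Attribute" % SAML_NS, NameFormat=NAME_FORMAT, Name=name)
        for v in values:
            ET.SubElement(a, "{%s}AttributeValue" % SAML_NS, {"{%s}type" % XSI_NS: "xs:string"}).text = v
        parts.append(ET.tostring(a, encoding="unicode"))
    return "\n".join(parts)
```

Running `to_saml_attributes(flatten(SCIM_DOC))` reproduces the attributes shown in the post, except that the duplicated address becomes one Attribute with two AttributeValue children rather than being silently reduced to one.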

