OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Best practice for embedding complex trees into SAML attributes

Hash: SHA1

On 12/06/2011 07:57 PM, Paul Madsen wrote:
> Hi all, I'm working on a SAML binding for SCIM (simplecloud.info)
> - enabling JIT provisioning as an alternative to the SCIM
> provisioning API.
> The challenge is mapping the (relatively) complex SCIM schema
> constructs into SAML's attributes.

The only way to implement that would be to shove the Name attribute
into an XPath implementation and the result might be very exciting
to debug - XPath just includes too many "features" that could trip you
up and trying to limit yourself to a subset would just defeat the
purpose of using XPath in the first place.

Isn't it better to go for a simpler document/information model and
map directly to attributes? Your only "difficult" issue is how to
handle addresses, right? And those could perhaps be compound values
of some sort. I think LDAP already introduced '$' separated lists
of address components back in the day for that very purpose.

In earlier lives I was involved in similar information modeling
exercise using RDF/OWL for IDM and to put it simply: the market
wasn't ready a level of complexity that went beyond very simple
lists of attribute-value pairs.

	Cheers Leif
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]