Subject: Re: [security-services] Best practice for embedding complex trees into SAML attributes
Thanks guys, I took your feedback back to SCIM and we are going to step back & revisit the model, exploring how we can better leverage existing SAML constructs.

If you want to directly contribute to that discussion, please do so on the SCIM list.
On 12/6/11 6:39 PM, Cantor, Scott wrote:
On 12/6/11 1:57 PM, "Paul Madsen" <email@example.com> wrote:

> Current proposal is to use an XPath expression as the value of the SAML Attribute Name to represent its position in a notional SCIM XML representation of a user.

I echo Leif's objections to actual use of XPath, but it isn't clear from the description of the proposal whether actually evaluating them is really part of the outcome here. It seems more like a convention to establish names of attributes in a relatively systematic way, and might not even formally be XPath necessarily.

The proposal to capture the entire structure in one value works on a basic level, certainly, but the fact is that virtually all implementations will simply choke on it. Mine won't, but it's an exception, not the rule.

What I will say, since you're asking, is how strongly I object to defining yet another schema for representing a freaking name and email address. We have X.500/LDAP schemas for these things, and we have well-defined names in SAML for those attributes that avoid all the non-stop arguing from people who should have better things to do with their time. Please use them.

As an IdP, I will most certainly *not* deploy a bunch of made up names for the same data elements I already support using standard names. If you do this, then in a SAML context, SCIM will just create extra work for me. I'm speaking as a deployer, not as a TC member. The whole point of profiles should be to align to the best practices of the technology you're profiling.

-- Scott
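The thread contrasts two ways of naming SAML attributes that carry a user's name and e-mail: the standard X.500/LDAP attribute types expressed as urn:oid names, which Scott recommends, and per-proposal path-style names derived from a notional SCIM XML document. The following Python script is an added illustration written for this page, not code from the thread, the SAML TC or the SCIM project. It emits a SAML 2.0 AttributeStatement using the standard OID names and then runs a minimal, strict consumer over it; the consumer maps only Names it knows back to friendly names and reports anything else rather than trying to interpret it. The person values and the path-style name in the demonstration are constructed sample data; the OID-to-name table is the standard LDAP one.

```python
"""Standard urn:oid SAML attribute names versus ad hoc path-style names.

Added example for the thread above; not the project's own code.
Sample values are constructed; the OID table is the standard LDAP schema
(RFC 4519 core attributes plus inetOrgPerson displayName).
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Standard LDAP attribute types as SAML attribute Names (the names Scott asks for).
OID_TO_FRIENDLY = {
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}
FRIENDLY_TO_OID = {v: k for k, v in OID_TO_FRIENDLY.items()}


def build_attribute_statement(values):
    """Serialise {friendlyName: [value, ...]} as a SAML AttributeStatement.

    Every Attribute uses the urn:oid Name and the uri NameFormat; FriendlyName
    is a display hint only and carries no meaning for the consumer.
    """
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for friendly, vals in values.items():
        if friendly not in FRIENDLY_TO_OID:
            raise ValueError(f"no standard OID known for {friendly!r}")
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", {
            "Name": FRIENDLY_TO_OID[friendly],
            "NameFormat": URI_FORMAT,
            "FriendlyName": friendly,
        })
        for v in vals:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")


def consume_attribute_statement(xml_text):
    """Parse an AttributeStatement into ({friendly: [values]}, [unknown Names]).

    The consumer keys on the Name attribute alone (never on FriendlyName, which
    the issuer can set to anything) and accepts only Names in its table. A Name
    it does not know, such as a path into some other schema, is listed as
    unknown and its values are left uninterpreted.
    """
    root = ET.fromstring(xml_text)
    known, unknown = {}, []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        vals = [(v.text or "") for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        friendly = OID_TO_FRIENDLY.get(name)
        if friendly is None:
            unknown.append(name)
        else:
            known.setdefault(friendly, []).extend(vals)
    return known, unknown


# Constructed sample: the same person carried under a hypothetical path-style
# Name of the kind the proposal describes. Not a name from any real profile.
PATH_STYLE_SAMPLE = (
    f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'
    '<saml:Attribute Name="/User/name/givenName">'
    "<saml:AttributeValue>Paul</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement>"
)

if __name__ == "__main__":
    standard = build_attribute_statement(
        {"givenName": ["Paul"], "sn": ["Madsen"], "mail": ["paul@example.org"]}
    )
    print(standard)
    print(consume_attribute_statement(standard))
    print(consume_attribute_statement(PATH_STYLE_SAMPLE))
```

Running the script shows the standard statement round-tripping into `{'givenName': ['Paul'], 'sn': ['Madsen'], 'mail': ['paul@example.org']}` with no unknown names, while the path-style sample yields nothing usable and one unknown Name. Keying on the Name rather than the FriendlyName is the design point: FriendlyName is issuer-controlled text, and a consumer that trusts it can be handed one attribute's value under another attribute's label.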