Bug 287905 - Proposed claim encoding profile for SAML 1.1 tokens
Status: ASSIGNED
Product: z_Archived
Classification: Eclipse Foundation
Component: Higgins
Version: unspecified
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Sergey Lyakhov

Reported: 2009-08-27 22:17 EDT by Paul Trevithick
Modified: 2016-11-09 16:27 EST

Description Paul Trevithick 2009-08-27 22:17:57 EDT
Implement what's in this memo:

Proposed claim encoding profile for SAML 1.1 tokens

The Simple Identity Provider (SIP) Profile in Section 7 of the IMI 1.0 standard specifies that its claims shall be encoded in SAML 1.1 tokens by breaking the claim name URL into two parts: the final component of the URL, which is encoded as the SAML 1.1 AttributeName, and all components before the final slash, which are encoded as the SAML 1.1 AttributeNamespace. Likewise, the claim name is constructed from a SAML 1.1 token by concatenating the AttributeNamespace + "/" + AttributeName. However, this algorithm does not admit the possibility of claim names that are URIs but not URLs, such as those used by the Internet2 EduPerson schemas -- for instance urn:mace:dir:attribute-def:givenName -- and other X.500-based attribute systems.

Shibboleth uses a convention borrowed from SAML 2.0 to handle this case:  If the AttributeNamespace value is urn:oasis:names:tc:SAML:2.0:attrname-format:uri, then the AttributeName is to be interpreted as a (standalone) URI.  In this case, the claim name would be simply the AttributeName.  (This URN is defined in 8.2.2 of the SAML 2.0 spec, where it is used as a NameFormat value.)  Likewise, for backwards compatibility reasons, if the AttributeNamespace value is urn:mace:shibboleth:1.0:attributeNamespace:uri, the interpretation is the same, with the AttributeName being the claim name.

This SAML 1.1 token profile proposes that:
1. Implementations MUST utilize the entire claim URI as the claim name.
2. Implementations SHOULD accept claims encoded using the conventions in the Simple Identity Provider (SIP) profile (with the concatenation of the AttributeNamespace, a slash, and the AttributeName values constituting the claim name).
3. Implementations SHOULD recognize the two AttributeNamespace values of urn:oasis:names:tc:SAML:2.0:attrname-format:uri and urn:mace:shibboleth:1.0:attributeNamespace:uri as meaning that the AttributeName is the entire claim name URI.
4. When encoding a claim name that is not a URL, implementations SHOULD use an AttributeNamespace of urn:oasis:names:tc:SAML:2.0:attrname-format:uri and an AttributeName that is the URI.
5. When encoding a claim name that is a URL, implementations are free to use either the SIP convention from IMI 1.0 or the urn:oasis:names:tc:SAML:2.0:attrname-format:uri convention.

Note:  Maximum interoperability is likely to be achieved by (1) using URL-valued claims, and (2) encoding URL-valued claims by using the SIP convention, since this is what has been implemented by the Windows Communication Foundation and other Web Services stacks that interoperate with it, as well as by the Higgins Project and other popular open source implementations.

References:
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf
https://spaces.internet2.edu/display/InCNIH/NIH+Shibboleth+1.3+IDP+Configuration
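As an added example (not code from the bug report or from the Higgins project), the following Python implements the decoding rules 2 and 3 and the encoding rules 4 and 5 of the proposed profile and applies them to a constructed SAML 1.1 assertion. The function names are mine, and the sample uses an IMI claim URL for the SIP case alongside the EduPerson URN from the memo.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Both namespaces mean "AttributeName is the whole claim URI" (rule 3 of the memo).
URI_FORMAT_NAMESPACES = {URI_FORMAT, "urn:mace:shibboleth:1.0:attributeNamespace:uri"}

def claim_name_from_attribute(namespace: str, name: str) -> str:
    """Decode: rule 3 for the URI-format namespaces, otherwise the SIP concatenation (rule 2)."""
    if namespace in URI_FORMAT_NAMESPACES:
        return name
    return namespace.rstrip("/") + "/" + name  # tolerate a namespace written with a trailing slash

def attribute_from_claim_name(claim: str, prefer_sip: bool = True) -> tuple[str, str]:
    """Encode: a URL may use the SIP split (rule 5); any other URI uses the URI-format namespace (rule 4)."""
    p = urlsplit(claim)
    last_segment = p.path.rpartition("/")[2]
    is_url = (p.scheme in ("http", "https") and bool(p.netloc) and bool(last_segment)
              and not p.query and not p.fragment)  # only split when a clean final path component exists
    if is_url and prefer_sip:
        namespace, _, name = claim.rpartition("/")
        return namespace, name
    return URI_FORMAT, claim

def claims_from_assertion(xml_text: str) -> dict[str, list[str]]:
    """Walk the SAML 1.1 AttributeStatement and key every value by its decoded claim name."""
    claims: dict[str, list[str]] = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML1_NS}}}Attribute"):
        claim = claim_name_from_attribute(attr.get("AttributeNamespace", ""), attr.get("AttributeName", ""))
        values = [v.text or "" for v in attr.findall(f"{{{SAML1_NS}}}AttributeValue")]
        claims.setdefault(claim, []).extend(values)
    return claims

# Constructed sample assertion (not from the page): one SIP-encoded IMI claim and one
# EduPerson URN encoded with the URI-format namespace.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
   <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:givenName" AttributeNamespace="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for claim, values in claims_from_assertion(SAMPLE_ASSERTION).items():
        print(claim, "->", values, "re-encoded as", attribute_from_claim_name(claim))
```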