[mdx] syntax for entity-attributes
Tom Scavo
trscavo at gmail.com
Mon Sep 5 09:37:08 PDT 2011
On Mon, May 23, 2011 at 3:03 AM, Leif Johansson <leifj at mnt.se> wrote:
>
> Today the MDX query string supports a simple query syntax.
>
> mdx-url = url-prefix '/' query
> query = 1*(tag '+') / entityID / hash(entityID)
>
> Increasingly entity attributes are used to add context to
> EntityDescriptor elements and it would be nice to have a way
> to query for those.
>
> I propose the following: allow a tag to be formatted according
> to one of
>
> (1) '{' name-format '}' name '=' value
> (2) name '=' value
> (3) value
Coming back to this (after some months) because I don't think it was
fully resolved last time and I happen to need it now ;-)
A number of default values for name-format were discussed for case (2)
but the only one that really makes any sense to me is
urn:oasis:names:tc:SAML:2.0:attrname-format:uri
The interesting case is case (3). It can be interpreted in at least
two ways: a) there is some assumed default value for name, or b) the
given value is actually an anonymous entity attribute (I believe what
Leif called a "social tag" in his original post). I've gone down both
paths (conceptually) and they both pretty much arrive at the same
place. So I'll propose (a) since it's the more natural interpretation
and it fully aligns with Chad's original spec.
Specifically, assume the following default value for name in case (3):
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
Then case (3) is actually a shorthand for the following entity attribute:
  <mdattr:EntityAttributes
      xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
      <saml:AttributeValue>http://example.org/idp/saml</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
but of course this entity attribute would be redundant in metadata
since its value is already carried in the entityID XML attribute on
the <md:EntityDescriptor> element. At any rate, the case (3)
representation for an entityID is itself (which is consistent with the
original spec).
Now what about Leif's "social tags"? I'm not sure what is meant by
that term exactly, but consider the following example.
  <mdattr:EntityAttributes
      xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://names.incommon.org/attribute/entity/entity-role">
      <saml:AttributeValue>sp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://names.incommon.org/attribute/entity/entity-role">
      <saml:AttributeValue>idp</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
Since the entity-role attribute is implied by the role descriptors
contained in the <md:EntityDescriptor> element, there is no benefit
derived from explicitly asserting these entity attributes in metadata,
but in any event, we arrive at the following case (2) representations:
http://names.incommon.org/attribute/entity/entity-role=sp
http://names.incommon.org/attribute/entity/entity-role=idp
I guess any "social tag" could be represented in this way.
In summary, the defaults for case (1) are
urn:oasis:names:tc:SAML:2.0:attrname-format:uri
and
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
respectively. Everything else requires a full case (1) representation.
Does this seem reasonable?
Perhaps more important than the representation is the standardization
of entity attribute names. I wish there were a way to register or
propose standard names. Thoughts?
Tom
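The three tag forms and the proposed defaults, worked through as an added Python example (not code from the mdx list or from any MDX implementation): parse_tag fills in the case (2) and case (3) defaults, and select evaluates a '+'-joined query against constructed sample metadata carrying the entity-role attributes from the post. It assumes tags arrive already percent-decoded and that a bare value (case 3) is answered from the entityID XML attribute rather than from a redundant EntityAttributes element.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # default for case (2)
DEFAULT_NAME = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"        # default for case (3)

# Constructed sample metadata: one IdP and one SP, each asserting an entity-role attribute.
ENTITY_TMPL = """<md:EntityDescriptor entityID="{eid}"><md:Extensions><mdattr:EntityAttributes>
 <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="http://names.incommon.org/attribute/entity/entity-role">
  <saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
</mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"""
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s" xmlns:saml="%(saml)s">' % NS
          + ENTITY_TMPL.format(eid="http://example.org/idp/saml", role="idp")
          + ENTITY_TMPL.format(eid="http://example.org/sp/saml", role="sp")
          + "</md:EntitiesDescriptor>")

def parse_tag(tag):
    """Split '{fmt}name=value' / 'name=value' / 'value' into (name-format, name, value)."""
    name_format = DEFAULT_NAME_FORMAT
    if tag.startswith("{"):                       # case (1): explicit name-format
        close = tag.find("}")
        if close < 0:
            raise ValueError("unterminated name-format in tag: %r" % tag)
        name_format, tag = tag[1:close], tag[close + 1:]
    name, sep, value = tag.partition("=")
    if not sep:                                   # case (3): a bare value is an entityID
        name, value = DEFAULT_NAME, name
    if not name or not value:
        raise ValueError("empty name or value in tag: %r" % tag)
    return name_format, name, value

def entity_matches(entity, tag):
    """True if the EntityDescriptor carries the entity attribute the tag denotes."""
    name_format, name, value = parse_tag(tag)
    if (name_format, name) == (DEFAULT_NAME_FORMAT, DEFAULT_NAME):
        # The implied nameid-format:entity attribute is the entityID itself (assumption:
        # answer it from the entityID XML attribute, never from EntityAttributes).
        return entity.get("entityID") == value
    for attr in entity.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("NameFormat") == name_format and attr.get("Name") == name and any(
                (v.text or "").strip() == value for v in attr.iterfind("saml:AttributeValue", NS)):
            return True
    return False

def select(metadata_xml, query):
    """entityIDs matching every '+'-separated tag of an (already percent-decoded) query."""
    tags = [t for t in query.split("+") if t]
    root = ET.fromstring(metadata_xml)
    return [e.get("entityID") for e in root.iter("{%s}EntityDescriptor" % NS["md"])
            if tags and all(entity_matches(e, t) for t in tags)]
```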