[mdx] syntax for entity-attributes
Leif Johansson
leifj at sunet.se
Mon Sep 5 10:39:52 PDT 2011
On 09/05/2011 06:37 PM, Tom Scavo wrote:
> On Mon, May 23, 2011 at 3:03 AM, Leif Johansson <leifj at mnt.se> wrote:
>>
>> Today the MDX query string supports a simple query syntax.
>>
>> mdx-url = url-prefix '/' query
>> query = 1*(tag '+') / entityID / hash(entityID)
>>
>> Increasingly entity attributes are used to add context to
>> EntityDescriptor elements and it would be nice to have a way
>> to query for those.
>>
>> I propose the following: allow a tag to be formatted according
>> to one of
>>
>> (1) '{' name-format '}' name '=' value
>> (2) name '=' value
>> (3) value
>
> Coming back to this (after some months) because I don't think it was
> fully resolved last time and I happen to need it now ;-)
>
> A number of default values for name-format were discussed for case (2)
> but the only one that really makes any sense to me is
>
> urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Scott argued that point. Quite right.
>
> The interesting case is case (3). It can be interpreted in at least
> two ways: a) there is some assumed default value for name, or b) the
> given value is actually an anonymous entity attribute (I believe what
> Leif called a "social tag" in his original post). I've gone down both
> paths (conceptually) and they both pretty much arrive at the same
> place. So I'll propose (a) since it's the more natural interpretation
> and it fully aligns with Chad's original spec.
>
> Specifically, assume the following default value for name in case (3):
>
> urn:oasis:names:tc:SAML:2.0:nameid-format:entity
>
> Then case (3) is actually a shorthand for the following entity attribute:
>
> <mdattr:EntityAttributes
> xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
> <saml:Attribute
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> <saml:AttributeValue>http://example.org/idp/saml</saml:AttributeValue>
> </saml:Attribute>
> </mdattr:EntityAttributes>
>
> but of course this entity attribute would be redundant in metadata
> since its value is already carried in the entityID XML attribute on
> the <md:EntityDescriptor> element. At any rate, the case (3)
> representation for an entityID is itself (which is consistent with the
> original spec).
I love it!
>
> Now what about Leif's "social tags"? I'm not sure what is meant by
> that term exactly, but consider the following example.
>
> <mdattr:EntityAttributes
> xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
> <saml:Attribute
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="http://names.incommon.org/attribute/entity/entity-role">
> <saml:AttributeValue>sp</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> Name="http://names.incommon.org/attribute/entity/entity-role">
> <saml:AttributeValue>idp</saml:AttributeValue>
> </saml:Attribute>
> </mdattr:EntityAttributes>
>
> Since the entity-role attribute is implied by the role descriptors
> contained in the <md:EntityDescriptor> element, there is no benefit
> derived from explicitly asserting these entity attributes in metadata,
> but in any event, we arrive at the following case (2) representations:
>
> http://names.incommon.org/attribute/entity/entity-role=sp
> http://names.incommon.org/attribute/entity/entity-role=idp
>
> I guess any "social tag" could be represented in this way.
Actually that is not what I had in mind. By 'social tag' I meant to
express a semantic-free "label" that contains folksonomy-driven
information about the entity. For instance some group of people might
assign the label 'archeology' to entities relevant to that community.
>
> In summary, the defaults for case (1) are
>
> urn:oasis:names:tc:SAML:2.0:attrname-format:uri
>
> and
>
> urn:oasis:names:tc:SAML:2.0:nameid-format:entity
>
> respectively. Everything else requires a full case (1) representation.
> Does this seem reasonable?
It does. I suspect the most important use case might be for
resolving entities by accreditation (i.e. all OIX LoA1 IdPs).
>
> Perhaps more important than the representation is the standardization
> of entity attribute names. I wish there were a way to register or
> propose standard names. Thoughts?
I agree. If I had a penny for every time I felt an urge for
a registry of some sort I wouldn't have to work for a living :-)
Cheers, Leif
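The tag expansion discussed in the thread, written out as an added Python example (not code from the mdx project or from either poster): each tag is expanded to a full (name-format, name, value) triple using the proposed defaults, and case (3) is resolved against the entityID rather than against an entity attribute. The sample entity records, the `http://example.org/tag` name carrying the 'archeology' label, and splitting the query on '+' are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Defaults proposed in the thread; applying them exactly as discussed is this example's assumption.
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ENTITY_NAME = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

@dataclass(frozen=True)
class AttrQuery:
    name_format: str
    name: str
    value: str

def parse_tag(tag: str) -> AttrQuery:
    """Expand one query tag into a full (name-format, name, value) triple."""
    if tag.startswith("{"):               # case (1): '{' name-format '}' name '=' value
        m = re.fullmatch(r"\{([^{}]+)\}([^=]+)=(.+)", tag)
        if not m:
            raise ValueError(f"malformed tag: {tag!r}")
        return AttrQuery(m.group(1), m.group(2), m.group(3))
    if "=" in tag:                        # case (2): name-format defaults to uri
        name, value = tag.split("=", 1)
        if not name or not value:
            raise ValueError(f"malformed tag: {tag!r}")
        return AttrQuery(URI_FORMAT, name, value)
    if not tag:
        raise ValueError("empty tag")
    return AttrQuery(URI_FORMAT, ENTITY_NAME, tag)   # case (3): entityID shorthand

def matches(entity: dict, q: AttrQuery) -> bool:
    """entity = {"entityID": str, "attributes": {(name_format, name, value), ...}}"""
    # Case (3) names the entityID, which metadata carries as an XML attribute on
    # EntityDescriptor rather than as an entity attribute, so compare it directly.
    if (q.name_format, q.name) == (URI_FORMAT, ENTITY_NAME) and entity["entityID"] == q.value:
        return True
    return (q.name_format, q.name, q.value) in entity["attributes"]

def select(entities: list, query: str) -> list:
    """Return the entityIDs of entities matching every '+'-separated tag."""
    tags = [parse_tag(t) for t in query.split("+") if t]
    return [e["entityID"] for e in entities if all(matches(e, t) for t in tags)]

# Constructed sample metadata (not real entities); ROLE is the name used in the thread.
ROLE = "http://names.incommon.org/attribute/entity/entity-role"
ENTITIES = [
    {"entityID": "http://example.org/idp/saml",
     "attributes": {(URI_FORMAT, ROLE, "idp"), (URI_FORMAT, "http://example.org/tag", "archeology")}},
    {"entityID": "http://example.org/sp/saml", "attributes": {(URI_FORMAT, ROLE, "sp")}},
]
```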