I am using SimpleSAMLphp as an IdP and I would like to present my user
attributes with both OIDs and "friendly names" to some SPs the way
openidp.feide.no does.
I am aware of the following configuration stanza in
saml20-idp-hosted.php. However, it seems to convert them, not add
additional attributes with OIDs.

    'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),

Bottom line, I would like to have attributes with standard schema names
(e.g., cn, displayName, eduPersonPrincipalName) alongside those with OIDs.
Thanks again for all the great work on SimpleSAMLphp!
--
Steve Moitozo
IMO there's no need for short names (your "friendly names") as
attribute names on the wire. SAML2 already has a friendlyName XML
attribute (if you wanted to quickly identify an attribute in an
assertion) and for all other cases your SP can map those to friendly
names.
So IMO you should not be sending out short names, as these don't have
any formal syntax or semantics (what's a "givenName" exactly without a
reference to http://tools.ietf.org/html/rfc4519#section-2.12 ?)
The only reason openidp.feide.no sends out /both/ is that it used to
send only the short name, me pointing out that this violates the
http://saml2int.org/ specs -- from the same author as SSP -- and that
openidp.feide.no is being used by many SPs expecting the old behaviour
(short names), so simply switching to saml2int-compatible behaviour
wasn't desirable.
-peter
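The difference the two messages are arguing about, as an added example that is not part of the thread and not SimpleSAMLphp code: a name-to-OID map applied the way Steve observes (rename in place, old key gone), the "send both" variant openidp.feide.no ended up with (short name kept, OID key added), and Peter's alternative of putting the OID on the wire as the attribute Name with the short name only as a SAML2 FriendlyName hint. The three OIDs are the standard ones for cn, displayName and eduPersonPrincipalName; the attribute values are constructed sample data, and the function names are this example's own, not SimpleSAMLphp filter names.

```python
"""Added example (not from the mailing-list thread, not SimpleSAMLphp code):
three ways of exposing LDAP-named user attributes to a SAML2 SP."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Subset of a name2oid map: LDAP short name -> urn:oid attribute name.
# These three OID values are the standard registrations for the attributes.
NAME2OID = {
    "cn": "urn:oid:2.5.4.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}

# Constructed sample attribute set (the shape an IdP holds per user:
# name -> list of values). 'uid' is deliberately absent from NAME2OID.
SAMPLE_ATTRS = {
    "cn": ["Jane Example"],
    "displayName": ["Jane Example"],
    "eduPersonPrincipalName": ["jane@example.org"],
    "uid": ["jane"],
}


def map_attributes(attrs, mapping):
    """Rename in place: keys in the map are replaced by their OID form,
    unmapped keys pass through. This is the 'convert, not add' behaviour
    Steve describes; the short names are gone afterwards."""
    return {mapping.get(name, name): list(values) for name, values in attrs.items()}


def copy_attributes(attrs, mapping):
    """Keep the short name and add the OID key alongside it, i.e. the
    'both' behaviour openidp.feide.no sends for backwards compatibility.
    Every mapped attribute appears twice on the wire."""
    out = {name: list(values) for name, values in attrs.items()}
    for name, values in attrs.items():
        if name in mapping:
            out[mapping[name]] = list(values)
    return out


def attribute_statement(attrs, mapping):
    """Peter's alternative: one <saml:Attribute> per attribute, Name is the
    OID (urn:oid:...), NameFormat is the uri format, and the short name
    travels only as the FriendlyName XML attribute, which SPs may use as
    a display hint but not as the attribute identity."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute")
        attr.set("Name", mapping.get(name, name))
        attr.set("NameFormat", NAME_FORMAT_URI)
        if name in mapping:
            attr.set("FriendlyName", name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return stmt


def describe_statement(stmt):
    """List (Name, FriendlyName) per Attribute element, in document order."""
    return [
        (attr.get("Name"), attr.get("FriendlyName"))
        for attr in stmt.findall(f"{{{SAML_NS}}}Attribute")
    ]


def to_xml(stmt):
    """Serialise the statement so the wire form can be inspected."""
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    print(sorted(map_attributes(SAMPLE_ATTRS, NAME2OID)))
    print(sorted(copy_attributes(SAMPLE_ATTRS, NAME2OID)))
    print(to_xml(attribute_statement(SAMPLE_ATTRS, NAME2OID)))
```

Running it shows that map_attributes yields four keys with no `cn`, copy_attributes yields seven (every mapped name duplicated), and the AttributeStatement carries four Attribute elements whose Name is the OID and whose FriendlyName is the short name, which is the saml2int-style wire form without the duplication.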