urn:oid how to find this?


Joe Tyler

Jun 13, 2016, 4:08:14 PM
to SimpleSAMLphp
This is probably a dumb question, but how do I find the urn:oid of each of my attributes that I'm sending to the SP? Thanks for the help. -- Joe

Keith Hazelton

Jun 13, 2016, 4:11:40 PM
to simple...@googlegroups.com

Search for your attribute in eduPerson (201602) or schac

The oid is listed in the attribute definition. --Keith


-- 

email & jabber: keith.h...@wisc.edu

calendar: http://go.wisc.edu/i6zxx0

--
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at https://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.

Peter Schober

Jun 13, 2016, 6:05:11 PM
to SimpleSAMLphp
* Joe Tyler <joseph...@gmail.com> [2016-06-13 22:08]:
> This is probably a dumb question, but how do I find the urn:oid of
> each of my attributes that I'm sending to the SP? Thanks for the
> help. -- Joe

If you're sending them to the SP with urn:oid:... names then your SSP
instance must already know those URIs. If your question is how SSP
does this, have a look at the files in the attributemap folder in your
SSP installation, e.g. name2oid.php
https://github.com/simplesamlphp/simplesamlphp/tree/master/attributemap

Stuff that's *not* in those files is unlikely to be released by your
IDP -- unless you configured the URI explicitly yourself.

For the more general question Keith's suggestion is very useful for
eduPerson and many IETF-defined attributes. (See also e.g. RFC 4519 or
4524).

The SCHAC schema https://wiki.refeds.org/display/stan/SCHAC also
includes OIDs for defined attributes (and object classes) in the
released specification, though SSP does not have an up-to-date list of
SCHAC attribute names and OIDs in the attributemaps, IIRC.

For everything else "it depends", as usual.
-peter

Joe Tyler

Jun 13, 2016, 9:45:19 PM
to SimpleSAMLphp, peter....@univie.ac.at
I'm the IDP in this scenario and the SP is requesting the urn:oid that we'll be using as the UUID. It's not a typical attribute, as it's not in the attributemap or any of the other links provided. It is, however, the best UUID in our environment. Since it's not in the mapping and I can't find it documented elsewhere, must I give up and use a different attribute?

Joe Tyler

Jun 13, 2016, 9:53:02 PM
to SimpleSAMLphp, peter....@univie.ac.at
The attribute in question is 'extensionAttribute1'.

Peter Schober

Jun 13, 2016, 10:45:07 PM
to SimpleSAMLphp
* Joe Tyler <joseph...@gmail.com> [2016-06-14 03:45]:
> I'm the IDP in this scenario and the SP is requesting the urn:oid that
> we'll be using as the UUUID. It's not a typical attribute, as it's not in
> the attributemap or any of the other links provided. It is however, the
> best UUUID in our environment. Since it's not in the mapping and I can't
> find it documented elsewhere, must I give up and use a different attribute?

* Joe Tyler <joseph...@gmail.com> [2016-06-14 03:53]:
> The attribute in question is 'extensionAttribute1'.

What role does the string "extensionAttribute1" play here? Is that the
formal/on-the-wire attribute the SP wants you to put in a SAML
Assertion? Then that's the name of the attribute you send.
Or is it the local name of some piece of data you're looking up (at
the IDP) using an LDAP directory or an RDBMS? Then that's what you use
as input to an attributemap call, mapping it to the required
on-the-wire attribute name.

Taking literally what you said so far, the SP requested from you to
send them an attribute named "extensionAttribute1" but with /another/
name they did not tell you and which you can't find. What?!
And they're specifically requesting from you to send them an attribute
with no meaning or definition whatsoever?

This is all very silly.

If the SP is in a position to dictate the name of attributes you have
to generate then that SP should also provide you with that name, i.e.,
the *literal* *string* you should send. Why the guesswork? (And why
should other people now do the guesswork on your behalf?)
They cannot sensibly request a name and not tell you what that name
is.

A quick web search indicates that "extensionAttribute1" is some M$
thing that obviously tries to avoid the need to create custom
attributes in MS-Active Directory (because people fear having to do
that in M$ land, from what I hear). So if you're really asking:

"What OID has Microsoft assigned to their attribute 'extensionAttribute1'?"

then I'd suggest asking that in a forum that deals with Microsoft
stuff, no?
Or searching the web for a schema definition, if M$ publishes that.
(Of course you'd only need to do that if asking the SP what string
they want you to send is not an option, for some weird, inexplicable
reason.)
-peter

Joe Tyler

Jun 14, 2016, 11:51:40 AM
to SimpleSAMLphp, peter....@univie.ac.at
Thanks for the quick responses. extensionAttribute1 is a field in our LDAP directory (which we chose as our UUID), but they are asking for the urn:oid of that attribute which we'll be sending them. I believe we've found the oid for extensionAttribute1 (urn:oid:1.2.840.113556.1.2.423), using an LDAP browser. I've added this in the attributemap.php file. Do you know if there is anything else I must do to make it work with a custom attribute mapping? -- Joe

Peter Schober

Jun 15, 2016, 7:21:10 PM
to SimpleSAMLphp
* Joe Tyler <joseph...@gmail.com> [2016-06-14 17:51]:
> I've added this in the attributemap.php file. Do you know if there
> is anything else I must do to make it work with a custom attribute
> mapping?

Other than? Actually using the attributemap authproc filter would be
one thing (as described previously). Setting the nameformat to uri in
metadata/saml20-idp-hosted.php (or possibly
metadata/saml20-sp-remote.php) another.
-peter

Joe Tyler

Jun 16, 2016, 11:24:17 AM
to SimpleSAMLphp, peter....@univie.ac.at
I added the code below to the saml20-idp-hosted.php file, but I'm not seeing it in my metadata via the web interface. I would assume I should be?

'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
    // Convert LDAP names to oids.
    100 => array('class' => 'core:AttributeMap', 'name2oid'),
),

Peter Schober

Jun 17, 2016, 12:44:43 PM
to SimpleSAMLphp
* Joe Tyler <joseph...@gmail.com> [2016-06-14 17:51]:
> I've added this in the attributemap.php file. Do you know if there
> is anything else I must do to make it work with a custom attribute
> mapping?

How about you try it and tell us whether it works or not.
If it doesn't, clearly stating so wouldn't hurt.

* Joe Tyler <joseph...@gmail.com> [2016-06-16 17:24]:
> I added the code below to the saml20-idp-hosted.php file, but I'm
> not seeing it in my metadata via the web interface. I would assume I
> should be?

No idea whether it should. The important thing though is whether the
filter worked. So does it or not?
-peter
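Added example (not part of the thread, and not SimpleSAMLphp code): the thread ends on "does the filter work?", and the way to answer that is to inspect the assertion the IDP actually emits rather than the metadata page. The script below first emulates what a name-to-OID map does to a set of local attributes, then parses a constructed sample assertion and lists every attribute that is not released under a urn:oid name with the uri NameFormat. The OID for extensionAttribute1 is the value Joe reports finding in an LDAP browser, taken from this thread and not independently verified here; the mail OID is the standard one; the assertion XML, the sample values and the function names are constructed for the example.

```python
"""Check whether an IdP releases attributes under urn:oid names with the
uri NameFormat, which is what a SimpleSAMLphp core:AttributeMap filter
plus 'attributes.NameFormat' should produce. Added example, not
SimpleSAMLphp code; the sample assertion below is constructed."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Local LDAP name -> URI name, in the shape of an SSP attributemap file
# (e.g. attributemap/name2oid.php). The extensionAttribute1 OID is the
# value reported in the thread from an LDAP browser (assumption: check it
# against your own directory schema before relying on it).
NAME2OID = {
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "extensionAttribute1": "urn:oid:1.2.840.113556.1.2.423",
}


def map_names(attributes, mapping=NAME2OID):
    """Emulate what a name->URI attribute map does: attributes whose local
    name is in the map are released under the mapped name; anything else
    passes through under its local name (and so will not satisfy an SP
    that expects OID names)."""
    mapped = {}
    for name, values in attributes.items():
        mapped[mapping.get(name, name)] = list(values)
    return mapped


def find_attribute_problems(assertion_xml):
    """Parse an assertion and return (Name, reason) for every attribute
    that is not an OID URI with the uri NameFormat. An empty list means
    the filter and the NameFormat setting did their job."""
    root = ET.fromstring(assertion_xml)
    problems = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat")
        if fmt != URI_FORMAT:
            problems.append((name, f"NameFormat is {fmt!r}, expected uri"))
        if not name.startswith("urn:oid:"):
            problems.append((name, "Name is not a urn:oid URI (unmapped?)"))
    return problems


# Constructed assertion fragment: one attribute correctly mapped, one that
# slipped through unmapped and with the wrong NameFormat.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
                    NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>jtyler@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="extensionAttribute1"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>0123456789</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    # What the filter is expected to do to the local attribute set.
    print(map_names({"extensionAttribute1": ["0123456789"], "cn": ["Joe"]}))
    # What the SP will complain about in the emitted assertion.
    for name, reason in find_attribute_problems(SAMPLE_ASSERTION):
        print(f"{name}: {reason}")
```

To use it against a real IDP, capture the assertion from the SP side (or from SSP's debug logging) and feed the XML to find_attribute_problems; any attribute it reports is either missing from the map given to the filter or released before the filter ran.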