On 10/4/12 4:58 PM, "Sam Hartman" <hartmans(_at_)painless-security(_dot_)com>
wrote:
Any advice from the SAML community on responding to the following
comment from Simon:
If the value is not simple or is empty, then the raw value(s) of the
GSS name attribute MUST be the well-formed serialization of the
<saml:AttributeValue> element(s) encoded as UTF-8. The "display"
values are implementation-defined.
Question: what serialization is intended here? An example here would
make this more clear.
I think that was my text, possibly. I just meant that it's the XML
representation of the element, but well-formed, meaning that you have to
make sure any namespaces are declared, etc. so that if a parser were to
parse that serialization, it would be well-formed XML.
Like, say, this:
<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                 Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                 FriendlyName="eduPersonTargetedID">
    <saml2:AttributeValue>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idp.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">
            84e411ea-7daa-4a57-bbf6-b5cc52981b73
        </saml2:NameID>
    </saml2:AttributeValue>
</saml2:Attribute>
That's not a simple XML content model. So one such serialization is:
<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">
        84e411ea-7daa-4a57-bbf6-b5cc52981b73
    </saml2:NameID>
</saml2:AttributeValue>
This is NOT the same as canonicalization of course. It's just well-formed
and is one of many possible serializations that would meet the requirement.
I suspect an example for the spec might be simpler. I just didn't have an
example of a complex value to hand, other than that case.
-- Scott
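As an added example (not part of the thread, and not code from any of the participants or from a SAML implementation), the following Python sketch implements the rule discussed above: a text-only AttributeValue passes through as UTF-8 text, while anything else (element content, or an empty element) is serialized on its own with the namespace declarations it needs, so a parser handed only those bytes sees well-formed XML. "Simple" is assumed here to mean text-only content with no child elements; the sample AttributeStatement, the mail attribute and the empty attribute are constructed for the example. The canonical() helper only illustrates Scott's point that such a serialization is not a canonical form, so two raw values for the same attribute should not be compared byte-for-byte.

```python
import copy
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Register the prefix so serialized fragments declare it as "saml2" rather than "ns0".
ET.register_namespace("saml2", SAML2_NS)

# Constructed sample: the eduPersonTargetedID value from the thread, plus a simple
# string-valued attribute and an empty one for contrast (not from any real IdP).
SAMPLE_ATTRIBUTES = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
    <saml2:AttributeValue>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                    NameQualifier="https://idp.example.org/idp/shibboleth"
                    SPNameQualifier="https://sp.example.org/shibboleth">84e411ea-7daa-4a57-bbf6-b5cc52981b73</saml2:NameID>
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <saml2:AttributeValue>alice@example.org</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:example:constructed-empty" FriendlyName="emptyExample">
    <saml2:AttributeValue/>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def is_simple(value_elem):
    """Assumption: a 'simple' value has text content and no child elements."""
    return len(value_elem) == 0 and (value_elem.text or "").strip() != ""


def raw_gss_values(attribute_elem):
    """Return the raw GSS name-attribute value(s) for one saml2:Attribute as bytes."""
    raws = []
    for value in attribute_elem.findall(f"{{{SAML2_NS}}}AttributeValue"):
        if is_simple(value):
            raws.append(value.text.strip().encode("utf-8"))
            continue
        # Serialize the AttributeValue on its own. ElementTree emits the xmlns
        # declarations the subtree uses on the outermost element, which is what
        # makes the fragment well-formed when parsed in isolation. The copy drops
        # the element's tail text so no stray whitespace follows the root element.
        standalone = copy.deepcopy(value)
        standalone.tail = None
        raws.append(ET.tostring(standalone, encoding="utf-8"))
    return raws


def reparse(raw):
    """Check that a raw value is well-formed XML by parsing it in isolation."""
    return ET.fromstring(raw)


def canonical(raw):
    """C14N 2.0 form of a raw XML value (xml.etree.ElementTree.canonicalize, Python 3.8+).
    Shown only to make the point that a well-formed serialization is not canonical."""
    return ET.canonicalize(raw.decode("utf-8"), strip_text=True).encode("utf-8")


def attribute_by_friendly_name(statement, friendly_name):
    for attr in statement.findall(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("FriendlyName") == friendly_name:
            return attr
    raise KeyError(friendly_name)


def raw_values_for(friendly_name):
    """Parse the constructed sample and return the raw values of one attribute."""
    statement = ET.fromstring(SAMPLE_ATTRIBUTES)
    return raw_gss_values(attribute_by_friendly_name(statement, friendly_name))


if __name__ == "__main__":
    for name in ("eduPersonTargetedID", "mail", "emptyExample"):
        for raw in raw_values_for(name):
            print(f"{name}: {raw!r}")
```

Because ET.tostring with encoding="utf-8" emits no XML declaration, the output is a bare element with its xmlns declaration, matching the shape of the serialization in the message above; the whitespace and short empty-element syntax it keeps are exactly the things a canonicalizer would rewrite.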