Thursday, July 26, 2007

New SAML V2.0 X.500/LDAP Attribute Profile


There's a new version of the SAML V2.0 X.500/LDAP Attribute Profile. It can also be found on the TC homepage under Additional Profiles, Bindings, and Extensions Being Produced by the SSTC. The document has been through a 60-day review that ended on March 7 2007, approximately 2.5 months ago (the document carries the date 19 December 2006 both in the text and in the PDF document properties).

Now why on earth is there a new version, and what's wrong with the old one? The SAML V2.0 Errata - Approved Errata Committee Draft 02, 22 May 2007, is where to look. But before going into the errata: why couldn't this be fixed with normal errata, rather than needing a complete new version? The errata document states:

As required by the OASIS Technical Committee Process, the approved errata represent changes that are not “substantive”. The changes focus on clarifications to ambiguous or conflicting specification text, where different compliant implementations might have reasonably chosen different interpretations. The intent of the Security Services TC has been to resolve such issues in service of improved interoperability based on implementation and deployment experience.

Extending this, the TC must think there is a need for substantive changes. A rewritten document is nice, though, so that newcomers don't need to trawl the errata. At first I couldn't really figure out what was new or wrong, because the errata lists three issues with the X.500/LDAP Attribute Profile:

  • E39: Error in SAML Profile Example
  • E48: Clarification on Encoding for Binary Values in LDAP Profile
  • E53: Correction to LDAP/X.500 Profile Attribute

where the last issue deprecates [SAMLProf] Section 8.2 (lines 1677-1799). The note on E53 says "This attribute profile is deprecated because of a flaw that makes it schema-invalid", ahem, but what exactly is the flaw? I started with a general search but found nothing, then I looked at the public mail archives in the hope that it would have been described there, but found nothing there either. Then I started to make sense of it when I looked at the other two issues.

The issue E39: Error in SAML Profile Example is weird in itself. It is filed under the XACML Attribute Profile but shows that a single SAML attribute can conform to multiple attribute profiles when they are compatible with each other. To be honest this sounds confusing to me, but I haven't really dug into the deeper knowledge of attribute profiles, and that's something I look forward to. The example is in the profiles specification, but the namespace it uses for the X.500/LDAP Attribute Profile is wrong: it's not urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP but urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500. That aside, the point should be to place the Encoding attribute from the X.500/LDAP Attribute Profile on the correct element, but the example does exactly the opposite by placing it on saml:AttributeValue.

The second issue, E48: Clarification on Encoding for Binary Values in LDAP Profile, is a clarification for non-UTF-8 encoded LDAP attributes, but that could be fixed with an updated paragraph. So what is the flaw in E53?

It wasn't until I discovered the non-normative “errata composite” profiles document that I became sure. The problem is in the paragraph:

To represent the encoding rules in use for a particular attribute value, the <AttributeValue> element contains an XML attribute named Encoding defined in the XML namespace urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500. (See [E53] for an issue with this attribute.)

It's sort of inconsistent that the example isn't annotated as well, but the original example (prepared for direct XML Schema validation) in section 8.2.6 gives the following validation error with Xerces:

cvc-type.3.1.1: Element 'saml:AttributeValue' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'x500:Encoding' was found.

Xerces doesn't allow the Encoding attribute on the AttributeValue element. In the assertion schema, <AttributeValue> is declared as

<element name="AttributeValue" type="anyType" nillable="true"/>

The element content is flexible since it's of anyType, but there is no extensibility for attributes, whereas the <Attribute> element is defined as:

<element name="Attribute" type="saml:AttributeType"/>
<complexType name="AttributeType">
   <sequence>
      <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
   </sequence>
   <attribute name="Name" type="string" use="required"/>
   <attribute name="NameFormat" type="anyURI" use="optional"/>
   <attribute name="FriendlyName" type="string" use="optional"/>
   <anyAttribute namespace="##other" processContents="lax"/>
</complexType>

Here there is room for extra attributes via <anyAttribute>. The updated example from the new document does validate:

<?xml version="1.0" encoding="utf-8"?>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
   Name="urn:oid:2.5.4.42"
   FriendlyName="givenName"
   x500:Encoding="LDAP"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
   xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
   urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500 http://docs.oasis-open.org/security/saml/v2.0/saml-schema-x500-2.0.xsd">
  <saml:AttributeValue xsi:type="xsd:string">Steven</saml:AttributeValue>
</saml:Attribute>
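To reproduce the schema behaviour behind E53 without the full schema set, here is an added example (my code, not from the post or the SSTC). It builds a cut-down schema containing only the two declarations quoted above, validates a constructed copy of the deprecated 8.2.6 form (x500:Encoding on <AttributeValue>) and of the corrected form (x500:Encoding on <Attribute>), and adds a schema-free placement check that a consumer can use to flag the deprecated form. Assumptions: the rest of the assertion schema is irrelevant to this rule, the X500 profile schema is not loaded (so the ##other/lax wildcard on <Attribute> skips x500:Encoding rather than checking its declaration), and lxml (libxml2) is used instead of Xerces, so the error text differs from the message quoted above. Note that it is the mandatory xsi:type="xsd:string" that makes the validator treat <AttributeValue> as a simple type and reject any non-xsi attribute on it.

```python
"""Validate the deprecated and corrected X.500/LDAP attribute examples against a
cut-down assertion schema (added example; constructed inputs; lxml, not Xerces)."""
from typing import List, Optional

from lxml import etree

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
X500_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed: only the two declarations the post quotes from saml-schema-assertion-2.0.xsd.
MINI_ASSERTION_XSD = f"""<schema xmlns="{XSD_NS}" targetNamespace="{SAML_NS}"
    xmlns:saml="{SAML_NS}" elementFormDefault="unqualified" attributeFormDefault="unqualified">
  <element name="AttributeValue" type="anyType" nillable="true"/>
  <element name="Attribute" type="saml:AttributeType"/>
  <complexType name="AttributeType">
    <sequence>
      <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="Name" type="string" use="required"/>
    <attribute name="NameFormat" type="anyURI" use="optional"/>
    <attribute name="FriendlyName" type="string" use="optional"/>
    <anyAttribute namespace="##other" processContents="lax"/>
  </complexType>
</schema>"""

COMMON_ATTRS = (
    f'xmlns:saml="{SAML_NS}" xmlns:x500="{X500_NS}" xmlns:xsi="{XSI_NS}" xmlns:xsd="{XSD_NS}" '
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" '
    'Name="urn:oid:2.5.4.42" FriendlyName="givenName"'
)

# Constructed after the post's description of the deprecated 8.2.6 example:
# x500:Encoding sits on <AttributeValue>, whose xsi:type="xsd:string" makes it a
# simple type that may carry no attributes outside the xsi namespace.
DEPRECATED = f"""<saml:Attribute {COMMON_ATTRS}>
  <saml:AttributeValue xsi:type="xsd:string" x500:Encoding="LDAP">Steven</saml:AttributeValue>
</saml:Attribute>"""

# Constructed after the corrected example: x500:Encoding on <Attribute>, where the
# ##other attribute wildcard admits it.
CORRECTED = f"""<saml:Attribute x500:Encoding="LDAP" {COMMON_ATTRS}>
  <saml:AttributeValue xsi:type="xsd:string">Steven</saml:AttributeValue>
</saml:Attribute>"""

_SCHEMA = etree.XMLSchema(etree.fromstring(MINI_ASSERTION_XSD.encode("utf-8")))


def validate_attribute(xml_text: str) -> List[str]:
    """Validate one <saml:Attribute>; return libxml2 messages (empty list means valid)."""
    doc = etree.fromstring(xml_text.encode("utf-8"))
    _SCHEMA.validate(doc)
    return [entry.message for entry in _SCHEMA.error_log]


def encoding_placement(xml_text: str) -> Optional[str]:
    """Report which element carries x500:Encoding, without any schema.

    Returns 'Attribute', 'AttributeValue' (the deprecated placement), or None.
    A consumer that does not run full schema validation can still use this to
    reject or log attributes emitted under the deprecated profile text.
    """
    root = etree.fromstring(xml_text.encode("utf-8"))
    encoding_key = f"{{{X500_NS}}}Encoding"
    if encoding_key in root.attrib:
        return "Attribute"
    for value in root.iterfind(f"{{{SAML_NS}}}AttributeValue"):
        if encoding_key in value.attrib:
            return "AttributeValue"
    return None


if __name__ == "__main__":
    for label, doc in (("deprecated", DEPRECATED), ("corrected", CORRECTED)):
        errors = validate_attribute(doc)
        print(f"{label}: x500:Encoding on <{encoding_placement(doc)}> ->",
              "valid" if not errors else errors[0])
```

Running the script prints one line per form: the deprecated one fails with libxml2's equivalent of cvc-type.3.1.1 (the attribute is not allowed on a simple-type element), the corrected one validates. The placement check is deliberately schema-free so it can run on an inbound assertion before, or instead of, a full XSD validation pass.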

So in summary, the original profile dictates that the attribute be placed on the wrong element, and the example follows it. This is corrected in the new document, but I can't see why this couldn't be treated with normal errata; that must be due to the OASIS guidelines. The original XACML example should be corrected as well, including the erroneous namespace, to give a valid XACML Attribute Profile example:

<?xml version="1.0" encoding="UTF-8"?>
<saml:Attribute
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
  x500:Encoding="LDAP"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:2.5.4.42"
  FriendlyName="givenName"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
  urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML http://docs.oasis-open.org/security/saml/v2.0/saml-schema-xacml-2.0.xsd
  urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500 http://docs.oasis-open.org/security/saml/v2.0/saml-schema-x500-2.0.xsd">
  <saml:AttributeValue xsi:type="xs:string">By-Tor</saml:AttributeValue>
</saml:Attribute>
