Questions about returning roles in the Assertion

Cantor, Scott cantor.2 at
Thu Aug 30 21:42:31 EDT 2012

On 8/30/12 9:14 PM, "Yaowen Tu" <yaowen.tu at> wrote:

>What if in the LDAP it also has role definitions, and defined which users
>belong to which roles. Would it be possible to retrieve a list of roles
>of a particular user?

Not unless you store the role definitions inside the user objects using
isMemberOf or something, or add a connector that queries some attribute of
the role objects using filters based on the userid. I think the normal
approach is to store both ways. Users carry their groups and groups
contain their users, and something else maintains both.

>I am not very familiar with LDAP, so I hope that people in this list have
>done similar things before.

If you're not familiar with it, I'd avoid it, personally. Use a database
if that's what you're comfortable with.

>2) This is more of a general or best practice question: Is it common to
>include role information in the Assertion?

Yes, unless you're from the Burton Group apparently. I just sat through a
presentation today wherein I was told authoritatively that SAML wasn't
designed to carry authorization attributes. Imagine my surprise.

>For existing IdP providers especially those enterprise applications,
>what kind of information is usually included in the Assertion?

It varies widely. Some deployments are purely built on simple identity
data and some include a lot of information beyond that.

-- Scott
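The two resolution strategies Scott describes (roles carried on the user object via isMemberOf, versus a connector that searches group objects with a filter on the user's identity), plus the check that "something else maintains both" is actually keeping them in step, as an added example that is not part of the original thread. The attribute and objectClass names, the DNs and the in-memory entries are constructed stand-ins for real LDAP search results.

```python
"""Resolve a user's roles from LDAP two ways (user-side isMemberOf vs. a
search over group objects by member) and check that the two views agree.
Entries are a constructed in-memory stand-in for directory search results."""

def norm_dn(dn):
    """Normalise a DN for comparison: case-insensitive, no space around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def roles_from_user(entries, user_dn, attr="isMemberOf"):
    """Strategy 1: role DNs stored on the user object itself."""
    return {norm_dn(g) for g in entries[user_dn].get(attr, [])}

def roles_from_groups(entries, user_dn, member_attr="member"):
    """Strategy 2: what a connector filtering group objects on
    (member=<user DN>) would return; only group entries are considered."""
    target = norm_dn(user_dn)
    return {norm_dn(dn) for dn, a in entries.items()
            if "groupOfNames" in a.get("objectClass", [])
            and target in {norm_dn(m) for m in a.get(member_attr, [])}}

def membership_drift(entries):
    """Pairs where forward and reverse membership disagree, i.e. where
    whatever maintains both sides has fallen behind."""
    drift = set()
    for dn, a in entries.items():
        if "inetOrgPerson" not in a.get("objectClass", []):
            continue
        fwd, rev = roles_from_user(entries, dn), roles_from_groups(entries, dn)
        drift |= {(norm_dn(dn), g, "group_lacks_member") for g in fwd - rev}
        drift |= {(norm_dn(dn), g, "user_lacks_isMemberOf") for g in rev - fwd}
    return drift

PEOPLE, GROUPS = "ou=people,dc=example,dc=org", "ou=groups,dc=example,dc=org"
# Constructed sample: alice is consistent; bob's admins membership exists only
# on the group side (note the differently-cased DN); carol claims a role that
# no group object grants.
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": ["inetOrgPerson"],
        "isMemberOf": [f"cn=admins,{GROUPS}", f"cn=staff,{GROUPS}"]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["inetOrgPerson"],
        "isMemberOf": [f"cn=staff,{GROUPS}"]},
    f"uid=carol,{PEOPLE}": {"objectClass": ["inetOrgPerson"],
        "isMemberOf": [f"cn=auditors,{GROUPS}"]},
    f"cn=admins,{GROUPS}": {"objectClass": ["groupOfNames"],
        "member": [f"uid=alice,{PEOPLE}", "UID=bob, OU=people, DC=example, DC=org"]},
    f"cn=staff,{GROUPS}": {"objectClass": ["groupOfNames"],
        "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
}
```

Whichever side an IdP releases from, the drift report is the list of users whose asserted roles would differ depending on which strategy the connector used.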
