...
Requested attributes in SP metadata are sometimes used by the IdP to make runtime decisions with respect to attribute release. Along with other user interface elements, requested attributes are also used to construct the user consent page at the IdP (if one exists).
At runtime, requested attributes may be presented to the user on the consent page. The user will be asked whether or not the requested attributes should be released to the SP, so care should be taken to request only those attributes actually needed by the service.
...
From the drop-down menu labeled Attribute Name, simply choose the desired attribute. If the chosen attribute is eduPersonAffiliation
, or eduPersonEntitlement
, or eduPersonScopedAffiliation
, an optional Attribute Values field will appear. Enter the requested attribute value(s) (if any) separated by commas. Repeat the input process for each requested attribute.
Once the Save button is pressed, an <md:AttributeConsumingService>
element (containing <md:RequestedAttribute>
elements) is inserted into your metadata. Two One <md:RequestedAttribute>
elements element will be inserted into metadata for every attribute chosen from the drop-down menu. See below for details.
...
InCommon metadata supports at most one <md:AttributeConsumingService>
element. An example follows:
Code Block | ||||
---|---|---|---|---|
| ||||
<!-- Requested Attributes for InCommon SPs --> <md:AttributeConsumingService index="1" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <md:ServiceName xml:lang="en">...</md:ServiceName> <md:ServiceDescription xml:lang="en">...</md:ServiceDescription> <!-- SAML V1.1 attribute syntax --> <md:RequestedAttribute NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" FriendlyName="eduPersonPrincipalName"/> <md:RequestedAttribute NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri" Name="urn:mace:dir:attribute-def:displayName" FriendlyName="displayName"/> <!-- SAML V2.0 attribute syntax --> <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/> <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/> </md:AttributeConsumingService> |
Note that two one <md:RequestedAttribute>
elements are element is inserted into metadata for every attribute selected from the interface. One of those attributes is a SAML1 attribute while the other Each <md:RequestedAttribute>
element inserted into metadata is a SAML2 attribute. The IdP will automatically choose one or the other depending on the protocol used-formatted attribute. SAML1-formatted <md:RequestedAttribute>
elements in metadata are not supported.
Note | ||
---|---|---|
| ||
Note that the (optional) |
...