...

Requested attributes in SP metadata are sometimes used by the IdP to make runtime decisions with respect to attribute release. Along with other user interface elements, requested attributes are also used to construct the user consent page at the IdP (if one exists).

At runtime, requested attributes may be presented to the user on the consent page. The user will be asked whether or not the requested attributes should be released to the SP, so care should be taken to request only those attributes actually needed by the service.

...

From the drop-down menu labeled Attribute Name, simply choose the desired attribute. If the chosen attribute is eduPersonAffiliation, eduPersonEntitlement, or eduPersonScopedAffiliation, an optional Attribute Values field will appear. Enter the requested attribute value(s) (if any) separated by commas. Repeat the input process for each requested attribute.

Once the Save button is pressed, an <md:AttributeConsumingService> element (containing <md:RequestedAttribute> elements) is inserted into your metadata. One <md:RequestedAttribute> element will be inserted into metadata for every attribute chosen from the drop-down menu. See below for details.

...

InCommon metadata supports at most one <md:AttributeConsumingService> element. An example follows:


<!-- Requested Attributes for InCommon SPs -->
<md:AttributeConsumingService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:ServiceName xml:lang="en">...</md:ServiceName>
  <md:ServiceDescription xml:lang="en">...</md:ServiceDescription>
  <!-- SAML V1.1 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
      Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
      Name="urn:mace:dir:attribute-def:displayName"
      FriendlyName="displayName"/>
  <!-- SAML V2.0 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.16.840.1.113730.3.1.241"
      FriendlyName="displayName"/>
</md:AttributeConsumingService>

Note that one <md:RequestedAttribute> element is inserted into metadata for every attribute selected from the interface. Each <md:RequestedAttribute> element inserted into metadata is a SAML2-formatted attribute. SAML1-formatted <md:RequestedAttribute> elements in metadata are not supported.

Note: The isRequired XML Attribute

Note that the (optional) isRequired XML attribute on the <md:RequestedAttribute> element has been omitted from the example. Indeed, InCommon metadata does not support the isRequired attribute since there is no software that supports this feature in SP metadata.
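The three constraints stated on this page (at most one <md:AttributeConsumingService> element, SAML2-formatted <md:RequestedAttribute> elements only, and no isRequired XML attribute) are easy to check mechanically before submitting metadata. The following Python script is an added example written for this page; it is not part of the InCommon documentation or tooling. It uses only the standard library, and the sample EntityDescriptor embedded in it is constructed for illustration (the entityID and ServiceName are placeholders, while the attribute names and NameFormat URIs are those shown in the example above).

```python
import xml.etree.ElementTree as ET

# SAML metadata namespace and the two NameFormat URIs that appear on this page
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAML1_URI_FORMAT = "urn:mace:shibboleth:1.0:attributeNamespace:uri"


def check_requested_attributes(metadata_xml: str) -> list:
    """Return a list of human-readable findings for the requested-attribute
    rules described on this page. An empty list means the metadata passes."""
    root = ET.fromstring(metadata_xml)
    findings = []

    acs_list = root.findall(f".//{{{MD_NS}}}AttributeConsumingService")
    if len(acs_list) > 1:
        findings.append(
            f"{len(acs_list)} AttributeConsumingService elements found; "
            "InCommon metadata supports at most one"
        )

    for acs in acs_list:
        for ra in acs.findall(f"{{{MD_NS}}}RequestedAttribute"):
            name = ra.get("Name", "<missing Name>")
            fmt = ra.get("NameFormat")
            if fmt == SAML1_URI_FORMAT:
                findings.append(f"{name}: SAML1-formatted RequestedAttribute is not supported")
            elif fmt != SAML2_URI_FORMAT:
                findings.append(f"{name}: unexpected NameFormat {fmt!r}")
            if ra.get("isRequired") is not None:
                findings.append(f"{name}: isRequired attribute is not supported in InCommon metadata")

    return findings


# Constructed sample: one SAML1-formatted element and one element carrying
# isRequired, both of which the page says are unsupported.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service (placeholder)</md:ServiceName>
      <md:RequestedAttribute
          NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
          Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
          FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.16.840.1.113730.3.1.241"
          FriendlyName="displayName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample that follows the page's rules: SAML2 format only, no isRequired.
CLEAN_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service (placeholder)</md:ServiceName>
      <md:RequestedAttribute
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.16.840.1.113730.3.1.241"
          FriendlyName="displayName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_METADATA), ("clean", CLEAN_METADATA)):
        result = check_requested_attributes(doc)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the first sample the check reports two findings (the SAML1-formatted eduPersonPrincipalName element and the isRequired attribute on displayName); the second sample passes. Feed it the <md:EntityDescriptor> you intend to submit to confirm it contains a single <md:AttributeConsumingService> whose requested attributes are all SAML2-formatted.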

...