The <AttributeConsumingService> element is contained in the <SPSSODescriptor> element and provides information to identity providers for various purposes, primarily related to user awareness of and consent for attribute release. In particular the <RequestedAttribute> element provides the specific attributes that may be requested by the SP. (Note that this does not prohibit the service provider from requesting other attributes. It does, however, enable an IdP to apply policy to such requests and refuse to release other attributes or ask the user for consent.)
<ServiceName><ServiceDescription><RequestedAttribute>
Example:
<AttributeConsumingService index="1">
<ServiceName xml:lang="en">Example Project</ServiceName>
<ServiceDescription xml:lang="en">Server for Example Project</ServiceDescription>
<RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</AttributeConsumingService> |
See SP SSO Settings (SPSSODescriptor) for more information.