Versions Compared

Old Version 21

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version Current

changes.mady.by.user David Walker (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Requested attributes in SP metadata are sometimes used by the IdP to make runtime decisions with respect to attribute release. Along with other user interface elements, requested attributes are also used to construct the user consent page at the IdP (if one exists). It is recommended that all SP metadata contain the SP's required and optional attributes, a described in this document.

At runtime, requested attributes may be presented to the user on the consent page. The user will be asked whether or not the requested attributes should be released to the SP, so care should be taken to request only those attributes actually needed by the service.

Image RemovedImage Added

The administrative interface has input fields for one or more requested attributes. By submitting these fields, the administrator adds the corresponding attributes to metadata.

From the drop-down menu labeled Attribute Name, simply choose the desired attribute. If the chosen attribute is eduPersonAffiliation or is eduPersonEntitlement, an optional Attribute Values field will appear. Enter the requested attribute value(s) (if any) separated by commas. Repeat the input process for each requested attribute.

Next to each requested attribute is a checkbox labeled "isRequiredRequired?" . If the the requested attribute is a required attribute, check the checkbox. In If you do that case, an isRequired="true" XML attribute will be inserted into the corresponding <md:RequestedAttribute> element. If the "isRequiredRequired?" checkbox is not checked, an isRequired XML attribute is not inserted into the <md:RequestedAttribute> element.

...

Code Block
xml
xml
<!-- Requested Attributes for InCommon SPs -->
<md:AttributeConsumingService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:ServiceName xml:lang="en">...</md:ServiceName>
  <md:ServiceDescription xml:lang="en">...</md:ServiceDescription>
  <!-- SAML V2.0 attribute syntax -->
  <md:RequestedAttribute isRequired="true"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.16.840.1.113730.3.1.241"
      FriendlyName="displayName"/>
</md:AttributeConsumingService>

...

Note
titleThe isRequired XML Attribute

Note In the above example, note that the (optional) isRequired XML attribute is included on one of the <md:RequestedAttribute> element has been elements but omitted from the other. This is just an example. Indeed, InCommon metadata does not support the isRequired attribute since there is no software that supports this feature in SP You, the deployer, must decide whether or not to include the isRequired XML attribute on any <md:RequestedAttribute> elements in metadata.

The <md:ServiceName> and <md:ServiceDescription> child elements of the <md:AttributeConsumingService> element correspond to the <mdui:DisplayName> and <mdui:Description> child elements of the <mdui:UIInfo> element, respectively. The administrator enters a single pair of values that the software synchronizes across both pairs of elements. See the User Interface Elements topic for more detail about the <mdui:UIInfo> element.

...