Requested Attributes in Metadata
Technical Details
Standard SAML metadata supports zero or more <md:AttributeConsumingService> elements, each containing one or more <md:RequestedAttribute> elements, in SP metadata. These static elements are used to communicate SP attribute requirements to IdPs.
InCommon metadata supports at most one <md:AttributeConsumingService> element. An example follows:
<!-- Requested Attributes for InCommon SPs -->
<md:AttributeConsumingService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:ServiceName xml:lang="en">...</md:ServiceName>
  <md:ServiceDescription xml:lang="en">...</md:ServiceDescription>

  <!-- SAML V1.1 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:mace:dir:attribute-def:displayName"
      FriendlyName="displayName"/>

  <!-- SAML V2.0 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.16.840.1.113730.3.1.241"
      FriendlyName="displayName"/>
</md:AttributeConsumingService>
Note that two <md:RequestedAttribute> elements are inserted into metadata for every attribute selected from the interface. One of those attributes is a SAML1 attribute while the other is a SAML2 attribute. The IdP will automatically choose one or the other depending on the protocol.
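The two rules above (at most one <md:AttributeConsumingService>, and a SAML1 plus a SAML2 <md:RequestedAttribute> for every attribute) can be checked mechanically before metadata is submitted. The Python below is an added example, not InCommon's own tooling; the sample metadata, its entityID and the function name are constructed for illustration, and it assumes the urn:mace:dir:attribute-def: and urn:oid: name prefixes shown in the example above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NF = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAML1_PREFIX = "urn:mace:dir:attribute-def:"  # SAML V1.1 name form on this page
SAML2_PREFIX = "urn:oid:"                     # SAML V2.0 name form on this page

# Constructed sample: displayName is missing its SAML V1.1 twin.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AttributeConsumingService index="1">
   <md:RequestedAttribute NameFormat="{NF}" FriendlyName="eduPersonPrincipalName"
       Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
   <md:RequestedAttribute NameFormat="{NF}" FriendlyName="eduPersonPrincipalName"
       Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
   <md:RequestedAttribute NameFormat="{NF}" FriendlyName="displayName"
       Name="urn:oid:2.16.840.1.113730.3.1.241"/>
  </md:AttributeConsumingService>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def audit_requested_attributes(metadata_xml):
    """Return (pairs, problems) for SP metadata passed as a string."""
    root = ET.fromstring(metadata_xml)
    services = list(root.iter(f"{{{MD}}}AttributeConsumingService"))
    problems = []
    if len(services) > 1:
        problems.append(f"{len(services)} AttributeConsumingService elements; "
                        "InCommon allows at most one")
    # FriendlyName -> the SAML1 and SAML2 Name values requested for it
    pairs = defaultdict(lambda: {"saml1": None, "saml2": None})
    for svc in services:
        for ra in svc.findall(f"{{{MD}}}RequestedAttribute"):
            name = ra.get("Name", "")
            friendly = ra.get("FriendlyName") or name
            if name.startswith(SAML1_PREFIX):
                pairs[friendly]["saml1"] = name
            elif name.startswith(SAML2_PREFIX):
                pairs[friendly]["saml2"] = name
            else:
                problems.append(f"unrecognised Name form: {name!r}")
    # An attribute with only one form is visible to IdPs on one protocol only.
    problems += [f"{friendly}: no {proto} RequestedAttribute"
                 for friendly, forms in sorted(pairs.items())
                 for proto, value in forms.items() if value is None]
    return dict(pairs), problems

if __name__ == "__main__":
    for line in audit_requested_attributes(SAMPLE)[1]:
        print("WARN", line)
```

Metadata obtained from a federation aggregate should have its signature verified before it is parsed; that step is outside this example.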