The InCommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.



You are viewing an old version of this page (version 17).

Requested Attributes in Metadata

Requested attributes in SP metadata are used by the IdP to make runtime decisions with respect to attribute release. Along with other user interface elements, requested attributes are also used to construct the user consent page at the IdP.

At runtime, requested attributes may be presented to the user on the consent page. The user will be asked whether or not the requested attributes should be released to the SP, so care should be taken to request only those attributes actually needed by the service.

However, there is currently no way to express a choice among attributes ("one of these") or to mark an attribute as optional. SPs should therefore enumerate every attribute their service will make use of and leave the final decision to the IdP, which decides based on what it supports and is willing to release, or delegates the decision to the user. For example, if the SP accepts either "cn" or "displayName", both should be listed.

The administrative interface has input fields for one or more requested attributes. By submitting these fields, the administrator adds the corresponding attributes to metadata.

From the drop-down menu labeled Attribute Name, choose the desired attribute. If the chosen attribute is eduPersonAffiliation, eduPersonEntitlement, or eduPersonScopedAffiliation, an optional Attribute Values field appears; enter the requested attribute value(s), if any. Repeat the input process for each requested attribute.

Once the Save button is pressed, an <md:AttributeConsumingService> element (containing <md:RequestedAttribute> elements) is inserted into your metadata. Two <md:RequestedAttribute> elements will be inserted into metadata for every attribute chosen from the drop-down menu. See below for details.
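As an added example (not part of the original page and not the InCommon software's own code), the following Python builds the same <md:AttributeConsumingService> structure the interface inserts: two <md:RequestedAttribute> elements per chosen attribute, one in SAML1 and one in SAML2 attribute syntax, plus <saml:AttributeValue> children for the three attributes that take requested values. The OIDs for eduPersonPrincipalName and displayName are the ones shown on this page; the remaining OIDs are the standard eduPerson/LDAP registrations. The function names, the sample service name and description, and the use of urn:mace:dir:attribute-def:<FriendlyName> as the SAML1 name for every attribute are assumptions of the example (the page shows that pattern for the two attributes it lists).

```python
# Added example, not InCommon's own code: build the <md:AttributeConsumingService>
# element that the administrative interface inserts for a chosen set of attributes.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
SAML1_FORMAT = "urn:mace:shibboleth:1.0:attributeNamespace:uri"  # SAML V1.1 attribute syntax
SAML2_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # SAML V2.0 attribute syntax
ET.register_namespace("md", MD)
ET.register_namespace("saml", SAML)

# FriendlyName -> OID used in the SAML2 Name. The first two are taken from the page;
# the rest are the standard eduPerson/LDAP OIDs for other attributes the text names.
OIDS = {
    "eduPersonPrincipalName": "1.3.6.1.4.1.5923.1.1.1.6",
    "displayName": "2.16.840.1.113730.3.1.241",
    "eduPersonAffiliation": "1.3.6.1.4.1.5923.1.1.1.1",
    "eduPersonScopedAffiliation": "1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonEntitlement": "1.3.6.1.4.1.5923.1.1.1.7",
    "cn": "2.5.4.3",
}
# Only these attributes get an "Attribute Values" field in the interface.
VALUED = {"eduPersonAffiliation", "eduPersonScopedAffiliation", "eduPersonEntitlement"}


def _requested_attribute(parent, name_format, name, friendly, values):
    # Hypothetical helper name; one <md:RequestedAttribute> in the given syntax.
    ra = ET.SubElement(parent, f"{{{MD}}}RequestedAttribute",
                       NameFormat=name_format, Name=name, FriendlyName=friendly)
    # Requested values (if any) are carried as <saml:AttributeValue> children.
    for value in values:
        ET.SubElement(ra, f"{{{SAML}}}AttributeValue").text = value
    return ra


def build_acs(service_name, service_description, requested, index=1, lang="en"):
    """requested: list of (friendlyName, [values]) pairs as entered in the interface.

    isRequired is deliberately never emitted: InCommon metadata does not use it.
    """
    acs = ET.Element(f"{{{MD}}}AttributeConsumingService", index=str(index))
    ET.SubElement(acs, f"{{{MD}}}ServiceName", {XML_LANG: lang}).text = service_name
    ET.SubElement(acs, f"{{{MD}}}ServiceDescription", {XML_LANG: lang}).text = service_description
    seen = set()
    for friendly, values in requested:
        if friendly not in OIDS:
            raise ValueError(f"unknown attribute {friendly!r}")
        if friendly in seen:
            raise ValueError(f"{friendly} requested twice")
        if values and friendly not in VALUED:
            raise ValueError(f"{friendly} does not take requested values")
        seen.add(friendly)
        # One element per attribute syntax, so an IdP finds a match for either protocol.
        _requested_attribute(acs, SAML1_FORMAT,
                             f"urn:mace:dir:attribute-def:{friendly}", friendly, values)
        _requested_attribute(acs, SAML2_FORMAT, f"urn:oid:{OIDS[friendly]}", friendly, values)
    return acs


def acs_to_xml(acs):
    """Serialise with the md:/saml: prefixes used in InCommon metadata."""
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(acs)
    return ET.tostring(acs, encoding="unicode")


if __name__ == "__main__":
    # Constructed input: what an administrator might enter in the interface.
    acs = build_acs("Example Service", "A constructed example service",
                    [("eduPersonPrincipalName", []),
                     ("eduPersonAffiliation", ["member", "student"])])
    print(acs_to_xml(acs))
```

Running the block prints four <md:RequestedAttribute> elements for the two chosen attributes, with the two requested affiliation values repeated under both forms of eduPersonAffiliation; attempting to attach values to an attribute other than the three that take them raises an error, mirroring the interface, which only offers the field for those three.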

Technical Details

The SAML V2.0 Metadata specification (one of the SAML V2.0 family of specifications) supports zero or more <md:AttributeConsumingService> elements each containing one or more <md:RequestedAttribute> elements in SP metadata. These static elements are used to communicate SP attribute requirements to IdPs.

InCommon metadata supports at most one <md:AttributeConsumingService> element. An example follows:

<!-- Requested Attributes for InCommon SPs -->
<md:AttributeConsumingService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:ServiceName xml:lang="en">...</md:ServiceName>
  <md:ServiceDescription xml:lang="en">...</md:ServiceDescription>
  <!-- SAML V1.1 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
      Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
      Name="urn:mace:dir:attribute-def:displayName"
      FriendlyName="displayName"/>
  <!-- SAML V2.0 attribute syntax -->
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      FriendlyName="eduPersonPrincipalName"/>
  <md:RequestedAttribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.16.840.1.113730.3.1.241"
      FriendlyName="displayName"/>
</md:AttributeConsumingService>

Note that two <md:RequestedAttribute> elements are inserted into metadata for every attribute selected from the interface: one uses SAML1 attribute naming (NameFormat urn:mace:shibboleth:1.0:attributeNamespace:uri) and the other SAML2 naming (NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:uri). The IdP automatically uses whichever form matches the protocol in use.

The isRequired XML Attribute

Note that the (optional) isRequired XML attribute on the <md:RequestedAttribute> element has been omitted from the example. InCommon metadata does not support the isRequired attribute, since no IdP software currently acts on it when consuming SP metadata; setting it would therefore have no effect on what an IdP releases.

The <md:ServiceName> and <md:ServiceDescription> child elements of the <md:AttributeConsumingService> element correspond to the <mdui:DisplayName> and <mdui:Description> child elements of the <mdui:UIInfo> element, respectively. The administrator enters a single pair of values that the software synchronizes across both pairs of elements. See the User Interface Elements topic for more detail about the <mdui:UIInfo> element.
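As an added example (not part of the original page and not InCommon's own tooling), the following Python checks an SP's metadata against the rules described in this section: at most one <md:AttributeConsumingService>, every FriendlyName present in both the SAML1 and SAML2 forms with the expected Name patterns, no isRequired attribute, and <md:ServiceName>/<md:ServiceDescription> matching <mdui:DisplayName>/<mdui:Description> per language. The sample metadata is constructed for the example and deliberately contains two errors (a SAML2-only displayName carrying isRequired); the entityID, service text and function names are assumptions of the example.

```python
# Added example, not InCommon's own code: lint the requested-attributes section of
# SP metadata against the conventions described on this page.
import xml.etree.ElementTree as ET
from collections import defaultdict

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
SAML1_FORMAT = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
SAML2_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def check_requested_attributes(metadata_xml):
    """Return a list of human-readable findings; an empty list means no problems."""
    findings = []
    root = ET.fromstring(metadata_xml)
    acs_list = root.findall(f".//{{{MD}}}AttributeConsumingService")
    if len(acs_list) > 1:
        findings.append(f"{len(acs_list)} AttributeConsumingService elements; "
                        "InCommon supports at most one")
    for acs in acs_list:
        forms = defaultdict(set)  # FriendlyName -> set of NameFormats seen
        for ra in acs.findall(f"{{{MD}}}RequestedAttribute"):
            friendly = ra.get("FriendlyName") or ra.get("Name")
            if ra.get("isRequired") is not None:
                findings.append(f"{friendly}: isRequired is not supported in InCommon metadata")
            fmt = ra.get("NameFormat")
            name = ra.get("Name", "")
            forms[friendly].add(fmt)
            if fmt == SAML1_FORMAT:
                # The page's SAML1 names all follow urn:mace:dir:attribute-def:<FriendlyName>.
                if name != f"urn:mace:dir:attribute-def:{friendly}":
                    findings.append(f"{friendly}: unexpected SAML1 Name {name}")
            elif fmt == SAML2_FORMAT:
                if not name.startswith("urn:oid:"):
                    findings.append(f"{friendly}: SAML2 Name should be an OID URN, got {name}")
            else:
                findings.append(f"{friendly}: unknown NameFormat {fmt}")
        # The interface always emits both forms for every chosen attribute.
        for friendly, fmts in forms.items():
            if fmts != {SAML1_FORMAT, SAML2_FORMAT}:
                findings.append(f"{friendly}: expected both SAML1 and SAML2 forms, "
                                f"found {sorted(f or '' for f in fmts)}")
        # ServiceName/ServiceDescription are synchronised with mdui:DisplayName/Description.
        for md_tag, ui_tag in (("ServiceName", "DisplayName"),
                               ("ServiceDescription", "Description")):
            md_vals = {e.get(XML_LANG): (e.text or "").strip()
                       for e in acs.findall(f"{{{MD}}}{md_tag}")}
            ui_vals = {e.get(XML_LANG): (e.text or "").strip()
                       for e in root.findall(f".//{{{MDUI}}}UIInfo/{{{MDUI}}}{ui_tag}")}
            if md_vals != ui_vals:
                findings.append(f"md:{md_tag} {md_vals} does not match mdui:{ui_tag} {ui_vals}")
    return findings


# Constructed sample SP metadata (not real InCommon metadata). The third
# RequestedAttribute is deliberately wrong: SAML2 form only, and isRequired set.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:mdui="{MDUI}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
        <mdui:Description xml:lang="en">A constructed example</mdui:Description>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:ServiceDescription xml:lang="en">A constructed example</md:ServiceDescription>
      <md:RequestedAttribute NameFormat="{SAML1_FORMAT}"
          Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
          FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute NameFormat="{SAML2_FORMAT}"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName"/>
      <md:RequestedAttribute NameFormat="{SAML2_FORMAT}"
          Name="urn:oid:2.16.840.1.113730.3.1.241"
          FriendlyName="displayName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for finding in check_requested_attributes(SAMPLE_SP_METADATA):
        print("-", finding)
```

Run against the sample, the checker reports exactly the two planted problems for displayName (isRequired present; SAML1 form missing) and nothing for eduPersonPrincipalName or the service name and description, which match their mdui counterparts.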

Software Support

uApprove 2.2 (and later) consumes the <md:AttributeConsumingService> element (containing <md:RequestedAttribute> elements) in SP metadata. The requested attributes in metadata are displayed to the user on the consent page.
