An entity attribute is a SAML attribute associated with a SAML entity (an identity provider or a service provider) in metadata. For example, an entity ID is a distinguished entity attribute associated with every SAML entity in metadata.

Like user attributes, entity attributes serve to label, categorize, and distinguish a particular entity in metadata. Some entity attributes are self-asserted while others are asserted by 3rd parties on behalf of the entity. For instance, a federation operator uses entity attributes to "tag" entities in metadata.

Example

Here is an example of an entity attribute you might find in InCommon metadata:

<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

In this case, the name of the attribute is http://macedir.org/entity-category and its value is http://id.incommon.org/category/research-and-scholarship. Like all SAML attributes, an entity attribute may be single-valued or multi-valued. (As it turns out, the above entity attribute is multi-valued.)

Uses

Entity attributes are extremely useful. Operationally, entity attributes are used in policy configurations in lieu of entity IDs. The advantages of doing so are overwhelmingly positive.

Entity attributes are also used to refine the discovery interface. For example, an SP can use a particular entity attribute to filter the list of IdPs presented to the user.