
How to configure Custom Attributes in SP metadata

I came to know that in any SSO Solution if SP needs any additional attributes it can publish them in its metadata using AttributeConsumingService argument. The required attributes can now be added as below:

<md:AttributeConsumingService index="0"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:ServiceName xml:lang="en">ABC</md:ServiceName>
  <md:ServiceDescription xml:lang="en">ABC</md:ServiceDescription>
  <md:RequestedAttribute isRequired="true"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.5.4.42"
      FriendlyName="FirstName"/>
</md:AttributeConsumingService>

Now, if I want to add a custom attribute in my SP metadata, let's say "Role" of a user, how should I add it in the metadata? I mean, what would be its Name (this is what I'm unable to find!), NameFormat (is it urn:oasis:names:tc:SAML:2.0:attrname-format:uri?) and FriendlyName (can I give it as "Role" here?). I've not found anything related to this in the SAML2Core document.

Any suggestions please!

Thanks,

Abhilash

abhilash asked Apr 28 '14 07:04



1 Answer

There is no universal answer as it depends on which IDP/federation you use and what is supported by it.

Generally, the friendly name is just a human-readable identifier for the attribute and the value can be freely defined.

The NameFormat and Name are defined based on the Attribute Profile used by your IDP (e.g. Basic profile, X.500/LDAP profile, ...). The expected values can be found in chapter 8 of the SAML 2.0 Profiles document.

You can find an example of how this is employed in practice for, e.g., the InCommon federation in their documentation.

Vladimír Schäfer answered Sep 30 '22 16:09
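As an added example (not code from the question or the answer), the Python script below builds the AttributeConsumingService with the FirstName attribute from the question plus a custom Role attribute, and then checks an incoming assertion for the required attributes by Name and NameFormat rather than by FriendlyName alone. The attribute name "Role", the choice of the Basic profile for it, and the sample assertion are assumptions; as the answer says, the IdP's attribute profile decides the real values.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XML_NS = "http://www.w3.org/XML/1998/namespace"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"      # X.500/LDAP profile
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  # Basic profile
FMT_UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("md", MD)
ET.register_namespace("saml", SAML)

# (Name, NameFormat, FriendlyName, isRequired). FirstName is the OID from the
# question; "Role" under the Basic profile is an assumed placeholder name.
REQUESTED = [
    ("urn:oid:2.5.4.42", FMT_URI, "FirstName", True),
    ("Role", FMT_BASIC, "Role", True),
]

def build_acs(index=0, service_name="ABC"):
    """Serialise the SP's <md:AttributeConsumingService> for REQUESTED."""
    acs = ET.Element(f"{{{MD}}}AttributeConsumingService", {"index": str(index)})
    sn = ET.SubElement(acs, f"{{{MD}}}ServiceName", {f"{{{XML_NS}}}lang": "en"})
    sn.text = service_name
    for name, fmt, friendly, required in REQUESTED:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", {
            "Name": name, "NameFormat": fmt, "FriendlyName": friendly,
            "isRequired": "true" if required else "false"})
    return ET.tostring(acs, encoding="unicode")

def missing_required(assertion_xml):
    """Return (Name, NameFormat) of required attributes the assertion lacks.
    Matching on Name *and* NameFormat: a "Role" released under another
    profile, or released with no value, does not satisfy the requirement."""
    root = ET.fromstring(assertion_xml)
    present = set()
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if any(v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")):
            present.add((attr.get("Name"), attr.get("NameFormat", FMT_UNSPEC)))
    return [(n, f) for n, f, _, req in REQUESTED if req and (n, f) not in present]

# Constructed sample assertion fragment: FirstName is released, Role is not.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"><saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{FMT_URI}" FriendlyName="FirstName">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(build_acs())
    print("missing:", missing_required(SAMPLE_ASSERTION))
```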