Versions Compared

Old Version 5

changes.mady.by.user Aras Kazemi

Saved on

compared with

New Version 6

changes.mady.by.user Aras Kazemi

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SAML Attribute Representation

SAML Attribute Format

When attributes defined in this specification are used, the following requirements apply:

  • The <saml:Attribute> element represents an attribute in SAML 2.0.
  • The NameFormat attribute MUST have the value urn:oasis:names:tc:SAML:2.0:attrnameformat:uri.
  • The Name attribute MUST contain a URI as defined in this specification. Attribute names are expressed as URIs in the form of URLs.
  • The FriendlyName attribute is OPTIONAL.
  • The data type of the <AttributeValue> element is xs:string using UTF-8 encoding, unless otherwise specified in the attribute definition table. The type MAY be explicitly declared using xsi:type="xs:string".
  • Attributes marked as non-multi-valued MUST NOT contain more than one <AttributeValue> element.
  • Attributes marked as multi-valued MAY contain multiple <AttributeValue> elements.
  • String matching SHOULD be performed using the caseIgnoreMatch rule as defined in X.520.

Scoped Attributes

A scoped attribute expresses its value as a string of the form value@scope, where the scope represents the Identity Provider's security domain.

The scope typically corresponds to the organization’s domain name, but is not limited to it, and MUST be declared in the Identity Provider's metadata (the <shibmd:Scope> element).

An Identity Provider that releases scoped attributes MUST be authorized to use the corresponding scope values. Such scopes MUST be registered with the federation and, upon approval by the federation operator, included in the Identity Provider's metadata.

A Relying Party consuming a scoped attribute SHOULD verify that the issuing IdP is authorized to assert the given scope. This verification is performed by checking the Identity Provider's metadata entry, as described in Section 2.1.4 Scope of the SAML WebSSO Technology Profile.

Example

The following example illustrates how attributes defined in this specification may be represented in a SAML 2.0 assertion issued by an Identity Provider.

...

    <saml2:AttributeValue 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xsi:type="xs:string">
        vole-x2h5-qmgi@minorganisation.se7803e459-881d-416f-a57c-4ce5eda0b79b@example.org
    </saml2:AttributeValue>

...

Namehttps://openfed.se/attributes/subject-id
Friendly Namesubject-id
Data Typexs:string
Multi-valuedNO
ScopedYES
Referenceurn:oasis:names:tc:SAML:attribute:subject-id
Example123456787803e459-abcd881d-1234416f-ef00a57c-1234567890ab@example4ce5eda0b79b@example.org

pairwise-id

The attribute is a technical identifier assigned by the subject’s home organization to uniquely identify the subject on a per–Relying Party basis.

...