SAML Attribute Consuming Services

In SAML, requested attributes can be conveyed in two ways:

  1. Via the requested attributes extension in the AuthnRequest, see here

  2. Via Attribute Consuming Services in the metadata, and (optionally) an AttributeConsumingServiceIndex in the request

The Signicat Identity broker supports both methods. The requested attributes extension is sent as part of the AuthnRequest and requires no additional configuration beforehand.

If the SAML Identity Provider of your choice only supports Attribute Consuming Services in the metadata, the Attribute Consuming Services need to be configured. Our user interface helps you define them.

First, create a SAML attribute consuming service in the configuration-app:

Create a SAML Attribute Consuming service
  • The name can be used to clearly describe for which service you need the specified attributes.

  • The index is used to tell the Identity Provider which attribute consuming service to use, by means of the AttributeConsumingServiceIndex.

  • Default: when selected, this AttributeConsumingService is requested by default (when no AttributeConsumingServiceIndex is sent).

  • Attributes: the attributes that you require for your service (check with the SAML Identity Provider of your choice whether it supports these attributes).

After that is done, the metadata will be updated. To view the broker metadata, go to the configured SAML Identity Provider (in Authentication Providers) or configure a SAML Identity Provider.

SAML IdentityProvider configuration screen

In the SAML Identity Provider configuration screen, click on the button to get the broker metadata.

In the metadata the AttributeConsumingService has been added:

AttributeConsumingService in the metadata

Send the new metadata file to the SAML Identity Provider.
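One way to check the downloaded broker metadata before sending it to the SAML Identity Provider, as an added example (not Signicat's code): it lists each AttributeConsumingService with its index, default flag and requested attributes, rejects duplicate indexes or multiple defaults, and shows which service applies for a given AttributeConsumingServiceIndex. The sample metadata, entityID, service names and attribute names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata; entityID, service names and attribute names are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://broker.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Basic login</md:ServiceName>
      <md:RequestedAttribute Name="urn:example:attr:uid" isRequired="true"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="2">
      <md:ServiceName xml:lang="en">Age check</md:ServiceName>
      <md:RequestedAttribute Name="urn:example:attr:uid" isRequired="true"/>
      <md:RequestedAttribute Name="urn:example:attr:dateOfBirth"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def list_services(metadata_xml):
    """Return {index: {"name", "default", "attributes"}} per AttributeConsumingService."""
    # Meant for your own broker's metadata; use a hardened XML parser for untrusted input.
    root = ET.fromstring(metadata_xml)
    services = {}
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AttributeConsumingService", NS):
        index = int(acs.get("index"))
        if index in services:
            raise ValueError(f"duplicate AttributeConsumingService index {index}")
        services[index] = {
            "name": acs.findtext("md:ServiceName", default="", namespaces=NS),
            "default": acs.get("isDefault", "false") in ("true", "1"),
            "attributes": [ra.get("Name") for ra in acs.iterfind("md:RequestedAttribute", NS)],
        }
    if sum(s["default"] for s in services.values()) > 1:
        raise ValueError("more than one AttributeConsumingService is marked isDefault")
    return services


def resolve(services, index=None):
    """Pick the service for an AttributeConsumingServiceIndex, or the default when none is sent."""
    if index is not None:
        if index not in services:
            raise KeyError(f"index {index} is not in the metadata")
        return services[index]
    return next((s for s in services.values() if s["default"]), None)
```

Comparing the attribute list returned for each index against what the service actually needs helps keep the request limited to the attributes that are required.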