Requested Attributes (SAML)
Information about which attributes the login flow should deliver.
The meaning of this information depends on the Authn Connector. There are three mechanisms for determining the RequestedAttributes:
  1. AttributeConsumingServiceIndex: The AttributeConsumingServiceIndex in the AuthnRequest is used to look up the AttributeConsumingService from the metadata from the connection. The RequestedAttributes from the AttributeConsumingService will be used.
  2. RequestedAttribute SAML extension: The RequestedAttributes element from the AuthnRequest is used. (See the official specification here.)

Example AttributeConsumingServiceIndex with AuthnRequest

<samlp:AuthnRequest AttributeConsumingServiceIndex="1"></samlp:AuthnRequest>

Example AttributeConsumingServiceIndex with Metadata

<md:EntityDescriptor>
  <md:SPSSODescriptor>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute isRequired="true" Name="firstName"/>
      <md:RequestedAttribute Name="email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Gives:

{
  "requestedAttributes": [
    "firstName",
    "email"
  ]
}

Example RequestedAttribute

<samlp:AuthnRequest>
  <samlp:Extensions>
    <req-attr:RequestedAttributes>
      <md:RequestedAttribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>User</saml:AttributeValue>
        <saml:AttributeValue>Administrator</saml:AttributeValue>
      </md:RequestedAttribute>
    </req-attr:RequestedAttributes>
  </samlp:Extensions>
</samlp:AuthnRequest>

Gives:

{
  "requestedAttributes": [
    "firstName",
    "lastName",
    "role"
  ]
}
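
The two lookups described above, resolved in one function, as an added Python example (not code from this product or its documentation). The function names, the sample documents, the rejection of DTDs, the error raised for an index missing from the metadata, and the choice to let the extension take precedence over the index are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "req-attr": "urn:oasis:names:tc:SAML:protocol:ext:req-attr",
}
DECL = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

# Constructed sample inputs, modelled on the fragments above with namespaces declared.
METADATA = f"""<md:EntityDescriptor {DECL}><md:SPSSODescriptor>
  <md:AttributeConsumingService index="1">
    <md:RequestedAttribute isRequired="true" Name="firstName"/>
    <md:RequestedAttribute Name="email"/>
  </md:AttributeConsumingService>
</md:SPSSODescriptor></md:EntityDescriptor>"""
BY_INDEX = f'<samlp:AuthnRequest {DECL} AttributeConsumingServiceIndex="1"/>'
BY_EXTENSION = f"""<samlp:AuthnRequest {DECL}><samlp:Extensions><req-attr:RequestedAttributes>
  <md:RequestedAttribute Name="firstName" isRequired="true"/>
  <md:RequestedAttribute Name="role"/>
</req-attr:RequestedAttributes></samlp:Extensions></samlp:AuthnRequest>"""


def parse(xml_text):
    # AuthnRequests arrive from outside: refuse DTDs so no entity expansion is attempted.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in SAML input")
    return ET.fromstring(xml_text)


def requested_attributes(authn_request_xml, metadata_xml):
    request = parse(authn_request_xml)
    # Assumed precedence (not stated on the page): the extension wins over the index.
    names = [a.get("Name") for a in request.findall(
        "samlp:Extensions/req-attr:RequestedAttributes/md:RequestedAttribute", NS)]
    index = request.get("AttributeConsumingServiceIndex")
    if not names and index is not None:
        services = parse(metadata_xml).findall(
            "md:SPSSODescriptor/md:AttributeConsumingService", NS)
        match = [s for s in services if s.get("index") == index]
        if not match:
            # Fail closed: an index missing from the metadata is an error, not an empty list.
            raise LookupError(f"no AttributeConsumingService with index {index}")
        names = [a.get("Name") for a in match[0].findall("md:RequestedAttribute", NS)]
    return {"requestedAttributes": names}


if __name__ == "__main__":
    for req in (BY_INDEX, BY_EXTENSION):
        print(requested_attributes(req, METADATA))
```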