问题
We have a SAML 2.0 federated environment (IDP and SP). I would like to generate a custom attribute for assertions created only for one SP. As such, I will not modify the IDP configuration.
The snippet of the SAML Assertion we need to create:
< saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
Name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups">< saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
xsi:type="xsd:string">ABCD
According to SAML2 specifications, we need to modify the SP extended metadata to provide this attribute. The constant string "ABCD" is the attribute we want to send. I've modified as such, but no results. Can anyone provide insight?
< Attribute name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups">
< Value>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|ABCD</Value>< /Attribute>
Also tried:
< Attribute name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
< Value>"ABCD"</Value>< /Attribute>
回答1:
Looking at the metadata spec it seems like you use the following syntax to define what attributes you want from the IDP. Of course the IDP must be configured to allow the export of such attribute to..
<AttributeConsumingService>
<ServiceName xml:lang="en">youname</ServiceName>
<RequestedAttribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:theformat"
Name="theAttributeName"
FriendlyName="humanReadableName"/>
</AttributeConsumingService>
The spec of this is here at page 21 https://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf
来源:https://stackoverflow.com/questions/14367279/generate-custom-attribute-for-one-sp-in-a-saml-2-0-federation-identity