Attribute Specification

Innen: KIFÜ Wiki
A lap korábbi változatát látod, amilyen Bajnokk(AT)niif.hu (vitalap | szerkesztései) 2012. január 27., 12:47-kor történt szerkesztése után volt. (Use of attributes)

Goal of the Attribute Specification

In a federation, information about the user is represented in SAML attributes transferred from the Identity Provider to the Service Provider. It is important for both parties to interpret the data in the same way.

Exact definition of the attributes are maintained in the defining schemas. Within this specification, we us the following schema:

This Attribute Specification provides an interpretation of the above documents for federational use. It might be somewhat more specific than the original definition, in order to let the SPs get more specific information about the user.

Beyond the specification, parties may bilaterally agree on any other attributes.


Use of attributes

Glossary

  • Implementing an attribute: an IdP implements an attribute, if the information is available according to the semantics of the specification. Releasing an implemented attribute is simply a policy decision.
  • Attribute release: transferring the information within SAML attributes from the IdP to an SP.

Levels of implementation

  • Mandatory: every IdP must implement the attribute.
  • Recommended: it is recommended for every IdP to implement the attribute, however, it is understood that it might be impossible or very complex for certain IdPs
  • Optional: an IdP may freely implement the attribute, however, the implementation must follow this specification.

Attribute Requirements of the SP

SPs can indicate attribute requirements among the information provided to Resource Registry. This information also shows up in the federation metadata. From the point of view of the SP, an attribute can be:

  • Required: the information is a requirement for the proper operation of the SP application
i.e. eduPersonPrincipalName is often required for applications, which are not prepared for handling opaque identifiers.
  • Desired: the information can add extra functionality to the application or can provide better user experience
i.e. when displayName is transferred, the user is not prompted to supply his or her common name.