# SAML Requested Attributes

# Introduction

How requestedAttributes are interpreted depends on the ID method used.

There are three mechanisms for determining the requestedAttributes:

  1. AttributeConsumingServiceIndex: The AttributeConsumingServiceIndex in the AuthnRequest is used to look up the AttributeConsumingService in the SP metadata registered for the connection. The RequestedAttributes of that AttributeConsumingService are used.
  2. RequestedAttribute SAML extension: The RequestedAttributes element in the Extensions of the AuthnRequest is used (see the OASIS specification of the req-attr protocol extension).
  3. Using Broker services (more information will follow later).

# AttributeConsumingServiceIndex examples

# AttributeConsumingServiceIndex in the AuthnRequest

```xml
<samlp:AuthnRequest AttributeConsumingServiceIndex="1"></samlp:AuthnRequest>
```

# AttributeConsumingServiceIndex in the metadata

```xml
<md:EntityDescriptor>
  <md:SPSSODescriptor>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute isRequired="true" Name="firstName"/>
      <md:RequestedAttribute Name="email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

Note: The isRequired attribute is discarded.

# RequestedAttribute examples

# RequestedAttribute

```xml
<samlp:AuthnRequest>
  <samlp:Extensions>
      <req-attr:RequestedAttributes>
          <md:RequestedAttribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
          <md:RequestedAttribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
          <md:RequestedAttribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml:AttributeValue>User</saml:AttributeValue>
              <saml:AttributeValue>Administrator</saml:AttributeValue>
          </md:RequestedAttribute>
      </req-attr:RequestedAttributes>
  </samlp:Extensions>
</samlp:AuthnRequest>
```

Note: AttributeValues are discarded for requestedAttributes ('User' and 'Administrator' in the example above are ignored).
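To make the two in-band mechanisms concrete, here is an added example (not Signicat's code) of a receiver resolving the requested attribute names either from the AttributeConsumingServiceIndex plus the SP metadata or from the req-attr extension. It applies both notes above: isRequired in the metadata is not read, and nested AttributeValues in the extension are ignored. The request and metadata documents are constructed from the snippets on this page. The page does not say how a request carrying both an index and an extension is treated; the example's preference for the index is an assumption.

```python
# Added example (not Signicat's code): resolve requested attribute names from
# an AuthnRequest using the two in-band mechanisms described above.
import xml.etree.ElementTree as ET

# Namespace prefixes used in the path lookups below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "req-attr": "urn:oasis:names:tc:SAML:protocol:ext:req-attr",
}

# Constructed SP metadata, mirroring the metadata snippet on this page.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute isRequired="true" Name="firstName"/>
      <md:RequestedAttribute Name="email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed requests, one per mechanism.
REQUEST_BY_INDEX = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AttributeConsumingServiceIndex="1"/>"""

REQUEST_BY_EXTENSION = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
  <samlp:Extensions>
    <req-attr:RequestedAttributes>
      <md:RequestedAttribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>User</saml:AttributeValue>
        <saml:AttributeValue>Administrator</saml:AttributeValue>
      </md:RequestedAttribute>
    </req-attr:RequestedAttributes>
  </samlp:Extensions>
</samlp:AuthnRequest>"""


def requested_from_metadata(metadata_xml: str, index: int) -> list[str]:
    """Mechanism 1: find the AttributeConsumingService with the given index in
    the SP metadata and return its RequestedAttribute names. isRequired is
    deliberately not read, matching the note above."""
    root = ET.fromstring(metadata_xml)  # use defusedxml for untrusted input
    for acs in root.iterfind(".//md:AttributeConsumingService", NS):
        if acs.get("index") == str(index):
            return [ra.get("Name") for ra in acs.iterfind("md:RequestedAttribute", NS)]
    raise ValueError(f"no AttributeConsumingService with index {index}")


def requested_from_extension(authn_request_xml: str) -> list[str]:
    """Mechanism 2: read RequestedAttribute names from the req-attr extension.
    Nested AttributeValue elements are ignored, matching the note above."""
    root = ET.fromstring(authn_request_xml)
    path = "samlp:Extensions/req-attr:RequestedAttributes/md:RequestedAttribute"
    return [ra.get("Name") for ra in root.iterfind(path, NS)]


def resolve_requested_attributes(authn_request_xml: str, metadata_xml: str) -> list[str]:
    """Pick the mechanism from the request. Assumption: when the request carries
    an AttributeConsumingServiceIndex the metadata lookup wins; the page does
    not specify how a request with both an index and an extension is treated."""
    root = ET.fromstring(authn_request_xml)
    index = root.get("AttributeConsumingServiceIndex")
    if index is not None:
        return requested_from_metadata(metadata_xml, int(index))
    return requested_from_extension(authn_request_xml)


if __name__ == "__main__":
    print(resolve_requested_attributes(REQUEST_BY_INDEX, SP_METADATA))      # ['firstName', 'email']
    print(resolve_requested_attributes(REQUEST_BY_EXTENSION, SP_METADATA))  # ['firstName', 'lastName', 'role']
```

The metadata lookup is the one to prefer when you control both sides: the attribute set is pinned in registered metadata rather than carried in each request, so a tampered or malformed request cannot change it.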

# Additional parameters

Apart from regular requested attributes, the AuthnRequest to Signicat may carry additional parameters in the Extensions, also in the form of RequestedAttributes. To be processed as a parameter, the Name of the RequestedAttribute must be of the form signicat:param:parametername. Such a RequestedAttribute can optionally carry a string-typed AttributeValue.

For example, you can specify the language via additional parameters:

```xml
<saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
        <md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                                Name="signicat:param:language"
                                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                isRequired="true"
                                >
            <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                                  xsi:type="xsd:string">fi</saml2:AttributeValue>
        </md:RequestedAttribute>
    </req-attr:RequestedAttributes>
</saml2p:Extensions>
```

# Prefilled subject information

Another option is to pass prefilled information about the subject, using RequestedAttributes whose Name is of the form signicat:prefilled:fieldname, for example:

```xml
<samlp:Extensions>
        <req-attr:RequestedAttributes>
            <md:RequestedAttribute isRequired="true"
                                   Name="firstName"
                                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
            ...
            <md:RequestedAttribute Name="signicat:prefilled:subject">
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">subject@test.com</saml:AttributeValue>
            </md:RequestedAttribute>
            <md:RequestedAttribute isRequired="false"
                                   Name="signicat:prefilled:phone">
                                   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">1234567890</saml:AttributeValue>
            </md:RequestedAttribute>
        </req-attr:RequestedAttributes>
</samlp:Extensions>
```

# Provider discovery

Some ID methods consist of a network of identity providers (issuers), such as banks, that collectively offer authentication to their customers. You may want to offer your end-users only a subset of these providers when they authenticate with such an ID method.

To control which providers are available in a given authentication session, add a signicat:param RequestedAttribute with the parameter listed below to the Extensions of your SAML 2.0 request.

The available parameters for each ID method are:

| ID method | Parameter | Providers |
| --- | --- | --- |
| iDIN | idin_idp | View the list of iDIN issuers (banks) active in your account at https://<YOUR_ACCOUNT_DOMAIN>.com/broker/authn/idin/issuers, where <YOUR_ACCOUNT_DOMAIN> is the domain you registered in the Signicat Dashboard under Domain management. |
| FTN | ftn_idp | View the list of FTN issuers in the ID method documentation for FTN. |

For example, when authenticating end-users with the Finnish Trust Network (FTN), you can choose which banks to include in the authentication process. To restrict the banks available to end-users during authentication, you can build your request as shown below:

```xml
<saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
        <md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                                Name="signicat:param:ftn_idp"
                                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                isRequired="true"
                                >
            <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                                  xsi:type="xsd:string">fi-aktia</saml2:AttributeValue>
        </md:RequestedAttribute>
    </req-attr:RequestedAttributes>
</saml2p:Extensions>
```

In this case, the ftn_idp parameter is set so that only fi-aktia (Aktia bank) is offered to your end-users during authentication.
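The three uses of the extension shown above (signicat:param:* parameters such as language, signicat:prefilled:* subject data, and the ftn_idp provider restriction) are all built the same way, so here is one added example (not Signicat's SDK) that assembles the samlp:Extensions element for all of them and re-parses the result as a self-check. The allowlist of enabled FTN issuer codes is a constructed stand-in for the list you would take from the FTN documentation; only fi-aktia comes from this page. The allowlist check is an added safeguard against sending a code your account cannot serve; how Signicat responds to an unknown code is not stated here.

```python
# Added example (not Signicat's SDK): build the samlp:Extensions element that
# carries signicat:param:* parameters, signicat:prefilled:* subject data and an
# ftn_idp issuer restriction, then re-parse it as a self-check.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REQ_ATTR = "urn:oasis:names:tc:SAML:protocol:ext:req-attr"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Register prefixes so the serialised XML uses the same names as the page.
for _prefix, _uri in {"samlp": SAMLP, "saml": SAML, "md": MD,
                      "req-attr": REQ_ATTR, "xsi": XSI}.items():
    ET.register_namespace(_prefix, _uri)

# Constructed allowlist of FTN issuer codes enabled for the account. Only
# "fi-aktia" is taken from the page; fill it from the FTN documentation.
ENABLED_FTN_ISSUERS = {"fi-aktia"}


def _requested_attribute(parent, name, value=None, required=None):
    """Append one md:RequestedAttribute; a value becomes a string-typed
    saml:AttributeValue, as in the page's examples."""
    ra = ET.SubElement(parent, f"{{{MD}}}RequestedAttribute", Name=name, NameFormat=URI_FORMAT)
    if required is not None:
        ra.set("isRequired", "true" if required else "false")
    if value is not None:
        av = ET.SubElement(ra, f"{{{SAML}}}AttributeValue")
        av.set(f"{{{XSI}}}type", "xsd:string")
        av.set("xmlns:xsd", XSD)  # declare the prefix the xsi:type value refers to
        av.text = value
    return ra


def build_extensions(attributes, params=None, prefilled=None):
    """attributes: regular requested attribute names (marked isRequired);
    params: e.g. {'language': 'fi', 'ftn_idp': 'fi-aktia'} -> signicat:param:*;
    prefilled: e.g. {'subject': 'subject@test.com'} -> signicat:prefilled:*."""
    ext = ET.Element(f"{{{SAMLP}}}Extensions")
    ras = ET.SubElement(ext, f"{{{REQ_ATTR}}}RequestedAttributes")
    for name in attributes:
        _requested_attribute(ras, name, required=True)
    for key, value in (params or {}).items():
        if key == "ftn_idp" and value not in ENABLED_FTN_ISSUERS:
            # Fail before sending an issuer code the account cannot serve.
            raise ValueError(f"ftn_idp {value!r} is not an enabled issuer")
        _requested_attribute(ras, f"signicat:param:{key}", value=value, required=True)
    for key, value in (prefilled or {}).items():
        _requested_attribute(ras, f"signicat:prefilled:{key}", value=value, required=False)
    return ext


def extension_xml(attributes, params=None, prefilled=None) -> str:
    """Serialise the Extensions element ready to be placed in the AuthnRequest."""
    return ET.tostring(build_extensions(attributes, params, prefilled), encoding="unicode")


def requested_names(xml: str) -> list[str]:
    """Re-parse and list the RequestedAttribute names; confirms namespaces survived."""
    root = ET.fromstring(xml)
    return [ra.get("Name") for ra in root.iter(f"{{{MD}}}RequestedAttribute")]


def param_values(xml: str) -> dict[str, str]:
    """Re-parse and collect the values of signicat:param:* and signicat:prefilled:*."""
    root = ET.fromstring(xml)
    out = {}
    for ra in root.iter(f"{{{MD}}}RequestedAttribute"):
        name = ra.get("Name")
        if name.startswith("signicat:"):
            av = ra.find(f"{{{SAML}}}AttributeValue")
            out[name] = av.text if av is not None else None
    return out


if __name__ == "__main__":
    print(extension_xml(["firstName"],
                        params={"language": "fi", "ftn_idp": "fi-aktia"},
                        prefilled={"subject": "subject@test.com"}))
```

Because these parameters travel inside the AuthnRequest, they are only as trustworthy as the request itself; sign the request (or send it over a channel the receiver can authenticate) if you rely on the provider restriction being honoured as sent.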

You can find more details for each ID method in the respective ID method documentation.

Last updated: 08/05/2024 11:49 UTC