# SAML Requested Attributes
## Introduction
The context of `requestedAttributes` depends on the ID method used. There are three mechanisms for determining the `requestedAttributes`:

- `AttributeConsumingServiceIndex`: the `AttributeConsumingServiceIndex` in the `AuthnRequest` is used to look up the `AttributeConsumingService` in the metadata of the connection. The `RequestedAttributes` from that `AttributeConsumingService` are used.
- `RequestedAttribute` SAML extension: the `RequestedAttributes` element from the `AuthnRequest` is used (see the official specification).
- Using Broker services (more information will follow later).
## AttributeConsumingServiceIndex examples

### AttributeConsumingServiceIndex with AuthnRequest

```xml
<samlp:AuthnRequest AttributeConsumingServiceIndex="1"></samlp:AuthnRequest>
```
### AttributeConsumingServiceIndex with Metadata

```xml
<md:EntityDescriptor>
  <md:SPSSODescriptor>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute isRequired="true" Name="firstName"/>
      <md:RequestedAttribute Name="email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

Note: the `isRequired` attribute is discarded.
## RequestedAttribute examples

### RequestedAttribute

```xml
<samlp:AuthnRequest>
  <samlp:Extensions>
    <req-attr:RequestedAttributes>
      <md:RequestedAttribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>User</saml:AttributeValue>
        <saml:AttributeValue>Administrator</saml:AttributeValue>
      </md:RequestedAttribute>
    </req-attr:RequestedAttributes>
  </samlp:Extensions>
</samlp:AuthnRequest>
```

Note: `AttributeValue` elements are discarded for `requestedAttributes` ('User' and 'Administrator' are ignored).
## Additional parameters

Apart from regular requested attributes, the `AuthnRequest` to Signicat may contain additional parameters in the `Extensions`, in the form of `RequestedAttributes`. For these to be processed, the name of the `RequestedAttribute` must be of the form `signicat:param:parametername`. Each can optionally carry a string-typed value.

For example, you can specify the language via additional parameters:
```xml
<saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
    <md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        Name="signicat:param:language"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true">
      <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xsi:type="xsd:string">fi</saml2:AttributeValue>
    </md:RequestedAttribute>
  </req-attr:RequestedAttributes>
</saml2p:Extensions>
```
## Prefilled subject information

Another feature is the option to pass prefilled information about the subject, for example:

```xml
<samlp:Extensions>
  <req-attr:RequestedAttributes>
    <md:RequestedAttribute isRequired="true"
        Name="firstName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    ...
    <md:RequestedAttribute Name="signicat:prefilled:subject">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">subject@test.com</saml:AttributeValue>
    </md:RequestedAttribute>
    <md:RequestedAttribute isRequired="false"
        Name="signicat:prefilled:phone">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">1234567890</saml:AttributeValue>
    </md:RequestedAttribute>
  </req-attr:RequestedAttributes>
</samlp:Extensions>
```
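The resolution rules from the Introduction, together with the `signicat:param:*` and `signicat:prefilled:*` conventions of the two sections above, can be exercised end to end on the receiving side. The following is an added example, not Signicat's code: it applies the `AttributeConsumingServiceIndex` metadata lookup and the `RequestedAttributes` extension using only the Python standard library, drops `isRequired` and `AttributeValue` children for plain attributes as the notes above state, and separates parameters and prefilled values from real attribute names. The precedence (the extension wins when present), the SP metadata and both `AuthnRequest` documents are constructed for this example.

```python
"""Resolve which attributes a SAML 2.0 AuthnRequest asks for.

Added example, not Signicat's code. Precedence between the two mechanisms
(extension first, then AttributeConsumingServiceIndex) is an assumption of
this example; all XML below is constructed input.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "req-attr": "urn:oasis:names:tc:SAML:protocol:ext:req-attr",
}

# Constructed SP metadata with a single AttributeConsumingService (index 1).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test">
  <md:SPSSODescriptor>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute isRequired="true" Name="firstName"/>
      <md:RequestedAttribute Name="email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed request using mechanism 1: only the index is sent.
REQUEST_BY_INDEX = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" AttributeConsumingServiceIndex="1"/>"""

# Constructed request using mechanism 2: attributes, a parameter and a
# prefilled value all travel in the RequestedAttributes extension.
REQUEST_BY_EXTENSION = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr"
    ID="_req2" Version="2.0">
  <samlp:Extensions>
    <req-attr:RequestedAttributes>
      <md:RequestedAttribute Name="firstName" isRequired="true"/>
      <md:RequestedAttribute Name="role">
        <saml:AttributeValue>User</saml:AttributeValue>
      </md:RequestedAttribute>
      <md:RequestedAttribute Name="signicat:param:language">
        <saml:AttributeValue>fi</saml:AttributeValue>
      </md:RequestedAttribute>
      <md:RequestedAttribute Name="signicat:prefilled:subject">
        <saml:AttributeValue>subject@test.com</saml:AttributeValue>
      </md:RequestedAttribute>
    </req-attr:RequestedAttributes>
  </samlp:Extensions>
</samlp:AuthnRequest>"""


def resolve_requested_attributes(request_xml, metadata_xml):
    """Return {"attributes": [...], "params": {...}, "prefilled": {...}}.

    Plain attribute names keep neither isRequired nor AttributeValue children,
    matching the page's notes that both are discarded. signicat:param:* and
    signicat:prefilled:* entries are not subject attributes, so they are
    returned separately together with their optional string value.
    """
    req = ET.fromstring(request_xml)
    entries = req.findall(
        "samlp:Extensions/req-attr:RequestedAttributes/md:RequestedAttribute", NS)
    if not entries:
        index = req.get("AttributeConsumingServiceIndex")
        if index is None:
            return {"attributes": [], "params": {}, "prefilled": {}}
        meta = ET.fromstring(metadata_xml)
        services = [
            s for s in meta.findall("md:SPSSODescriptor/md:AttributeConsumingService", NS)
            if s.get("index") == index
        ]
        if not services:
            # An index the metadata does not define is a malformed request.
            raise ValueError(f"no AttributeConsumingService with index {index}")
        entries = services[0].findall("md:RequestedAttribute", NS)

    result = {"attributes": [], "params": {}, "prefilled": {}}
    for entry in entries:
        name = entry.get("Name")
        value_el = entry.find("saml:AttributeValue", NS)
        value = value_el.text if value_el is not None else None
        if name.startswith("signicat:param:"):
            result["params"][name[len("signicat:param:"):]] = value
        elif name.startswith("signicat:prefilled:"):
            result["prefilled"][name[len("signicat:prefilled:"):]] = value
        else:
            result["attributes"].append(name)
    return result
```

Rejecting an index that the metadata does not define, rather than silently returning an empty list, keeps a mismatch between the request and the connection's metadata visible instead of quietly issuing an assertion with no attributes.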
## Provider discovery

In some cases, ID methods are comprised of a network of identity providers (or issuers), such as banks, that collectively offer authentication to their customers. You may want to offer your end-users only a limited number of these providers when they authenticate with an ID method.

To control the providers you make available for each authentication session, use the `RequestedAttribute` in your SAML 2.0 request. Below, you can find an overview of the available parameters for each ID method:
| ID method | Parameter | Providers |
|---|---|---|
| iDIN | `idin_idp` | View the list of iDIN issuers (banks) active in your account at `https://<YOUR_ACCOUNT_DOMAIN>.com/broker/authn/idin/issuers`, where `<YOUR_ACCOUNT_DOMAIN>` is the domain you registered in the Signicat Dashboard under Domain management. |
| FTN | `ftn_idp` | View the list of FTN issuers in the ID method documentation for FTN. |
For example, when authenticating end-users with the Finnish Trust Network (FTN), you can choose which banks to include in the authentication process. To restrict the banks available to end-users during authentication, you can build your request as shown below:
```xml
<saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
    <md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        Name="signicat:param:ftn_idp"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        isRequired="true">
      <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xsi:type="xsd:string">fi-aktia</saml2:AttributeValue>
    </md:RequestedAttribute>
  </req-attr:RequestedAttributes>
</saml2p:Extensions>
```
In this case, the `ftn_idp` attribute is set so that only `fi-aktia` (Aktia bank) is available to your end-users during authentication.
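Building the `Extensions` element shown above by hand is error-prone because the value must be namespaced, typed and placed under the right `RequestedAttribute`. The following is an added example, not Signicat's code: it generates a `saml2p:Extensions` fragment carrying `signicat:param:*` entries (and optionally `signicat:prefilled:*` entries) with the Python standard library, and parses the result back so the produced XML can be checked. The `allowed_idps` allow-list is an assumption of this example, added so that a request can only name issuers the integration intends to expose; the `xsd` prefix is declared explicitly because ElementTree only declares namespaces it sees in element or attribute names.

```python
"""Build a SAML 2.0 Extensions fragment with Signicat parameter attributes.

Added example, not Signicat's code. allowed_idps is an assumption of this
example; everything else follows the element layout shown on this page.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REQ_ATTR = "urn:oasis:names:tc:SAML:protocol:ext:req-attr"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Use the same prefixes as the page's examples when serializing.
for prefix, uri in (("saml2p", SAMLP), ("saml2", SAML), ("md", MD),
                    ("req-attr", REQ_ATTR), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)


def build_extensions(params, prefilled=None, allowed_idps=None):
    """Return the serialized saml2p:Extensions element.

    params   -> signicat:param:<name> entries (e.g. {"ftn_idp": "fi-aktia"})
    prefilled -> signicat:prefilled:<name> entries (e.g. {"subject": "..."})
    allowed_idps (assumption): when given, ftn_idp / idin_idp values outside
    this set are rejected before any XML is produced.
    """
    prefilled = prefilled or {}
    if allowed_idps is not None:
        for key in ("ftn_idp", "idin_idp"):
            if key in params and params[key] not in allowed_idps:
                raise ValueError(f"{key}={params[key]!r} is not an allowed provider")

    ext = ET.Element(f"{{{SAMLP}}}Extensions")
    container = ET.SubElement(ext, f"{{{REQ_ATTR}}}RequestedAttributes")
    entries = [(f"signicat:param:{k}", v) for k, v in params.items()]
    entries += [(f"signicat:prefilled:{k}", v) for k, v in prefilled.items()]
    for name, value in entries:
        attr = ET.SubElement(container, f"{{{MD}}}RequestedAttribute",
                             Name=name, NameFormat=URI_FORMAT, isRequired="true")
        val = ET.SubElement(attr, f"{{{SAML}}}AttributeValue")
        # xsd is only referenced inside an attribute value, so declare it by hand.
        val.set("xmlns:xsd", XSD)
        val.set(f"{{{XSI}}}type", "xsd:string")
        val.text = value
    return ET.tostring(ext, encoding="unicode")


def requested_params(extensions_xml):
    """Parse a fragment back into {parametername: value} for the param entries."""
    root = ET.fromstring(extensions_xml)
    out = {}
    for attr in root.iter(f"{{{MD}}}RequestedAttribute"):
        name = attr.get("Name")
        if name.startswith("signicat:param:"):
            val = attr.find(f"{{{SAML}}}AttributeValue")
            out[name.split(":", 2)[2]] = val.text if val is not None else None
    return out


if __name__ == "__main__":
    print(build_extensions({"ftn_idp": "fi-aktia", "language": "fi"},
                           allowed_idps={"fi-aktia"}))
```

Keeping the allow-list in the integration's own configuration, rather than accepting an issuer name from the browser session, means the set of banks shown to end-users is decided by the service and not by whoever assembled the request.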
You can find more details for each ID method in the respective ID method documentation.