Declare supported attributes in IdP generated metadata


Bengt Wällstedt

Oct 20, 2025, 7:15:10 PM
to SimpleSAMLphp
To comply with the SAML WebSSO Technology Profile issued by The Swedish Internet Foundation, the IdP metadata must declare the attributes that can be supplied by the IdP. The attributes should be listed in saml:Attribute elements within the md:IDPSSODescriptor element after SingleSignOnService at the end of the IDPSSODescriptor element as shown in the example:
<md:EntityDescriptor xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://example.com/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <md:SingleSignOnService ... />
    <md:NameIDMappingService ... />
     
    <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      FriendlyName="eduPersonPrincipalName">
    </saml:Attribute>
    <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
      FriendlyName="eduPersonEntitlement">
        <saml:AttributeValue>
        </saml:AttributeValue>
    </saml:Attribute>
     
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Now my question is if this can be done somehow in i.e. saml20-idp-hosted.php so that the list of supported attributes will be included in the metadata that is available in the metadata url. I tried the saml:Extensions but besides being a bit of a hassle when listing many attributes the list ends up in the wrong element in the metadata.
Kind regards
Bengt Wällstedt
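An added check, written for this thread and not taken from SimpleSAMLphp or the profile, that a metadata operator can run over the IdP's published metadata to confirm the declared attributes landed where the profile expects them: inside md:IDPSSODescriptor after the SingleSignOnService elements (not under md:Extensions), with the URI NameFormat and well-formed urn:oid names. The two metadata documents are constructed samples; the entity ID and SSO endpoint are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
OID_NAME = re.compile(r"^urn:oid:\d+(\.\d+)+$")  # no spaces, dotted digits only


def check_idp_attributes(metadata_xml: str) -> list[str]:
    """Return the problems found; an empty list means the IdP metadata
    declares its supported attributes the way the profile asks for."""
    problems = []
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no md:IDPSSODescriptor in metadata"]
    children = list(idp)
    sso = [i for i, c in enumerate(children) if c.tag == f"{{{NS['md']}}}SingleSignOnService"]
    attrs = [i for i, c in enumerate(children) if c.tag == f"{{{NS['saml']}}}Attribute"]
    if not attrs:
        problems.append("no saml:Attribute declared inside md:IDPSSODescriptor")
    if sso and attrs and min(attrs) < max(sso):
        problems.append("saml:Attribute must follow the SingleSignOnService elements")
    # Attributes that ended up under md:Extensions are in the wrong element.
    for ext in root.iter(f"{{{NS['md']}}}Extensions"):
        if ext.find("saml:Attribute", NS) is not None:
            problems.append("saml:Attribute found under md:Extensions, not md:IDPSSODescriptor")
    for a in (children[i] for i in attrs):
        name, fmt = a.get("Name", ""), a.get("NameFormat")
        if fmt != URI_FORMAT:
            problems.append(f"{name!r}: NameFormat is {fmt!r}, expected {URI_FORMAT}")
        if not OID_NAME.match(name):
            problems.append(f"{name!r}: Name is not a well-formed urn:oid value")
    return problems


# Constructed sample: attributes declared correctly (entity ID and endpoint assumed).
GOOD_METADATA = """<md:EntityDescriptor xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/sso"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed sample with a stray space inside the OID, which the check flags.
BAD_METADATA = GOOD_METADATA.replace("urn:oid:1.3.6", "urn:oid: 1.3.6")

if __name__ == "__main__":
    print(check_idp_attributes(GOOD_METADATA), check_idp_attributes(BAD_METADATA))
```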