No attributes are sent to sp if sp metadata contains “RequestedAttributes”

Luke P

Aug 6, 2025, 8:32:35 AM
to SimpleSAMLphp
Hi.

I have a problem where no attributes are sent from SSPHP to the SP if the SP metadata contains “RequestedAttributes”.
I have seen this in versions 2.3.5, 2.3.7 and now in 2.4.2, so I thought it’s time to sort this out now 😊
A snippet from the metadata:
    <q1:AttributeConsumingService index="0" isDefault="true">
      <q1:ServiceName xml:lang="da">SP</q1:ServiceName>
      <q1:RequestedAttribute Name="urn:UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
      <q1:RequestedAttribute Name="urn:GivenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
      <q1:RequestedAttribute Name="urn:Surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
    </q1:AttributeConsumingService>


I use Metarefresh to download the metadata.

I get the attributes from LDAP, so I use AttributeLimit and AttributeMap to map the LDAP attributes.

This is how it is configured in module_metarefresh.php
    'authproc' => [
        50 => [
            'class' => 'core:AttributeLimit',
            'default' => true,
            'uid',
            'urn:UserName',
            'Subject_GivenName',
            'urn:GivenName',
            'Subject_Surname',
            'urn:Surname',
        ],
        60 => [
            'class' => 'core:AttributeMap',
            'uid' => 'urn:UserName',
            'Subject_GivenName' => 'urn:GivenName',
            'Subject_Surname' => 'urn:SurName',
        ],
    ],



The only way to get this to work is to remark ‘attributes’ in saml20-sp-remote.php after metarefresh has downloaded the metadata. ‘attributes.required’ can be left unchanged.

/*
    'attributes' => [
        'urn:UserName',
        'urn:GivenName',
        'urn:SurName',
    ],
*/
    'attributes.required' => [
        'urn:UserName',
        'urn:GivenName',
        'urn:SurName',
    ],



How can I get this to work?

Tim van Dijen

Aug 7, 2025, 5:06:12 AM
to SimpleSAMLphp
Hi Luke,

If I remember correctly the `core:AttributeLimit` filter is interfering with the RequestedAttributes from the metadata.
What happens if you remove the filter with index 50?

- Tim

Luke P

Aug 7, 2025, 10:33:46 AM
to SimpleSAMLphp
Hi Tim

I removed the 50 filter but there was no difference.
I need to manually remark  

/*
    'attributes' => [
        'urn:UserName',
        'urn:GivenName',
        'urn:SurName',
    ],
*/

To get the attributes.

/ Luke
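
As an added example (not code from the thread or from SimpleSAMLphp itself), here is a simplified PHP model of the documented `core:AttributeLimit` rule that, with `'default' => true`, an `attributes` list in the SP metadata overrides the filter's own list, run with the filter order from the first post. The function names and the LDAP sample values are constructed for illustration; the filter list, map and metadata list are copied from the post.

```php
<?php
// Simplified model of two authproc filters; NOT SimpleSAMLphp source code.

// core:AttributeLimit: with 'default' => true, an 'attributes' list in the
// SP metadata replaces the filter's own allow-list; otherwise the filter's
// list applies. Names are compared exactly (case-sensitive).
function attributeLimit(array $attrs, array $filterList, bool $default, ?array $spAttributes): array
{
    $allowed = ($default && $spAttributes !== null) ? $spAttributes : $filterList;
    return array_intersect_key($attrs, array_flip($allowed));
}

// core:AttributeMap: rename attributes found in the map, keep the others.
function attributeMap(array $attrs, array $map): array
{
    $out = [];
    foreach ($attrs as $name => $values) {
        $out[$map[$name] ?? $name] = $values;
    }
    return $out;
}

// Constructed sample of what the LDAP source might return.
$ldap = [
    'uid'               => ['jdoe'],
    'Subject_GivenName' => ['Jane'],
    'Subject_Surname'   => ['Doe'],
    'mail'              => ['jdoe@example.org'],
];

// Copied from the post: filter 50 list, filter 60 map, generated 'attributes'.
$filterList   = ['uid', 'urn:UserName', 'Subject_GivenName', 'urn:GivenName', 'Subject_Surname', 'urn:Surname'];
$map          = ['uid' => 'urn:UserName', 'Subject_GivenName' => 'urn:GivenName', 'Subject_Surname' => 'urn:SurName'];
$spAttributes = ['urn:UserName', 'urn:GivenName', 'urn:SurName'];

// Order from the post: limit (50) runs before map (60).
$limitThenMap = fn(?array $sp) => attributeMap(attributeLimit($ldap, $filterList, true, $sp), $map);
// Alternative order: map first, then limit on the mapped names.
$mapThenLimit = fn(?array $sp) => attributeLimit(attributeMap($ldap, $map), $filterList, true, $sp);

$show = fn(string $label, array $a) => print($label . ': [' . implode(', ', array_keys($a)) . "]\n");

$show("limit->map, metadata 'attributes' present", $limitThenMap($spAttributes));
$show("limit->map, 'attributes' commented out   ", $limitThenMap(null));
$show("map->limit, metadata 'attributes' present", $mapThenLimit($spAttributes));
```

Because names are matched case-sensitively in this model, `urn:Surname` and `urn:SurName` count as different attributes.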