RapidIdentity Administrators' and Users' Guide

SAML Attributes

SAML Attributes are added during the setup or editing of a SAML Federation Partner and define attributes which may be released to SAML Relying Parties after a user successfully authenticates.

Technology professionals can view the SAML 2.0 technical overview .

The SAML protocol there are several important aspects, the Identity Provider, SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers.

In the SAML protocol, the Identity Provider (IdP) is in charge of authenticating users and if successful, generating a SAML assertion which relays to the Relying Party that the user has successfully authenticated. Often times this information includes when and how they authenticated, and other information about the user required by the Relying Party. This information about the authenticating user is referred to as the attributes of the authenticating user. Common attributes are user's email address and name, but ultimately the Relying Party must communicate which attributes are required from the Identity Provider to release.

  1. From the Configuration menu, select Identity Providers from the Security menu.

    Security_-_IdPs.png
  2. Expand Identity Providers in the left hand menu items and click Federation Partners.

    Fed_Partners.png
  3. Click Add Federation Partner and select SAML2.0 from the drop-down selector.

    fed_partner_saml2.png
    1. If configuring the SAML Attributes after the Federation Partner has been added, hover and click the edit icon on the far-right column of the workspace.

      saml_edit.png
  4. The current Federation Partners will be displayed in the workspace. Click the SAML Attributes icon in the action buttons at the bottom of the page.

    SAML_Attributes.png

    Note

    The SAML Attributes icon will only display if there are SAML Federation Partners in the system.

  5. The SAML Attributes will load with four separate attribute tabs, LDAP, Static, Name ID, and Static Name ID. Required fields are marked with an asterisk when setting up each attribute.

  6. The first tab is the LDAP Attributes tab. This is where administrators define attributes for values that come directly from LDAP.

    Important

    Administrators define the total pool of attributes which might be allowed to be released to any Relying Party. After the attributes are defined, administrators can choose from the pool which attributes will actually be released to each Relying Party, individually.

    LDAP_Attributes.png
  7. Click the Add LDAP Attribute + button to open the LDAP attribute window.

    create_ldap_attribute.png
    1. LDAP Attribute: The name of the LDAP attribute holding the values which are intended to be released. Each attribute can have one or more values.

    2. SAML Name: The name of the attribute as it will appear in SAML assertions. Different Relying Parties might require the same attribute value, such as a user email address, to be released for them, but could require different names. For example, for a user email address, multiple names such as "EMAIL", "mail", or "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/address."

    3. Friendly Name: This is the name as the LDAP attribute will appear in the SAML Assertion.

    4. Name Format Friendly Name: Select the format value type to be used for the LDAP Attribute Value. SAML Name Formats are typically URIs which convey information to the Relying Party of what format the attribute takes. Depending upon the requirements of the Relying Party, a certain value may or may not be required. This drop-down allows you to choose from some common values or allows you to choose "Custom Name Format" in the event the required value is not one of the provided common values. If the Relying Party does not require a specific value, select "Unspecified."

      name_format_friendly_name.png
      1. Unspecified: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

      2. URI Reference: urn:oasis:names:tc:SAML:2.0:attrname-format:uri

      3. Basic: urn:oasis:names:tc:SAML:2.0:attrname-format:basic

      4. Custom Name Format: The format value is a free form text field to enter the custom name format.

    5. Name Format Value: The format will adjust based on the Name Format Friendly Name selected

  8. The next tab is the Static tab. Static Attributes are attributes whose values are based on values which generally do not change from user to user. For instance, if a Relying Party wants the IdP to release a common value for all users in a particular organization, then a Static Attribute should be used. When using an LDAP Attribute, then every user in your organization must have the attribute on their LDAP entry containing the same value.

    static_attributes.png
  9. Click the Add Static Attribute + button to open the Create Static Attribute window.

    create_static_id_attribute2.png
    1. Friendly Name: This is the name as the Static attribute will appear in the SAML Assertion.

    2. SAML Name: The name of the attribute as it will appear in SAML assertions. Different Relying Parties might require the same attribute value, such as a user email address, to be released for them, but could require different names. For example, for a user email address, multiple names such as "EMAIL", "mail", or "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/address."

    3. Values: Enter the Static Attribute

      1. Click +Add Another Value to enter multiple acceptable values

    4. Resolvable: Allows the static value to contain tokens which can be resolved to real value(s) at the time the SAML Assertion is being generated.

      1. For example, If two Static attributes exist, first being "givenname" that contains a user's first name and the second "sn" which contains a user's surname, then a third attribute can be generated representing the first two attributes. The Relying Party could request that the Identity Provider release an attribute called "name" containing the surname followed by a comma and space, then by the first name. This could be accomplished with a "Resolvable" static attribute where the value is defined as "%sn%, %givenName%."

    5. Name Format Friendly Name: Select the format value type to be used for the Static Attribute Value. Name ID Formats are typically URIs which convey information to the Relying Party of what format the attribute takes. Depending upon the requirements of the Relying Party, a certain value may or may not be required.

      1. Unspecified: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

      2. URI Reference: urn:oasis:names:tc:SAML:2.0:attrname-format:uri

      3. Basic: urn:oasis:names:tc:SAML:2.0:attrname-format:basic

      4. Custom Name Format: If the provided common values in the drop-down do not provide the correct format choose "Custom Name Format." If the Relying Party does not require a specific value, select "Unspecified." The format will adjust the Name Format Value.

    6. Name Format Value: This value will adjust based on the Name Format Friendly Name selected.

  10. The next tab is the Name ID Tab. A SAML Assertion may contain 0 or 1 Name ID attribute and 0 or more non-Name ID attributes. Name ID attributes will typically provide information about the format of the value. The Relying Party must specify any requirements that may exist for the Name Format.

    nameid_attributes.png
  11. Click Add Name ID Attribute+. Name ID attributes are typically used to convey the "primary identifying attribute" about the user to the Relying Party. Often times, this will be the user's email address, but ultimately it's up to the Relying Party to communicate what value is expected, if any, and define the format, etc.

    create_name_id_attribute.png
    1. LDAP Attribute: Enter the name of the LDAP Attribute

    2. Name Format Friendly Name: Select the format value type to be used for the Name ID Value. Name ID Formats are typically URIs which convey information to the Relying Party of what format the attribute takes. Depending upon the requirements of the Relying Party, a certain value may or may not be required.

      nameidname_format_friendly_name.png
      1. Unspecified: Allows a free from entry (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)

      2. Email Address: Uses the email format ( (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)

      3. X.509 Subject Name: Uses the subject name of the X509 Certificate (urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName)

      4. Windows Domain Qualified Name: Uses the FQDN of the hostname and domain name (urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName)

      5. Kerberos Principal Name: Uses the Principal Name to identify the user or service (urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos)

      6. Entity Identifier: Uses a URI is a URL that contains the domain name of the entity (urn:oasis:names:tc:SAML:2.0:nameid-format:entity)

      7. Persistent Identifier: Reliably points to a digital entity as an identifier to build trusted connections (Directsurn:oasis:names:tc:SAML:2.0:nameid-format:persistent)

      8. Transient Identifier: An identifier intended to be used for a single session only (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)

      9. Custom Name Format: The drop-down contains some common Name Format values, but if the required value is not present in the list of available values, choose the Custom Name Format option and provide a custom value. If the Relying Party does not require a specific value, select "Unspecified. "The format will adjust the Name Format Value.

    3. Name Format Value: This value will adjust based on the Name Format Friendly Name selected.

  12. The last tab is the Static Name ID tab. Static Name ID Attributes are like Static Attributes, except they define the value of the Name ID Attribute in the SAML Assertion.

    static_name_id_attributes.png
  13. Click Add Static Name ID Attribute+.

    create_static_id_attribute.png
    1. Values: Enter a Name ID Attribute

      1. Click +Add Another Value to enter multiple acceptable values

    2. Resolvable: Allows the static value to contain tokens which can be resolved to real value(s) at the time the SAML Assertion is being generated.

      1. For example, If two Static attributes exist, first being "givenname" that contains a user's first name and the second "sn" which contains a user's surname, then a third attribute can be generated representing the first two attributes. The Relying Party could request that the Identity Provider release an attribute called "name" containing the surname followed by a comma and space, then by the first name. This could be accomplished with a "Resolvable" static attribute where the value is defined as "%sn%, %givenName%."

    3. Name Format Friendly Name: Select the format value type to be used for the Static Name ID Value. SAML, Static Name ID Formats are typically URIs which convey information to the Relying Party of what format the attribute takes. Depending upon the requirements of the Relying Party, a certain value may or may not be required.

      nameidname_format_friendly_name.png
      1. Unspecified: Allows a free from entry (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)

      2. Email Address: Uses the email format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)

      3. X.509 Subject Name: Uses the subject name of the X509 Certificate (urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName)

      4. Windows Domain Qualified Name: Uses the FQDN of the hostname and domain name (urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName)

      5. Kerberos Principal Name: Uses the Principal Name to identify the user or service (urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos)

      6. Entity Identifier: Uses a URI is a URL that contains the domain name of the entity (urn:oasis:names:tc:SAML:2.0:nameid-format:entity)

      7. Persistent Identifier: Reliably points to a digital entity as an identifier to build trusted connections (Directsurn:oasis:names:tc:SAML:2.0:nameid-format:persistent)

      8. Custom Name Format: If the provided common values in the drop-down do not provide the correct format choose "Custom Name Format". If the Relying Party does not require a specific value, select "Unspecified."The format will adjust the Name Format Value.

    4. Name Format Value: This value will adjust and populate based on the Name Format Friendly Name selected.