SAML Attributes
The Payload of Trust
SAML Attributes are the core data units carried within an Authentication Statement. While the SAML Assertion proves that a user has authenticated, the Attributes explain who that user is and what properties they possess. These attributes, ranging from basic identifiers like email and employee number to complex organizational roles, are transported in the <AttributeStatement> block. Because SAML is an enterprise-centric protocol, these attributes are often mapped directly from authoritative sources like LDAP or Active Directory, providing the Service Provider (SP) with the necessary context to enforce fine-grained access control and personalize the user experience.
The Attribute Strategic Matrix
Properly formatting SAML attributes is critical for interoperability between different IdPs and SPs.
Strategic Format Comparison
| Format (NameFormat) | Strategic Purpose | Ecosystem | Typical Use / Example |
|---|---|---|---|
| URI | Machine-readable, globally unique identifiers. | Modern / Cloud | urn:oid:0.9.2342... |
| Basic | Human-readable, simple strings. | Legacy / Custom | email, memberOf |
| Unspecified | Flexible placeholder. | Ad-hoc / Internal | Quick prototyping |
| Microsoft Claims | Specific to Windows environments. | Azure AD / AD FS | http://schemas.xmlsoap... |
The Attribute Packaging Journey
Attributes are pulled from a directory, transformed for the SP, and signed into the final assertion.

```mermaid
graph LR
    Source[Active Directory] --> Map[Attribute Mapper]
    Map --> Filter[Privacy Filter]
    Filter --> XML["Create &lt;Attribute&gt;"]
    XML --> Sign[Apply IdP Signature]
    Sign --> Deliver[ACS Delivery]
```
Extraction & Mapping
The Identity Provider retrieves user data from an authoritative source (e.g., LDAP). It then applies a "Mapping" rule to translate internal fields like `sAMAccountName` into the standard attribute names expected by the SP (e.g., `uid`).
Privacy Filtering
Not every attribute should be shared with every application. The IdP applies a "Release Policy" to ensure that sensitive data (like home addresses) is filtered out, delivering only the "Minimum Necessary" attributes for the specific SP.
XML Encapsulation
The attributes are wrapped in `
Technical Attribute Implementation
SAML attributes are defined by their Name, an optional FriendlyName, and their NameFormat.
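The packaging journey above (extraction and mapping, release filtering, XML encapsulation) and the Name / FriendlyName / NameFormat definition, worked through end to end as an added Python example; this is not code from the original page or from any SAML library. The directory record, the mapping rules, the release policy and the SP entityIDs are constructed for the example; the assertion namespace, the NameFormat URIs and the mail OID are the standard values. It uses the standard library's xml.etree only to stay self-contained: an SP should run this kind of extraction only on an assertion whose signature has already been verified, and in production should parse with a hardened parser such as defusedxml or a dedicated SAML library.

```python
"""Added example (not from the original page): IdP-side attribute packaging
and SP-side extraction for a SAML 2.0 <saml:AttributeStatement>.

Hypothetical inputs: DIRECTORY_RECORD, MAPPINGS, RELEASE_POLICY and the SP
entityIDs are all constructed for this example.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"

ET.register_namespace("saml", SAML_NS)

# Constructed directory record, as an LDAP/AD lookup might return it.
DIRECTORY_RECORD = {
    "sAMAccountName": "jdoe",
    "mail": "user@example.com",
    "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com",
                 "CN=WestCoast,OU=Groups,DC=example,DC=com"],
    "streetAddress": "1 Example Way",  # sensitive: must never be released
}

# Mapping rules (constructed): internal field -> (Name, NameFormat, FriendlyName).
MAPPINGS = {
    "sAMAccountName": ("uid", FMT_BASIC, None),
    "mail": (MAIL_OID, FMT_URI, "mail"),
    "memberOf": ("memberOf", FMT_BASIC, None),
    "streetAddress": ("streetAddress", FMT_BASIC, None),
}

# Release policy keyed by SP entityID (hypothetical). Default deny: an SP
# with no entry receives no attributes at all.
RELEASE_POLICY = {
    "https://crm.example.net/sp": {"uid", MAIL_OID, "memberOf"},
}


def map_attributes(record):
    """Step 1: translate directory fields into SAML attributes keyed by Name."""
    mapped = {}
    for field, (name, fmt, friendly) in MAPPINGS.items():
        if field not in record:
            continue
        raw = record[field]
        values = list(raw) if isinstance(raw, (list, tuple)) else [raw]
        mapped[name] = {"format": fmt, "friendly": friendly, "values": values}
    return mapped


def apply_release_policy(mapped, sp_entity_id):
    """Step 2: keep only what the policy allows for this SP (minimum necessary)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: attr for name, attr in mapped.items() if name in allowed}


def build_attribute_statement(released):
    """Step 3: encapsulate the released attributes as <saml:AttributeStatement>."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, attr in released.items():
        el = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                           Name=name, NameFormat=attr["format"])
        if attr["friendly"]:
            el.set("FriendlyName", attr["friendly"])
        for value in attr["values"]:
            ET.SubElement(el, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def parse_attribute_statement(xml_text):
    """SP side: read attributes back keyed by Name (FriendlyName is advisory).
    Only call this on an assertion whose signature has already been verified."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}AttributeStatement":
        raise ValueError("not a SAML 2.0 AttributeStatement")
    attrs = {}
    for el in root.findall(f"{{{SAML_NS}}}Attribute"):
        name = el.get("Name")
        if not name:
            raise ValueError("Attribute element without a Name")
        attrs[name] = {
            "format": el.get("NameFormat", FMT_UNSPEC),  # spec default when absent
            "friendly": el.get("FriendlyName"),
            "values": [v.text or "" for v in el.findall(f"{{{SAML_NS}}}AttributeValue")],
        }
    return attrs


def package_for_sp(record, sp_entity_id):
    """Run the whole journey: map -> filter -> encapsulate (signing is out of scope)."""
    return build_attribute_statement(
        apply_release_policy(map_attributes(record), sp_entity_id))


if __name__ == "__main__":
    xml_out = package_for_sp(DIRECTORY_RECORD, "https://crm.example.net/sp")
    print(xml_out)
    print(parse_attribute_statement(xml_out))
```

Keying the SP-side lookup on Name rather than FriendlyName matters because FriendlyName is non-normative: two IdPs can label the same OID differently, and an SP that authorizes on the friendly label will silently mis-map. The release policy defaults to deny, so an SP that is missing from the policy receives an empty statement rather than the full directory record, and `streetAddress` never leaves the IdP even though a mapping rule exists for it.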
XML Attribute Payload (Example)
```xml
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
                  FriendlyName="mail"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="memberOf"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>CN=Sales,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=WestCoast,OU=Groups,DC=example,DC=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```

SAML Implementation Guides
Master the technical details of managing identity data across the enterprise federation.
- SAML Overview: strategic foundational principles for enterprise identity federation and SSO.
- Assertion Anatomy: how Attribute Statements fit into the larger security assertion context.
- Claims Mapping: patterns for harmonizing attributes from multiple IdPs into a single application schema.
- Provisioning Mapping: using SAML attributes to drive Just-in-Time (JIT) user creation in SaaS apps.
Next Steps
- Explore Standard Attribute Sets for common interoperability profiles (e.g., EduPerson).
- Review Attribute Encryption for protecting sensitive data from browser exposure.
- Check SAML Attribute Troubleshooting for debugging common naming and format errors.