4.1 Configuring Attribute Sets

Attributes you specify on the Identity Server are used in attribute requests and responses, depending on whether you are configuring a service provider (request) or identity provider (response). Attribute sets provide a common naming scheme used in the exchange. For example, an attribute set can map the Liberty attribute FN (first name) to the equivalent remote name used at the service provider, which might be Name.

Attributes can also be defined and used in policy enforcement. They can be attributes defined by the Web Service Profiles, or customized attributes that can be mapped into SAML attributes. You also map user attributes so that the Identity Server can accept them from SAML.

To create and configure an attribute set:

  1. In the Administration Console, click Devices > Identity Server > Shared Settings > Attribute Sets > New.

    Naming an attribute set
  2. Specify a name for identifying the attribute set, then click Next.

    You can select an existing attribute set that you have created, which you can use as a template for the new set.

  3. To create an attribute for the set, click New.

    Adding an attribute map
  4. Fill in the following fields:

    Specify the attribute. Select from the following:

    • Local Attribute: Select an attribute from the drop-down list of all server profile, LDAP, and shared secret attributes. As an example, you can select All Roles to use in role policies, which enables trusted providers to send role information in authentication assertions. Customizable attributes can be created and displayed in this list. Shared secret attributes must be created before they can be added to an attribute set. For instructions, see Section 4.4.1, Creating Shared Secret Names.

    • Constant: Specify a value that is constant for all users of this attribute set. The name of the attribute that is associated with this value is specified in the Remote Attribute field.

    Remote Attribute: Specify the name of the attribute defined at the external provider. The text for this field is case sensitive.

    • A value is optional if you are mapping a local attribute. If you leave this field blank, the system sends an internal value that is recognized between Identity Servers.

      For a SAML 1.1 identity consumer (service provider), a name identifier received in an assertion is automatically given a remote attribute name of saml:NameIdentifier. This allows the name identifier to be mapped to a profile attribute that can then be used in policy definitions.

    • A value is required if you are mapping a constant.

      An attribute set with a constant is usually set up when the Identity Server is acting as an identity provider for a SAML or Liberty service provider. The name must match the attribute name that the service provider is using.

    Remote namespace: Specify the namespace defined for the attribute by the remote system:

    • Select none in any of these cases: you are defining an attribute set for LDAP; you want a service provider to accept any namespace specified by an identity provider; or you want an identity provider to use the default namespace. When none is selected, the urn:oasis:names:tc:SAML:1.0:assertion value is sent as the default.

    • If you are defining an attribute set for CardSpace, select the following:

      http://schemas.xmlsoap.org/ws/2005/05/identity/claims
      
    • If you are defining an attribute set for WS Federation, select the radio button by the text box, then specify the following name in the text box.

      http://schemas.xmlsoap.org/claims
      
    • If you want to specify a new namespace, select the radio button by the text box, then specify the name in the text box.

  5. Click OK.

    The system displays the map settings on the Define Attributes page, as shown below:

    New attribute set

    You can continue adding as many attributes as you need.

  6. Click Finish after you have created the map.

    The system displays the map on the Attribute Sets page, as well as indicating whether it is in use by a provider. (See Section 5.4.3, Selecting Attributes for a Trusted Provider.)

    New attribute map
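To make the mapping rules of the procedure above concrete, the following Python model is added here as an illustration; it is not Access Manager code, and the names AttributeMap, build_attribute_statement and consume_attribute_statement are assumptions made for this example. It models an attribute set as a list of rows (local attribute or constant, remote name, remote namespace), renders it on the identity-provider side as a SAML 1.1 attribute statement in the urn:oasis:names:tc:SAML:1.0:assertion namespace, and on the service-provider side maps received attributes back to local attributes, treating remote names as case sensitive, letting a namespace of none accept any namespace, and exposing the assertion's name identifier under the remote name saml:NameIdentifier.

```python
"""Illustrative model of an attribute set and the SAML 1.1 attribute exchange
it drives. Added example, not Access Manager code; the class and function
names are assumptions made for this demonstration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default namespace sent when "none" is selected for the remote namespace.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1_NS)

# Remote name automatically given to the name identifier on a SAML 1.1
# identity consumer, so that it can be mapped to a profile attribute.
NAME_IDENTIFIER_REMOTE = "saml:NameIdentifier"


@dataclass(frozen=True)
class AttributeMap:
    """One row of an attribute set: a local attribute or a constant, paired
    with the remote attribute name (case sensitive) and remote namespace."""
    remote_name: str
    local_attribute: Optional[str] = None
    constant: Optional[str] = None
    namespace: Optional[str] = None   # None corresponds to "none" in the console

    def __post_init__(self) -> None:
        if (self.local_attribute is None) == (self.constant is None):
            raise ValueError("map exactly one of local_attribute or constant")
        # A remote name is optional for a local attribute but required for
        # a constant, so only the constant case is rejected here.
        if self.constant is not None and not self.remote_name:
            raise ValueError("a constant mapping needs a remote attribute name")


def build_attribute_statement(attribute_set: List[AttributeMap],
                              profile: Dict[str, object]) -> str:
    """Identity-provider side: render the attribute set for one user as a
    SAML 1.1 AttributeStatement and return it serialized as XML."""
    stmt = ET.Element(f"{{{SAML1_NS}}}AttributeStatement")
    for m in attribute_set:
        if m.constant is not None:
            values = [m.constant]           # same value for every user
        else:
            raw = profile.get(m.local_attribute)
            if raw is None:
                continue                    # attribute absent from this profile
            values = list(raw) if isinstance(raw, (list, tuple)) else [raw]
        attr = ET.SubElement(stmt, f"{{{SAML1_NS}}}Attribute",
                             AttributeName=m.remote_name,
                             AttributeNamespace=m.namespace or SAML1_NS)
        for value in values:
            ET.SubElement(attr, f"{{{SAML1_NS}}}AttributeValue").text = str(value)
    return ET.tostring(stmt, encoding="unicode")


def consume_attribute_statement(xml: str,
                                attribute_set: List[AttributeMap],
                                name_identifier: Optional[str] = None
                                ) -> Dict[str, List[str]]:
    """Service-provider side: map received attributes to local attributes.
    Remote names match case-sensitively; a row whose namespace is "none"
    accepts any namespace, while a specific namespace must match exactly."""
    exact = {(m.remote_name, m.namespace): m.local_attribute
             for m in attribute_set if m.local_attribute and m.namespace}
    any_ns = {m.remote_name: m.local_attribute
              for m in attribute_set if m.local_attribute and not m.namespace}
    stmt = ET.fromstring(xml)
    received = [(a.get("AttributeName"), a.get("AttributeNamespace"),
                 [v.text or "" for v in a.findall(f"{{{SAML1_NS}}}AttributeValue")])
                for a in stmt.findall(f"{{{SAML1_NS}}}Attribute")]
    if name_identifier is not None:
        # The name identifier is exposed like any other remote attribute.
        received.append((NAME_IDENTIFIER_REMOTE, SAML1_NS, [name_identifier]))
    profile: Dict[str, List[str]] = {}
    for name, ns, values in received:
        local = exact.get((name, ns)) or any_ns.get(name)
        if local is None:
            continue                        # unmapped remote attribute is ignored
        profile.setdefault(local, []).extend(values)
    return profile


if __name__ == "__main__":
    # Constructed sample: the identity provider maps FN to Name, All Roles to
    # roles, and sends a constant; the service provider maps Name back to
    # givenName and the name identifier to uid.
    idp_set = [AttributeMap("Name", local_attribute="FN"),
               AttributeMap("roles", local_attribute="All Roles"),
               AttributeMap("partner", constant="acme")]
    xml = build_attribute_statement(idp_set, {"FN": "Alice", "All Roles": ["admin", "staff"]})
    sp_set = [AttributeMap("Name", local_attribute="givenName"),
              AttributeMap(NAME_IDENTIFIER_REMOTE, local_attribute="uid")]
    print(xml)
    print(consume_attribute_statement(xml, sp_set, name_identifier="alice@example.com"))
```

Two points from the procedure are visible in the model: a row with namespace none sends the default assertion namespace when producing and accepts any namespace when consuming, and a service-provider row whose remote name differs only in case from what the identity provider sends yields nothing, so the remote name typed into the console must match the partner's name exactly.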