Attribute Sets were introduced in IDHub 9.2 to support SAML's AttributeConsumingServices.
They group one or more User Attributes, which can be requested from an IDP. This allows the Service Provider to request only specific attributes instead of getting the full list of attributes, which may raise some privacy concerns.
An attribute can be added to multiple Attribute Sets.
Click the "Add Attribute Set" button in the top-right to create a new Attribute Set.
Note: if you change an Attribute Set which is already in use, the metadata that is provided to the IDP(s) should be updated and re-submitted.
Creating an Attribute Set
Name: provide a name which describes the Attribute Set.
Add all the attributes that belong in this Attribute Set.
Once an attribute is added, it can also be removed from the Attribute Set.
Using Attribute Sets
Currently you can configure the usage of Attribute Sets on the following locations:
- Service Provider: Type Proxy
Determines the Attributes that are requested by the Service Provider. Because it's a Proxy SP, there is no protocol that defines how to request the attributes, so instead of requesting
This only is applied if the Identity Provider uses SAML, and supports AttributeConsumingServices
- Identity Provider: Type SAML2
Configure the different AttributeConsumingService indexes. Each index defines which attributes will be requested from the IDP.