Attribute Sets were introduced in IDHub 9.2 to support SAML's AttributeConsumingServices.
They group one or more User Attributes, which can be requested from an IDP. This allows the Service Provider to request only specific attributes instead of receiving the full list of attributes, which may raise privacy concerns.
An attribute can be added to multiple Attribute Sets.
Click the "Add Attribute Set" button in the top-right to create a new Attribute Set.
Note: if you change an Attribute Set which is already in use, the metadata that is provided to the IDP(s) should be updated and re-submitted.
Creating an Attribute Set
Name: provide a name which describes the Attribute Set.
User Interaction: Checking this will display this Attribute Set on the "Grant Consent" template. This means user interaction is required to obtain consent. If this is not checked, consent will be granted implicitly (e.g. for non-privacy-sensitive attributes).
Add all the attributes that belong in this Attribute Set.
Once an attribute is added, it can also be removed from the Attribute Set.
Using Attribute Sets
Currently you can configure the usage of Attribute Sets in the following locations:
- Service Provider: Type Proxy
- Attribute Set:
Determines the Attributes that are requested by the Service Provider. Because it's a Proxy SP, there is no protocol that defines how to request the attributes, so instead of requesting
This is only applied if the Identity Provider uses SAML and supports AttributeConsumingServices.
- Allowed Attribute Set:
When this is configured (in combination with Enforce Consent), this will verify that the user gives permission (Consent) for the Service Provider to receive their data.
- Attribute Set:
- Identity Provider: Type SAML2
Configure the different AttributeConsumingService indexes. Each index defines which attributes will be requested from the IDP.
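
Added example, not part of the IDHub documentation or product code: a Python check that reads the AttributeConsumingService indexes from SP metadata and reports which attributes an IDP released beyond what the chosen index requested, and which required ones are missing. The metadata, entityID, attribute names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP metadata: each index stands in for one Attribute Set.
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Basic</md:ServiceName>
      <md:RequestedAttribute Name="uid" isRequired="true"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Profile</md:ServiceName>
      <md:RequestedAttribute Name="uid" isRequired="true"/>
      <md:RequestedAttribute Name="mail"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed AttributeStatement, as taken from an already signature-verified assertion.
STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1990-01-01</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
"""


def requested_by_index(metadata_xml):
    """Map each AttributeConsumingService index to {attribute name: isRequired}."""
    root = ET.fromstring(metadata_xml)
    return {
        int(acs.get("index")): {
            ra.get("Name"): ra.get("isRequired", "false") in ("true", "1")
            for ra in acs.findall("md:RequestedAttribute", NS)}
        for acs in root.iterfind(".//md:AttributeConsumingService", NS)}


def audit_release(metadata_xml, index, statement_xml):
    """Return (over_released, missing_required) attribute names for one index."""
    requested = requested_by_index(metadata_xml)[index]
    released = {a.get("Name")
                for a in ET.fromstring(statement_xml).iterfind("saml:Attribute", NS)}
    over = released - set(requested)
    missing = {name for name, req in requested.items() if req} - released
    return sorted(over), sorted(missing)
```

Running `requested_by_index` on the metadata before and after an Attribute Set change also shows whether the indexes differ, which is the case where the metadata has to be re-submitted to the IDP.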