metadata-driven attribute definition

Peter Schober peter.schober at
Sun Jul 14 08:28:22 EDT 2019

* Joshua Dachman <jdachman at> [2019-07-14 06:46]:
> I would like to have a block in the sp metadata that does the same
> thing (defines a mapping between the LDAP attribute name and the
> name of the attribute that will be sent in the SAML assertion /
> response).

I don't follow. The attribute names in metadata should be abstract in
the sense that they're not software-, system-, or deployment specific.
They're unique and standardised to enable interoperability.

Therefore any "mapping" only happens when and where those standard
attribute names need to be connected to locally available/meaningful
data sources and data structures.

I.e., the on-the-wire and in-metadata attribute names are abstractions
from concrete data structures so that your (or mine) internal mess
stays internal.

Also, what's possible to express in SAML 2.0 Metadata is detailed in
its specification. Which is the short answer, I guess. (Feel free to
invent your own extension, though.)


More information about the users mailing list