turning on ignoreUnmappedEntityAttributes

Cantor, Scott cantor.2 at osu.edu
Wed Aug 11 17:02:10 UTC 2021


"Mapped" means "has a transcoding/decoding rule to turn the SAML Attribute into an IdPAttribute".

Ignoring unmapped attributes means that it doesn't try to walk the XML and match on SAML names. It only evaluates pre-mapped, cached, decoded IdPAttributes that are stashed internally in hash maps along with the metadata objects for optimization.

The code that does the decoding will look for actual decoding rules in the registry service and if it doesn't find any, it will auto-decode anything that's got the URI NameFormat by creating a mapped IdPAttribute with the name matching the original URI name. This is "safe" because it assumes that if the format is a URI then it is unique and safe to decode without unintended collisions.

So in short, anything without the right NameFormat is ignored unless you define a transcoding rule for it.

In shorter short, always use NameFormat="...URI" and the IdP is happy. All the other values were dumb and never should have existed to begin with.

-- Scott
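The decoding rule Scott describes, written out as a small model (added here as an example; it is not part of the original post or of the Shibboleth IdP code base, and the transcoding "registry", attribute names and values below are constructed for illustration):

```python
# Added example: model of how entity attributes become IdPAttributes when only
# pre-mapped/decoded attributes are evaluated. Registry and sample data are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


@dataclass(frozen=True)
class SamlAttribute:
    name: str
    name_format: str
    values: Tuple[str, ...]


@dataclass(frozen=True)
class IdPAttribute:
    id: str
    values: Tuple[str, ...]


# Stand-in for transcoding rules: (SAML name, NameFormat) -> IdPAttribute id.
# The second rule deliberately covers a non-URI name, which is the only way
# such an attribute ever gets decoded.
REGISTRY: Dict[Tuple[str, str], str] = {
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", URI_FORMAT): "eduPersonPrincipalName",
    ("mail", BASIC_FORMAT): "mail",
}


def decode(attr: SamlAttribute, registry=REGISTRY) -> Optional[IdPAttribute]:
    """Return the IdPAttribute this SAML Attribute decodes to, or None if ignored.

    1. An explicit transcoding rule for (name, NameFormat) always wins.
    2. Without a rule, a URI NameFormat is auto-decoded under its own URI as the id.
    3. Any other NameFormat without a rule is ignored.
    """
    rule_id = registry.get((attr.name, attr.name_format))
    if rule_id is not None:
        return IdPAttribute(rule_id, attr.values)
    if attr.name_format == URI_FORMAT:
        return IdPAttribute(attr.name, attr.values)
    return None


def decode_all(attrs: List[SamlAttribute], registry=REGISTRY) -> Dict[str, IdPAttribute]:
    """Build the id -> IdPAttribute map that would be cached alongside the metadata."""
    cached: Dict[str, IdPAttribute] = {}
    for a in attrs:
        decoded = decode(a, registry)
        if decoded is not None:
            cached[decoded.id] = decoded
    return cached
```

The interesting case is an attribute with a non-URI NameFormat and no rule: it simply never appears in the cached map, which is what "ignored" means in practice.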