Requesting and Changing Attributes

On this page you will find information on how to request attributes and customize them with your Shibboleth service provider module for the applications to be protected.

  1. Joining an entity category with the service provider
  2. Requesting attributes via the service provider metadata
  3. Requesting pairwise-id
  4. Changing attributes

Joining an entity category with the service provider

For a local service provider to be able to consume the standard released attributes from, it must belong to the entity category

For this purpose, the following must be entered in the metadata of the service provider in the <Extensions> area:

<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<!-- ... -->
     <saml:Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

Requesting attributes via the service provider metadata

If the service provider now wants to use one of the attributes recommended by for general release, its configuration in the <SPSSODescriptor></SPSSODescriptor> must include the following:

<md:AttributeConsumingService index="1" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:ServiceName xml:lang="en">SP Name</md:ServiceName>
  <md:ServiceName xml:lang="de">SP Name</md:ServiceName>
  <md:ServiceDescription xml:lang="en">SP Description</md:ServiceDescription>
  <md:ServiceDescription xml:lang="de">SP Beschreibung</md:ServiceDescription>
  <md:RequestedAttribute FriendlyName="eduPersonEntitlement" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="sn" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="idmNrwDocumentSurname" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="idmNrwDocumentGivenName" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <md:RequestedAttribute FriendlyName="schacHomeOrganizationType" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
</md:AttributeConsumingService>


Requesting pairwise-id

If the service provider requires the pairwise-id, the metadata extensions must be adapted:



    <saml:Attribute Name="urn:oasis:names:tc:SAML:profiles:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">





Changing attributes

If you want to change an attribute on the service provider side to meet your own needs, you can use "TransformAttributeResolver" for this purpose.

The "Transform" uses the Shared Library For this reason, an additional entry should be made in /etc/shibboleth/shibboleth2.xml:

<OutOfProcess logger="shibd.logger">


    <Library path=""/>



Example: Dividing displayName into the first and last name

For this purpose, a corresponding resolver must be configured in /etc/shibboleth/shibboleth2.xml:

<AttributeResolver type="Transform" source="displayName">
    <Regex match="^(.+) (.+)$" dest="givenName">$1</Regex>
    <Regex match="^(.+) (.+)$" dest="sn">$2</Regex>
    <Regex match="^(.+) (.+)$">$2, $1</Regex>
</AttributeResolver>


Here, the attribute "displayName" is divided into two additional attributes, namely "givenName" and "sn", and the display name itself is rewritten in the format "last name, first name". For this purpose, a regex with two capture groups is defined and the matches are extracted accordingly.

Example: extracting eduPersonTargetedID

Another example is the attribute "eduPersonTargetedID":

<AttributeResolver type="Transform" source="persistent-id">
    <Regex match="^\!https://mein.sp/shibboleth\!(.+)$" dest="uniqueID">$1</Regex>
</AttributeResolver>

<AttributeResolver type="Transform" source="persistent-id">
    <Regex match="^(.+)!(.+)!(.+)$" dest="uniqueID">$3</Regex>
</AttributeResolver>


In both examples, the 64-character string is extracted from eduPersonTargetedID and written to the field "uniqueID".

In the latter example:

  • $1 is the IdP that provides eduPersonTargetedID
  • $2 is the SP that consumes eduPersonTargetedID
  • $3 is the 64-character ID, defined per SP

Example: removing a part of a string (here orgID out of eduPersonEntitlements such as a role string)

If you want to remove a part of the string because the application cannot handle it, you can transform the attribute as follows:

<AttributeResolver type="Transform" source="eduPersonEntitlement">
    <Regex match="^(.+):(orgid=.+)$" dest="entitlement">$1</Regex>
</AttributeResolver>


In this case, $1 contains the old entitlement, which is saved in "entitlement". $2 contains the orgID.
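
The following harness is an added example, not part of the original page or of Shibboleth; it runs the Regex rules from the three examples above over sample values so that edge cases show up before the resolver is deployed. Python's re module stands in for the SP's regex engine, a non-matching value is modelled as producing no output, and all sample values and IdP names are constructed.

```python
import re

# The Regex rules from the examples above: (source, match, dest, template).
RULES = [
    ("displayName", r"^(.+) (.+)$", "givenName", "$1"),
    ("displayName", r"^(.+) (.+)$", "sn", "$2"),
    ("persistent-id", r"^(.+)!(.+)!(.+)$", "uniqueID", "$3"),
    ("eduPersonEntitlement", r"^(.+):(orgid=.+)$", "entitlement", "$1"),
]

def apply_rules(attrs):
    """Map {source: [values]} to {dest: [values]} using RULES.

    Model assumption: a value that does not match produces no output value.
    """
    out = {}
    for source, match, dest, template in RULES:
        repl = re.sub(r"\$(\d)", r"\\g<\1>", template)  # "$1" -> "\g<1>"
        for value in attrs.get(source, []):
            m = re.fullmatch(match, value)
            if m:
                out.setdefault(dest, []).append(m.expand(repl))
    return out

# Constructed sample sessions (not real data).
SP = "https://mein.sp/shibboleth"
SAMPLES = {
    "multi-part name": {"displayName": ["Anna Maria von Beispiel"]},
    "single-word name": {"displayName": ["Beispiel"]},
    "IdP A": {"persistent-id": [f"https://idp-a.example/idp!{SP}!AAAA1111"]},
    "IdP B": {"persistent-id": [f"https://idp-b.example/idp!{SP}!AAAA1111"]},
    "entitlements": {"eduPersonEntitlement": [
        "urn:example:role:admin:orgid=42",   # matches, suffix stripped
        "urn:example:role:guest",            # no orgid part: no match
    ]},
}

if __name__ == "__main__":
    for label, attrs in SAMPLES.items():
        print(f"{label:17} {apply_rules(attrs)}")
```

The greedy first group puts every word except the last into givenName, and a single-word displayName yields neither attribute. Because $3 discards the IdP part, two IdPs can yield the same uniqueID, so an application should key accounts on uniqueID together with the IdP's entityID.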

last changed on 12/19/2023

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License