SAML Attribute Value Provider Procedures

SAML Attribute value provider script procedures are used to provide attribute values during SAML assertion issuance.

A SAML attribute value provider script must contain a result function. This function has a single context parameter of type SamlAttributesProviderProcedureContext. In addition to the context parameter, the function also has access to the common procedure API.

The result function must return a JavaScript object whose properties are the attributes used to compute the final attribute value, as defined in Attribute Value Providers.

Example

The following script is an example of a SAML attribute value provider procedure that uses user account attributes to compute the output attributes.

/**
 * @param {se.curity.identityserver.procedures.samlattributes.SamlAttributesProviderProcedureContext} context
 */
function result(context) {

  // Read the region from the user account stored in the attribute data source
  var dataSource = context.getAttributeDataSource();
  var dataSourceAttributes = dataSource.getAttributes(context.subjectAttributes.subject);
  var account = dataSourceAttributes.getRow(0);
  // No row for this subject, or no stored attributes: issue no extra attributes
  if (!account || !account.attributes) {
    return {};
  }
  var accountAttributes = JSON.parse(account.attributes);
  if (!accountAttributes) {
    return {};
  }

  return {
    region: accountAttributes.region || ''
  };
}

Reading the original SAML SSO Request query parameters

When a SAML Service Provider includes ad-hoc query parameters next to the SAMLRequest on the IdP-initiated SSO endpoint (for example https://idsvr/samlidpep/sso?SAMLRequest=…&referenceId=abc-123&region=eu-west), the script can read those parameters from the context. Two equivalent APIs are available:

  • context.getRequest().getQueryParameter('name') — returns the value of a single query parameter from the request.
  • context.getOriginalQueryParameters() — returns a ScriptQueryParameterCollection containing all parameters from the original SAML authentication request.

Both return the parameters of the original /sso request, even though the user is returned through an autopost form after authentication.

/**
 * @param {se.curity.identityserver.procedures.samlattributes.SamlAttributesProviderProcedureContext} context
 */
function result(context) {
  return {
    referenceId: context.getRequest().getQueryParameter('referenceId'),
    region: context.getOriginalQueryParameters().get('region'),
  };
}
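The script below is an added example, not code from the Curity documentation: it combines the account lookup from the first example with the query parameter lookups above, and treats the ad-hoc /sso query parameters as untrusted input (they are chosen by whoever built the URL and are not covered by the SAMLRequest signature), so it allowlists the region and pattern-checks the reference id before issuing them. The ALLOWED_REGIONS list, the REFERENCE_ID_PATTERN and the mockContext helper are assumptions constructed for this example; mockContext only mirrors the context calls shown on this page and is not the real SamlAttributesProviderProcedureContext.

```javascript
// Added example (not Curity's code); mockContext below is a constructed stand-in for the real context

// Assumed policy: only these query-supplied regions may reach the assertion
var ALLOWED_REGIONS = ['eu-west', 'eu-central', 'us-east'];
var REFERENCE_ID_PATTERN = /^[A-Za-z0-9-]{1,64}$/;

/**
 * @param {se.curity.identityserver.procedures.samlattributes.SamlAttributesProviderProcedureContext} context
 */
function result(context) {
  // The region stored on the user account is the trusted default
  var rows = context.getAttributeDataSource().getAttributes(context.subjectAttributes.subject);
  var account = rows.getRow(0);
  var accountAttributes = (account && account.attributes) ? JSON.parse(account.attributes) : {};
  var region = accountAttributes.region || '';

  // Ad-hoc query parameters are chosen by whoever built the /sso URL and are not
  // covered by the SAMLRequest signature, so validate them before issuing them
  var requestedRegion = context.getOriginalQueryParameters().get('region');
  if (requestedRegion && ALLOWED_REGIONS.indexOf(requestedRegion) !== -1) {
    region = requestedRegion;
  }

  var output = { region: region };
  var referenceId = context.getRequest().getQueryParameter('referenceId');
  if (referenceId && REFERENCE_ID_PATTERN.test(referenceId)) {
    output.referenceId = referenceId;
  }
  return output;
}

// Constructed stand-in for the server-provided context, for running the script offline
function mockContext(subject, accountJson, query) {
  function lookup(name) {
    return Object.prototype.hasOwnProperty.call(query, name) ? query[name] : null;
  }
  return {
    subjectAttributes: { subject: subject },
    getAttributeDataSource: function () {
      return {
        getAttributes: function () {
          return { getRow: function (i) { return (i === 0 && accountJson) ? { attributes: accountJson } : null; } };
        }
      };
    },
    getRequest: function () { return { getQueryParameter: lookup }; },
    getOriginalQueryParameters: function () { return { get: lookup }; }
  };
}
```

With an allowed region and a well-formed reference id both are issued; a region outside the allowlist falls back to the account value and a malformed reference id is dropped.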

Configuration

To configure a SAML attribute value provider script procedure:

  • First, create the script procedure as documented in Scripting.
  • Then, follow the instructions at Script Attribute Provider to start using the script above in a SAML attribute value provider.
