The SAML IDP Service allows you to configure attributes and attribute groups that can be included in the SAML assertions sent to Service Providers. This configuration is essential for providing the necessary user information to the Service Providers during the authentication process.
Attributes are named values, where the name is the attribute name and the value is provided by an Attribute Value Provider.
An Attribute Group makes attributes easier to manage. It is a collection of attribute names that can be selected as a whole. Beyond grouping attribute names, an Attribute Group has no other function.
To establish the value for an attribute, an Attribute Value Provider is used. The provider is asked to resolve the so-called input attributes for the attribute. The resolved input attribute or input attributes make up the value of the configured attribute.
Note
The current version of the Curity Identity Server does not yet support transformation procedures where the input attributes that are resolved by an Attribute Value Provider can be transformed into the value for the attribute that is included in the SAML assertion. This feature is expected to be added in a future release of the Curity Identity Server.
As the current version of the Curity Identity Server does not yet support transformation procedures, it is suggested that only one input attribute is configured to establish the value that is used for the attribute in the assertion. In case multiple values are resolved for the input attributes, the assertion will contain a multi-valued attribute, which is perfectly valid but might not be the intended result. Finer control over this will be provided with the transformation procedures in a future release of the Curity Identity Server.
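A check that can be run on the AttributeStatement from a test login to see which attributes came out multi-valued. This is an added example, not Curity code: the attribute names, sample values and helper names are constructed, and it assumes the assertion's signature has already been validated.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_ASSERTION_NS}

# Constructed sample: "email" was configured with two input attributes that
# both resolved, so it carries two AttributeValue elements.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName">
    <saml:AttributeValue>Alice Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>admins</saml:AttributeValue>
    <saml:AttributeValue>developers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def attribute_values(statement_xml):
    """Map each attribute name to the list of values found in the statement."""
    root = ET.fromstring(statement_xml)
    values = {}
    for attr in root.iter("{%s}Attribute" % SAML_ASSERTION_NS):
        found = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # The same Name may appear in more than one Attribute element; merge them.
        values.setdefault(attr.get("Name"), []).extend(found)
    return values


def unexpected_multi_valued(statement_xml, multi_valued_ok=frozenset()):
    """Names of attributes with more than one value that are not expected to have several."""
    values = attribute_values(statement_xml)
    return sorted(
        name for name, vals in values.items()
        if len(vals) > 1 and name not in multi_valued_ok
    )


if __name__ == "__main__":
    # "groups" is intentionally multi-valued in this constructed setup.
    for name in unexpected_multi_valued(SAMPLE_STATEMENT, {"groups"}):
        print(f"attribute {name!r} is multi-valued; check its input attributes")
```

An attribute reported here is one whose configuration resolves more than one value, which is the case the paragraph above suggests avoiding unless a multi-valued attribute is intended.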
An Attribute Value Provider is a component that provides the value for an attribute. When resolving the value of an attribute, one or more input attributes (which are attribute _names_) are passed to the Attribute Value Provider, which then returns the value or values for the input attributes with those names.
Future versions of the Curity Identity Server will support transformation procedures that process the values of the resolved input attributes before the value for the attribute is returned. This will allow for more complex transformations and manipulations of the attribute values.
The current version of the Curity Identity Server ships with a limited number of Attribute Value Providers. More Attribute Value Providers will be added in future releases to support additional use cases and requirements.