
Is it part of the SAML2.0 specification to request which attribute name format you want for the SAML response?

So back from Office365 SAML2.0 I get

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <AttributeValue>email@mydomain.com</AttributeValue>
</Attribute>

Clearly the attribute name format seems to be NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

I want the name format to be (basic) NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

So that Office365 responds with the following instead

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <AttributeValue>email@mydomain.com</AttributeValue>
</Attribute>

I know I can make these changes to the response on Office365, but I want to know if requesting such a response is a thing in SAML2.0.

flexxxit

1 Answer

Yes, you can find the documentation under Section 8.2, Attribute Name Format Identifiers, of the SAML v2.0 OASIS Standard.

8.2 Attribute Name Format Identifiers

The following identifiers MAY be used in the NameFormat attribute defined on the AttributeType complex type to refer to the classification of the attribute name for purposes of interpreting the name.

8.2.1 Unspecified
URI: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
The interpretation of the attribute name is left to individual implementations.

8.2.2 URI Reference
URI: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
The attribute name follows the convention for URI references [RFC 2396], for example as used in XACML [XACML] attribute identifiers. The interpretation of the URI content or naming scheme is application-specific. See [SAMLProf] for attribute profiles that make use of this identifier.

8.2.3 Basic
URI: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
The class of strings acceptable as the attribute name MUST be drawn from the set of values belonging to the primitive type xs:Name as defined in [Schema2] Section 3.3.6. See [SAMLProf] for attribute profiles that make use of this identifier.

Akshay G
  • So how do I enforce a particular NameFormat via the SAML Request? – flexxxit May 04 '22 at 20:01
  • You don't enforce it via the SAMLRequest. The time for you to request attributes with a particular name format as the SP is when you send your metadata to the IdP. That metadata describes your service, including the ACS endpoint, the public certificate that your AuthnRequests will be signed with, the certificate that you want your partner to encrypt with, the attributes that you require, your unique entity ID, etc. – Akshay G May 06 '22 at 06:30
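The two places where NameFormat actually appears, as an added example that is not code from the question, the answer, or Office 365: the SP metadata's RequestedAttribute elements (where the comment above says the SP states the format it wants, selected from the AuthnRequest by AttributeConsumingServiceIndex) and the Attribute elements of the Response the IdP really sends. Entity IDs, URLs, the "mail" attribute name and the sample Response are my constructed placeholders, not values from the page. The parser applies the rule from SAML core 2.7.3.1 that an Attribute with no NameFormat is "unspecified", which is what the question's own snippet shows.

```python
"""Added example (not the question's, the answer's or Office 365's code).
Entity IDs, URLs and the sample Response below are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def _q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return f"{{{NS[prefix]}}}{local}"


def build_sp_metadata(entity_id, acs_url, requested):
    """SP metadata whose AttributeConsumingService lists the attributes the SP
    wants, each with an explicit NameFormat. `requested` holds
    (Name, NameFormat, is_required) tuples."""
    root = ET.Element(_q("md", "EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _q("md", "SPSSODescriptor"),
                       {"protocolSupportEnumeration": NS["samlp"]})
    ET.SubElement(sp, _q("md", "AssertionConsumerService"), {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url, "index": "0", "isDefault": "true"})
    acs = ET.SubElement(sp, _q("md", "AttributeConsumingService"), {"index": "0"})
    ET.SubElement(acs, _q("md", "ServiceName"),
                  {"{http://www.w3.org/XML/1998/namespace}lang": "en"}).text = "Example SP"
    for name, fmt, required in requested:
        ET.SubElement(acs, _q("md", "RequestedAttribute"), {
            "Name": name, "NameFormat": fmt,
            "isRequired": "true" if required else "false"})
    return ET.tostring(root, encoding="unicode")


def requested_formats(metadata_xml):
    """Name -> NameFormat read back from RequestedAttribute (what the IdP reads)."""
    root = ET.fromstring(metadata_xml)
    return {ra.get("Name"): ra.get("NameFormat", FMT_UNSPECIFIED)
            for ra in root.iterfind(".//md:RequestedAttribute", NS)}


def build_authn_request(request_id, issuer, issue_instant, acs_index="0"):
    """AuthnRequest selecting the metadata's AttributeConsumingService by index
    (SAML core 3.4.1). The request itself carries no NameFormat at all."""
    root = ET.Element(_q("samlp", "AuthnRequest"), {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AttributeConsumingServiceIndex": acs_index})
    ET.SubElement(root, _q("saml", "Issuer")).text = issuer
    return ET.tostring(root, encoding="unicode")


def parse_attributes(response_xml):
    """(Name, NameFormat) -> [values] for every Attribute in the Response.
    An absent NameFormat means 'unspecified' (SAML core 2.7.3.1); it is
    recorded as such rather than guessed as 'uri' from the look of the name."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("Name"), attr.get("NameFormat", FMT_UNSPECIFIED))
        out[key] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return out


def lookup(attributes, name, name_format):
    """Match on the (Name, NameFormat) pair; a value released under another
    format is a different attribute, not a fallback."""
    return attributes.get((name, name_format))


# Constructed sample: the first Attribute mirrors the question's (no NameFormat),
# the second is what a 'basic'-format release of the same value looks like.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2022-05-04T20:01:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-05-04T20:01:00Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>email@mydomain.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="{FMT_BASIC}">
        <saml:AttributeValue>email@mydomain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    md = build_sp_metadata("https://sp.example.test/metadata",
                           "https://sp.example.test/acs", [("mail", FMT_BASIC, True)])
    print(requested_formats(md))
    attrs = parse_attributes(SAMPLE_RESPONSE)
    print(lookup(attrs, EMAIL_CLAIM, FMT_URI))          # None
    print(lookup(attrs, EMAIL_CLAIM, FMT_UNSPECIFIED))  # ['email@mydomain.com']
```

Two caveats worth keeping in mind on the SP side: RequestedAttribute is advisory, so the IdP is free to release attributes in whatever format it wants, and the SP must therefore check the NameFormat in the Response it actually receives rather than the one it asked for; and matching attributes on Name alone (or on the last path segment of a URI-style name) lets an attribute released under a different format be mistaken for the one the SP's authorization logic expects, which is why `lookup` keys on the pair.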