Attribute releases

By default the IdP only releases the attributes that each SP's metadata marks as required (isRequired=True or Entity Categories), if they are available. Otherwise the IdP releases a default attribute set, defined in the settings parameters. A release can also be forced per SP by enabling force_attribute_release in that SP's configuration.

Every SP can use a specific Attribute Processor; you can even write a brand new one in an application that is simply added to django_idp.settingslocal.INSTALLED_APPS. You can see how these processors work by looking at uniauth_saml2_idp.base.processors and uniauth_saml2_idp.ldap.processors.

The Attribute Processor can fetch data from third-party sources and manipulate attributes as well.

There is also a special class named NameIdBuilder; the NameID policy relies on it, and it should be very easy to inherit from and customize as needed.

Every processor has a special method called extra_attr_processing, where additional conditions and value processing belong. See idp.processors.LdapUnicalAcademiaProcessor for an example of inheritance that uses this method.

Entity Categories

Entity Categories are handled as they come from pySAML2. In django_idp.idp_pysaml2 we can define entity_category_support or entity_category as follows:

# pySAML2 ships the Entity Category URIs and the xmlsec lookup helper
from saml2.entity_category import edugain, refeds
from saml2.sigver import get_xmlsec_binary

SAML_IDP_CONFIG = {
    'debug': True,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin/xmlsec1']),
    'entityid': '%s/metadata' % BASE_URL,
    'attribute_map_dir': 'data/attribute-maps',
    'description': 'SAML2 IDP',

    # Entity Categories advertised in the IdP metadata
    'entity_category': [edugain.COCO,  # "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
                        refeds.RESEARCH_AND_SCHOLARSHIP],

    'service': {
        # ... the 'idp' service configuration continues here
    },
}

The previous configuration exposes the Entity Categories in the IdP metadata. If we also need to handle them as a policy, that is, as restrictions on attribute release, we can define them in SAML_IDP_CONFIG['service']['idp']['policy']:

# NAME_FORMAT_URI comes from saml2.saml; policy entries are keyed by the SP entityID
"policy": {
    "default": {
        "lifetime": {"minutes": 15},
        "name_form": NAME_FORMAT_URI,
        # if the SP does not conform to the entity_categories (in our metadata)
        # the attributes will not be released
        # "entity_categories": ["refeds",],
    },

    # attributes will be released only if this SP has the
    # edugain entity_category definition in its metadata.
    "https://sp1.testunical.it/saml2/metadata/": {
        "entity_categories": ["edugain"]
    }

}
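To make the release rules described at the top of this page (required attributes, default set, force_attribute_release) and the Entity Category policy above easy to reason about, here is an added, self-contained model of that decision; it is illustration code, not uniAuth's or pySAML2's own implementation, and the category bundles, default set and user record are constructed for the example.

```python
# Constructed attribute bundles tied to Entity Categories (the real bundles
# live in pySAML2's saml2.entity_category modules).
ENTITY_CATEGORY_ATTRS = {
    "refeds": {"eduPersonPrincipalName", "mail", "displayName"},
    "edugain": {"eduPersonTargetedID"},
}
DEFAULT_ATTRS = {"eduPersonPrincipalName"}  # constructed default attribute set


def release_attributes(user_attrs, sp_required, sp_categories, force=None,
                       policy_categories=None, default_attrs=DEFAULT_ATTRS):
    """Return the attribute dict the IdP releases to one SP.

    user_attrs        -- name -> value, as the Attribute Processor produced them
    sp_required       -- names the SP marks isRequired="true" in its metadata
    sp_categories     -- Entity Categories the SP claims in its metadata
    force             -- names forced by force_attribute_release for this SP
    policy_categories -- categories the SP must belong to (policy entry), or None
    """
    # Policy restriction: an SP that carries none of the required categories
    # gets nothing at all.
    if policy_categories is not None and not set(policy_categories) & set(sp_categories):
        return {}
    wanted = set(sp_required)
    # Category bundles are granted only for categories the SP actually claims.
    for cat in sp_categories:
        wanted |= ENTITY_CATEGORY_ATTRS.get(cat, set())
    # Nothing required and nothing granted by category: fall back to the default set.
    if not wanted:
        wanted = set(default_attrs)
    # force_attribute_release adds attributes regardless of the SP metadata.
    wanted |= set(force or ())
    # Only attributes the processor could actually produce are released.
    return {name: user_attrs[name] for name in wanted if name in user_attrs}


# Constructed user record, as a processor might return it
USER = {
    "eduPersonPrincipalName": "alice@testunical.it",
    "mail": "alice@testunical.it",
    "displayName": "Alice Example",
    "eduPersonTargetedID": "constructed-opaque-id",
    "schacHomeOrganization": "testunical.it",
}

if __name__ == "__main__":
    print(release_attributes(USER, ["mail"], ["refeds"]))
```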

Name ID Format

This uniAuth release only supports these Name ID formats:

  • NAMEID_FORMAT_UNSPECIFIED

  • NAMEID_FORMAT_TRANSIENT

  • NAMEID_FORMAT_PERSISTENT

  • NAMEID_FORMAT_EMAILADDRESS

See uniauth_saml2_idp.base.processors.NameIdBuilder if you need to implement other formats; it's trivial.