Subject: proposed text for Section 4.5 "Use of Attributes"
(1) Remove Section 4.4.5

(2) Add a new section 4.5, "Use of Attributes"

As explained in Section 2.2, the SAML assertion transferred from an identity provider to a service provider may include attributes describing the user. The ability to transfer attributes within an assertion is a powerful SAML feature and it may also be combined with the forms of identity federation described above. We describe some typical use patterns:

1. Transfer of profile information

Attributes may be used to convey user profile information from the identity provider to the service provider. This information may be used to provide personalized services at the service provider, or, to augment or even create a new account for the user at the service provider. The user should be informed about the transfer of information, and, if required, user consent explicitly obtained.

2. Authorization based on attributes

In this model, the attributes provided in the SAML assertion by the identity provider are used to authorize specific services at the service provider. The service provider and identity provider need prior agreement (out of band) on the attribute names and values included in the SAML assertion. An interesting use of this pattern which preserves user anonymity but allows for differential classes of service is found in Shibboleth [CITE]: federation using transient pseudonyms combined with authorization based on attributes.
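As an added illustration of the second pattern (example code, not part of the proposal or of any SAML implementation): a service provider reads the AttributeStatement from a constructed assertion carrying a transient NameID and maps the out-of-band agreed attribute values to service classes. The attribute names, the policy table and the service classes are assumptions for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion (not from the post): transient NameID plus an
# AttributeStatement, the Shibboleth pattern described above.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{TRANSIENT}">_9f3a</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:displayName">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip()

# Assumed out-of-band agreement between IdP and SP: attribute name/value -> service class.
# Attribute names absent from this table are ignored rather than trusted implicitly.
POLICY = {"urn:mace:dir:attribute-def:eduPersonAffiliation": {"staff": "premium", "member": "basic"}}
RANK = {"premium": 2, "basic": 1}

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.
    Call only after the assertion's signature and conditions have been verified."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def subject_is_transient(assertion_xml):
    """True when the NameID is a transient pseudonym: the SP learns no persistent identity."""
    name_id = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return name_id is not None and name_id.get("Format") == TRANSIENT

def authorize(attrs, policy=POLICY):
    """Highest service class granted by an agreed attribute value, or None if nothing matches."""
    granted = [policy[n][v] for n, vals in attrs.items() if n in policy for v in vals if v in policy[n]]
    return max(granted, key=RANK.get, default=None)
```

The displayName attribute is carried in the assertion but does not influence the authorization decision, since it is not in the agreed policy table.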