Overview

Attribute release by the Cirrus Gateway is designed to be as privacy-preserving as possible: the Gateway releases to the Service Provider (SP) only the attributes which the SP actually requests. To accomplish this, the Gateway looks for a list of attributes in the AttributeConsumingService section of the SP's metadata. If the Gateway finds attributes in this list that the Gateway itself releases (like givenName and sn), it will release them to the SP, provided that the social provider also releases them. If there are no attributes listed in the SP's metadata, i.e., the AttributeConsumingService section does not exist, then the Gateway will release all attributes which are given to the Gateway by the social provider and which we have documented in Attribute Mappings.

Configuring Attributes to Release

As mentioned above, the Gateway looks for the AttributeConsumingService section in the SP's metadata to determine which attributes to release. The code below shows what this looks like if you want to have givenName, sn, mail, and eduPersonPrincipalName released to your SP by the Gateway:

<SPSSODescriptor>
    ....
    <AttributeConsumingService index="1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <RequestedAttribute FriendlyName="givenName" 
          Name="urn:oid:2.5.4.42" 
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        <RequestedAttribute FriendlyName="sn" 
          Name="urn:oid:2.5.4.4"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        <RequestedAttribute FriendlyName="mail" 
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        <RequestedAttribute FriendlyName="eduPersonPrincipalName" 
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" 
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeConsumingService>
</SPSSODescriptor>
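
The release rule from the Overview can be modeled in a few lines to check what a given SP metadata document would receive. This is an added example, not Cirrus Gateway code: the sample metadata, the entityID, and the function names are constructed for illustration, and it assumes attributes are matched by their Name URI.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample SP metadata (hypothetical entity) requesting givenName and mail.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.org/sp">
  <SPSSODescriptor protocolSupportEnumeration="{PROTO}">
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">Example SP</ServiceName>
      <RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="{URI}"/>
      <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{URI}"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed: the same SP with no AttributeConsumingService section at all.
SP_METADATA_NO_ACS = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.org/sp">
  <SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
</EntityDescriptor>"""


def requested_attributes(metadata_xml):
    """Return the set of requested attribute Names, or None when the
    metadata has no AttributeConsumingService section."""
    # ElementTree is fine for this embedded sample; it is not hardened
    # against maliciously constructed XML.
    root = ET.fromstring(metadata_xml)
    services = root.findall(f".//{{{MD}}}AttributeConsumingService")
    if not services:
        return None
    return {ra.get("Name")
            for acs in services
            for ra in acs.findall(f"{{{MD}}}RequestedAttribute")}


def attributes_to_release(metadata_xml, from_provider):
    """Model of the release rule. from_provider maps attribute Name to the
    value the social provider supplied (assumption: matching is by Name URI)."""
    requested = requested_attributes(metadata_xml)
    if requested is None:
        # No section in the SP metadata: everything from the provider is released.
        return dict(from_provider)
    # Section present: only attributes both requested and supplied are released.
    return {name: value for name, value in from_provider.items() if name in requested}
```

Running the model against your own SP metadata before registering it shows whether a missing AttributeConsumingService section would cause every mapped attribute to be released.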

 

Set Attributes in the InCommon Federation Manager

If you are a member of the InCommon Federation, then you can (and, in fact, must) set the attributes to release using the InCommon Federation Manager (FM). (If you do not have access to the InCommon FM, and you are not sure whom to contact, you can look up the contact information for your organization on the InCommon Service Categories page.)

The image below shows the "Requested Attributes" (see red arrow) section of the Service Provider configuration page in the InCommon Federation Manager application. In the image, we have already selected the four attributes we want, and are displaying the popup list which shows other available attributes to select (but note, the Cirrus Gateway does not necessarily support them).