The following restrictions are placed on a SAML AttributeStatement used in the SAML assertion:
The SAML assertion MAY have one AttributeStatement.
The SAML assertion MAY have no AttributeStatement.
The SAML assertion MUST NOT have more than one AttributeStatement.
The AttributeStatement, if present, MUST have a Subject element.
The Subject element MUST match the Subject element in the AuthenticationStatement.
The Subject element MUST conform to the guidance of section 2.2.4.2.1.3.
The AttributeStatement, if present, MUST contain one or more Attribute elements, as specified in [SAMLCore] section 2.4.4.1. Each Attribute element encapsulates a name/value claim.
The Attribute element MUST have AttributeName and the corresponding AttributeNamespace attributes specified. These attributes are specified in [SAMLCore] section 2.4.4.1. The AttributeName attribute specifies the name of the claim, and one or more AttributeValue elements (specified in [SAMLCore] section 2.4.4.1.1) specify the value (or values) of the claim.<26>
All Attribute elements in the AttributeStatement SHOULD<27> have the namespace URL, http://schemas.xmlsoap.org/claims, for the AttributeNamespace attribute value.
For more information, an example of a SAML attribute can be found in section 4.2.2. Values for the AttributeName attribute that correspond to claims are specified in the abstract data model in section 3.
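The restrictions above can be checked mechanically by a relying party. The following is an added example, not part of the specification: the function names, the constructed sample assertion, and the reading of "match" as equal NameIdentifier Format and value are assumptions, and the guidance of section 2.2.4.2.1.3 is not checked.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"  # SAML 1.1 assertion namespace
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"   # SHOULD value from the text above
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample, trimmed to the elements and attributes the checks read.
SAMPLE = f"""<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
<AuthenticationStatement><Subject><NameIdentifier Format="{EMAIL}">alice@example.com</NameIdentifier></Subject></AuthenticationStatement>
<AttributeStatement><Subject><NameIdentifier Format="{EMAIL}">alice@example.com</NameIdentifier></Subject>
<Attribute AttributeName="Group" AttributeNamespace="{CLAIMS_NS}"><AttributeValue>Admins</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""

def subject_key(stmt):
    """Reduce a statement's Subject to (Format, value); assumed meaning of 'match'."""
    nid = stmt.find(f"{SAML}Subject/{SAML}NameIdentifier")
    return None if nid is None else (nid.get("Format"), (nid.text or "").strip())

def check_attribute_statement(assertion_xml):
    """Return (errors, warnings): MUST violations and SHOULD deviations."""
    errors, warnings = [], []
    root = ET.fromstring(assertion_xml)
    stmts = root.findall(f"{SAML}AttributeStatement")
    if not stmts:
        return errors, warnings  # MAY have no AttributeStatement
    if len(stmts) > 1:
        errors.append("more than one AttributeStatement")
    stmt = stmts[0]
    subj = subject_key(stmt)
    authn = root.find(f"{SAML}AuthenticationStatement")
    if subj is None:
        errors.append("AttributeStatement has no Subject/NameIdentifier")
    elif authn is None or subject_key(authn) != subj:
        errors.append("Subject does not match AuthenticationStatement")
    attrs = stmt.findall(f"{SAML}Attribute")
    if not attrs:
        errors.append("no Attribute elements")
    for a in attrs:
        name, ns = a.get("AttributeName"), a.get("AttributeNamespace")
        if not name or not ns:
            errors.append("Attribute missing AttributeName/AttributeNamespace")
        elif ns != CLAIMS_NS:
            warnings.append(f"{name}: non-standard AttributeNamespace")
        if not a.findall(f"{SAML}AttributeValue"):
            errors.append(f"{name}: no AttributeValue")
    return errors, warnings
```

These structural checks are meaningful only on an assertion whose signature has already been validated.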