Enable user attributes for SAML apps


# Enable user attributes for SAML apps

Asgardeo can share user attributes with applications. The following guide shows how to share user attributes with SAML applications.

# Prerequisite

The Enable Attribute Profile setting should be enabled for the application in Asgardeo.

# Configure user attributes to share

Follow the steps given below to configure the user attributes from the Asgardeo console and to share them with the application.

# Select user attributes

You need to first specify the user attributes required for an application. This ensures that when a user logs in, the application can only get access to the user information exposed through these attributes.

The user attributes are grouped by their specific scopes to ease the user attribute configuration process. You can add user attributes individually or all the attributes in the scope at once.

To add user attributes to the app:

  1. Go to the Asgardeo console (opens new window) and click Develop > Applications.

  2. Select your application and go to the User Attributes tab.

    Add user attributes in Asgardeo
  3. You can add user attributes using the following methods:

    • To add a group of user attributes, select the checkbox in front of the required scope.

      Add user attributes in Asgardeo
    • To add a single user attribute, expand the relevant scope and select the checkbox in front of the required user attributes.

      Add user attributes in Asgardeo
  4. Click Update once you are done.

# Map user attributes

In the user attribute configurations, you can either choose default attribute names or define application-specific user attribute names.

To configure application-specific attribute names, you need to map the selected user attributes to application-specific user attributes.

To perform mapping:

  1. Click Enable Mapping in the User Attributes section.

  2. Change the Mapped user attribute for the selected attribute.

    Eable mapping

This ensures that the application receives attributes based on the name that is configured.

# Define mandatory user attributes

You can configure the mandatory attributes that are essential for application functionalities. That is, when a user logs in, the user information linked to these attributes are required to be shared with the application.

If the user does not have this information entered in the user profile, the user will be prompted to enter the information during the login flow.

From the attributes that are enabled for the application in the Attributes tab, you can expand the scopes and select the attributes that are mandatory for the application:

Add mandatory user attributes in Asgardeo

# Select the subject attribute

The subject attribute is used for exchanging information about the user. The subject is represented by the subject attribute in the SAML assertion.

By default, Asgardeo shares username as the subject. You can define any user attribute as the subject.

To define a different attribute as the subject:

  1. Select it as a user attribute.

  2. Go to the Subject section under User Attributes.

    Select subject attribute in Asgardeo
  3. Select an attribute as the subject from the Subject attribute list.

  4. Click Update.

# How it works

Let's see how this flow works in Asgardeo.

Once you have configured the user attributes that are required for your application, Asgardeo implements the following process when a user tries to log in to your app.

Provides consent for attributes in Asgardeo

# Asgardeo checks for mandatory attributes

Asgardeo verifies whether the user's profile has values for all the mandatory attributes that are requested by the application. If there are missing values, Asgardeo will prompt the user to enter the missing values.

By default, Asgardeo requests the user's consent to share the user attributes with the application.

Learn more about managing user consent.

# Shares attributes with the app

Asgardeo will share these user attributes with an application given the user has provided consent. User attributes along with the subject attribute are shared via SAML assertions.

# Subject attribute

The subject attribute is shared via the <saml2:Subject> element based on the configured subject attribute.

A sample Subject element found in a SAML assertion is given below:

<saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData InResponseTo="immfmmacmiaomepphphhlfokfggpffkleokajfbg"
                                 NotOnOrAfter="2021-07-13T06:09:33.594Z"
                                 Recipient="http://localhost:8081/sample-app/home.jsp"
                                 />
   </saml2:SubjectConfirmation>

</saml2:Subject>
1
2
3
4
5
6
7
8
9
10

# Attribute statement

If the user gives consent to share attributes with the application, Asgardeo returns the requested user attributes via the <saml2:AttributeStatement> element

A sample attribute statement element found in a SAML assertion is given below:

<saml2:AttributeStatement>
        <saml2:Attribute Name="http://wso2.org/claims/country"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                         >
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xsd:string"
                                  >Sri Lanka</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="http://wso2.org/claims/emailaddress"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                         >
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xsd:string"
                                  >[email protected]</saml2:AttributeValue>
        </saml2:Attribute>
</saml2:AttributeStatement> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

# Attribute statement with attribute mapping

If you have done any custom attribute mapping via the Enable mapping setting, the attributes will contain those application-specific names in the SAML assertion.

A sample attribute statement element with custom attribute mapping is given below:

<saml2:AttributeStatement>
            <saml2:Attribute Name="country"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >Sri Lanka</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="emailaddress"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
</saml2:AttributeStatement>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16