SAML 1 Attribute Push Relying Party

In the SWITCHaai and AAI Test metadata files there is an EntitiesDescriptor element that includes multiple EntityDescriptor elements. This EntitiesDescriptor represents a relying party, which usually contains one or more Service Providers. The relying party's name (and thus the EntitiesDescriptor's Name) is the URL https://www.switch.ch/aai/SAML1/Attribute-Push, which points to this web page.
As the URL suggests, this so-called "attribute push relying party" can be used together with the configuration snippet below to tell a SAML 1 Identity Provider to push the user's attributes to all Service Providers within this relying party, as depicted in the orange box of the illustration.
Service Providers in this relying party therefore no longer need to open a separate back-channel request to fetch the attributes. This is an alternative to the default SAML 1 attribute pull method (top illustration), where a Service Provider opens an SSL-protected back-channel connection to the Identity Provider to pull the attributes.

Attribute Push has the benefits of being more reliable, more compatible and faster. Provided the Service Provider's assertion consumer URL is accessed over https, the pushed attributes should be safe from third parties. However, since the attributes are not encrypted, malicious code on the user's computer, as well as the user himself, could in theory read the transmitted attributes. Therefore, security and data privacy are slightly lower than with attribute pull.

The use of this relying party is thus generally recommended for Service Providers that request only non-personal data such as the affiliation, Home Organization, Home Organization type and possibly the unique ID.

In order for an Identity Provider to use the Attribute Push method for all Service Providers within the https://www.switch.ch/aai/SAML1/Attribute-Push EntitiesDescriptor, add the following lines to its idp.xml file, leaving everything as is except for signingCredential and nameMapping if they differ in your configuration:

<RelyingParty 
  name="https://www.switch.ch/aai/SAML1/Attribute-Push"
  signingCredential="switchaai_cred"
  defaultToPOSTProfile="true"
  forceAttributePush="true">
    <!-- (signingCredential) must correspond to a <Credential/> element below -->
    <NameID nameMapping="shm"/>
    <!-- (nameMapping) must correspond to a <NameMapping/> element below -->
</RelyingParty>
All these lines do is make the Identity Provider use Attribute Push for all Service Providers contained in the Relying Party https://www.switch.ch/aai/SAML1/Attribute-Push. If there is no EntitiesDescriptor element with this name in the metadata, they have no effect.
Make sure that the values of the signingCredential and nameMapping attributes correspond to those of the RelyingParty element already present in your configuration file.

Testing the Attribute Push

The easiest way to make sure that the attribute push is working goes as follows:

  1. Access a resource that is listed in the https://www.switch.ch/aai/SAML1/Attribute-Push EntitiesDescriptor element of the SWITCHaai or AAI Test metadata, e.g. go to the ScienceDirect web page or EBSCO, choose "Other Institutions login", choose "SWITCHaai" and click on the link of your university. In the case of EBSCO, first choose "Swiss Higher Education" and then the name of your Home Organization.
  2. Authenticate at your organization.
  3. In the Identity Provider shib-error.log, check whether there is a line saying "Resolving attributes for push". If there is, it worked.
    If you instead see "Processing SAML v1.1 Attribute Query request" for your request, then it doesn't work, because there shouldn't be an attribute request anymore. If you see neither line, you may want to temporarily increase the Identity Provider log level to DEBUG. Don't forget to set it back to WARN or INFO after the test.
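The two checks above (does the RelyingParty name resolve to an EntitiesDescriptor in the metadata, and which log line shows up) can be scripted. The following is an added example written for this page, not SWITCH's own code; it assumes SAML 2.0 metadata element names (EntitiesDescriptor with a Name attribute, EntityDescriptor with an entityID) and the RelyingParty element shown above, and both documents it parses are constructed samples.

```python
# Added example (not SWITCH code). Assumes SAML 2.0 metadata element names
# (EntitiesDescriptor "Name", EntityDescriptor "entityID") and the RelyingParty
# element shown above in idp.xml; both documents below are constructed samples.
import xml.etree.ElementTree as ET

PUSH_RP = "https://www.switch.ch/aai/SAML1/Attribute-Push"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace prefix

def push_entities(idp_xml, metadata_xml):
    """entityIDs that will get pushed attributes; empty if the RelyingParty is missing, not forcing push, or has no metadata group."""
    rps = {e.get("name"): e for e in ET.fromstring(idp_xml).iter()
           if _local(e.tag) == "RelyingParty"}
    rp = rps.get(PUSH_RP)
    if rp is None or rp.get("forceAttributePush") != "true":
        return set()
    for group in ET.fromstring(metadata_xml).iter():
        if _local(group.tag) == "EntitiesDescriptor" and group.get("Name") == PUSH_RP:
            return {e.get("entityID") for e in group.iter()
                    if _local(e.tag) == "EntityDescriptor"}
    return set()  # no EntitiesDescriptor of that name: the RelyingParty has no effect

def classify_log(lines):
    """'push' if attributes were resolved for push, 'pull' if an attribute query still arrived, else 'unknown'."""
    if any("Resolving attributes for push" in line for line in lines):
        return "push"
    if any("Processing SAML v1.1 Attribute Query request" in line for line in lines):
        return "pull"
    return "unknown"  # raise the IdP log level to DEBUG and retry

IDP_XML = """<IdPConfig>
  <RelyingParty name="%s" signingCredential="switchaai_cred"
                defaultToPOSTProfile="true" forceAttributePush="true">
    <NameID nameMapping="shm"/>
  </RelyingParty>
</IdPConfig>""" % PUSH_RP

METADATA_XML = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:constructed">
  <EntitiesDescriptor Name="%s">
    <EntityDescriptor entityID="https://sp1.example.org/shibboleth"/>
    <EntityDescriptor entityID="https://sp2.example.org/shibboleth"/>
  </EntitiesDescriptor>
  <EntityDescriptor entityID="https://sp3.example.org/shibboleth"/>
</EntitiesDescriptor>""" % PUSH_RP

if __name__ == "__main__":
    print(sorted(push_entities(IDP_XML, METADATA_XML)))  # sp1 and sp2 only, sp3 is outside the group
    print(classify_log(["INFO Resolving attributes for push"]))  # push
```

Point the two parsers at your real idp.xml and the SWITCHaai metadata file and feed the shib-error.log lines of one test login to classify_log.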