• Security & Identity
• Authentication
  • About AAI
  • Participants
  • Join AAI
  • Support & Downloads
    • FAQ
    • Helpdesk
    • Documents
    • Presentations
    • HOWTO
    • Identity Providers
    • Service Providers
    • Metadata
    • Tools
  • Demo
  • Contact
• Computer Emergencies
• Certificates
• Spam protection

SAML 2 Attribute Pull Relying Party

The SWITCHaai and AAI Test metadata files contain a relying party with the ID that corresponds to the URL of this page https://www.switch.ch/aai/SAML2/Attribute-Pull. This relying party is to used to tell a SAML2 Identity Provider (Shibboleth 2) to make Service Providers within this relying party to pull attributes (orange box in illustration) for SAML2 instead of using the default attribute push method (bottom of illustration) with encrypted attributes.

When attributes are pulled by the Service Provider from the Identity Provider this has a slight benefit concerning the security because a separate back channel is used to fetch the attributes from and because this channel is mutually authenticated with SSL. The downside of this is a small delay for the additional connection and a slightly more complex transaction. However, since this is the default attribute transmission method for SAML 1, it is no rocket science either.

In order for an Identity Provider to make use of this method, it should add the following lines to its relying-party.xml file:

to be added...