3.2 Configure Shibboleth SP - attribute-map.xml

The configuration file attribute-map.xml tells the Shibboleth software which attribute types exists in a federation and how to decode and present that information to applications.

Within the SWAMID community we have defined an SWAMID standard attribute-map.xml for Shibboleth Service Provider v2 och v3. This attribute-map.xml is more extensive than the attribute-map.xml that is part of the distribution. Please replace the installed attribute-map.xml with the file that is available on this page.

Important information

Please note that every attribute in attribute-map.xml with result in a header sent to backend if ShibUseHeaders is enabled (two if metadataAttributePrefix is defined). If you get too many, remove unused attributes from attribute-map.xml or modify backend header limits (LimitRequestFields/LimitRequestFieldSize in Apache HTTPD Server, maxHeaderCount/maxHttpHeaderSize in Apache Tomcat Connectors).

The latest published SWAMID example attribute map for Shibboleth Service Provider 3 is published at mds.swamid.se/entity-configurations/Shibboleth-SP/v3/. Below is the latest version included from the publication repository.

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
    SWAMID standard attribute-map.xml for SAML 2.0
    ==============================================
    The mappings are agreed to within the Shibboleth community or directly LDAP attribute names.

    Version: 2023-10-18

    REMEMBER to notify SWAMID saml-admins list when updating this file!
    -->

    <!-- New standard identifier attributes for SAML. -->
    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- Swedish -->
    <Attribute name="urn:oid:1.2.752.29.4.13" id="personalIdentityNumber"/>

    <!-- A persistent id attribute that supports personalized anonymous access. -->
    <!-- First, the eduPerson version with OID-style name: -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>
    <!-- Second, the SAML 2.0 NameID Format: -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>

    <!-- eduPerson attributes until version 201602 -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" id="prior-eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="unique-id"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" id="orcid"/>

    <!-- eduMember attributes until version 200507 -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>

    <!-- eduCourse attributes until version 200507 -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>

    <!-- Attributes from the Nordic LDAP schema norEdu* until version 1.6 -->
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.10" id="norEduPersonLegalName"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.5" id="norEduPersonNIN"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.4" id="norEduPersonLIN"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.6" id="norEduOrgAcronym"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.3" id="norEduPersonBirthDate"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.13" id="norEduPersonServiceAuthnLevel"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.14" id="norEduPersonAuthnMethod"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.7" id="norEduOrgUniqueIdentifier"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.8" id="norEduOrgUnitUniqueIdentifier"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.12" id="norEduOrgNIN"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.1" id="norEduOrgUniqueNumber"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.2" id="norEduOrgUnitUniqueNumber"/>

    <!-- Attributes from the European SCHema for ACademia (SCHAC) until version 1.5.0 -->
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.1" id="schacMotherTongue"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.2" id="schacGender"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.3" id="schacDateOfBirth"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.4" id="schacPlaceOfBirth"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.5" id="schacCountryOfCitizenship"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.6" id="schacSn1"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.7" id="schacSn2"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.8" id="schacPersonalTitle"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.11" id="schacCountryOfResidence"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.12" id="schacUserPresenceID"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.13" id="schacPersonalPosition"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.17" id="schacExpiryDate"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.18" id="schacUserPrivateAttribute"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole"/>

    <!-- Attributes from the late Swedish Alliance for Middleware Infrastructure (SWAMI) -->
    <!-- GMAI authorization tuples, mostly sent as eduPersonEntitlement (entitlement above) -->
    <Attribute name="urn:oid:1.2.752.104.2.3.1" id="swamiGmaiAssertion"/>
    <!-- Unique identifier for billing recipients -->
    <Attribute name="urn:oid:1.2.752.104.3.1.1" id="swamiBillingIdentifier"/>
    <!-- Identifying a recipient of a monetary transfer within a single financials system -->
    <Attribute name="urn:oid:1.2.752.104.3.1.2" id="swamiCostCenterIdentifier"/>

    <!-- Attribute to extract SWAMID Assurance Profiles -->
    <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>

    <!-- Examples of standard LDAP-based attributes -->
    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
    <Attribute name="urn:oid:2.5.4.12" id="title"/>
    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
    <Attribute name="urn:oid:2.5.4.13" id="description"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.13" id="mailLocalAddress"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
    <Attribute name="urn:oid:2.5.4.9" id="street"/>
    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
    <Attribute name="urn:oid:2.5.4.8" id="st"/>
    <Attribute name="urn:oid:2.5.4.7" id="l"/>
    <Attribute name="urn:oid:2.5.4.10" id="o"/>
    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.43" id="friendlyCountryName"/>
    <Attribute name="urn:oid:2.5.4.6" id="countryName"/>

</Attributes>