3.2 Configure Shibboleth SP - attribute-map.xml
The configuration file attribute-map.xml tells the Shibboleth software which attribute types exists in a federation and how to decode and present that information to applications.
Within the SWAMID community we have defined an SWAMID standard attribute-map.xml for Shibboleth Service Provider v2 och v3. This attribute-map.xml is more extensive than the attribute-map.xml that is part of the distribution. Please replace the installed attribute-map.xml with the file that is available on this page.
Important information
Please note that every attribute in attribute-map.xml with result in a header sent to backend if ShibUseHeaders is enabled (two if metadataAttributePrefix is defined). If you get too many, remove unused attributes from attribute-map.xml or modify backend header limits (LimitRequestFields/LimitRequestFieldSize in Apache HTTPD Server, maxHeaderCount/maxHttpHeaderSize in Apache Tomcat Connectors).
The latest published SWAMID example attribute map for Shibboleth Service Provider 3 is published at mds.swamid.se/entity-configurations/Shibboleth-SP/v3/. Below is the latest version included from the publication repository.
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- SWAMID standard attribute-map.xml for SAML 2.0 ============================================== The mappings are agreed to within the Shibboleth community or directly LDAP attribute names. Version: 2023-10-18 REMEMBER to notify SWAMID saml-admins list when updating this file! --> <!-- New standard identifier attributes for SAML. --> <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id"> <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> </Attribute> <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id"> <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> </Attribute> <!-- Swedish --> <Attribute name="urn:oid:1.2.752.29.4.13" id="personalIdentityNumber"/> <!-- A persistent id attribute that supports personalized anonymous access. --> <!-- First, the eduPerson version with OID-style name: --> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id"> <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> </Attribute> <!-- Second, the SAML 2.0 NameID Format: --> <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"> <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> </Attribute> <!-- eduPerson attributes until version 201602 --> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> </Attribute> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" id="prior-eppn"> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> </Attribute> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"> <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/> </Attribute> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation"> <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> </Attribute> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation"> <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> </Attribute> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="unique-id"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" id="orcid"/> <!-- eduMember attributes until version 200507 --> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/> <!-- eduCourse attributes until version 200507 --> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/> <!-- Attributes from the Nordic LDAP schema norEdu* until version 1.6 --> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.10" id="norEduPersonLegalName"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.5" id="norEduPersonNIN"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.4" id="norEduPersonLIN"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.6" id="norEduOrgAcronym"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.3" id="norEduPersonBirthDate"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.13" id="norEduPersonServiceAuthnLevel"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.14" id="norEduPersonAuthnMethod"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.7" id="norEduOrgUniqueIdentifier"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.8" id="norEduOrgUnitUniqueIdentifier"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.12" id="norEduOrgNIN"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.1" id="norEduOrgUniqueNumber"/> <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.2" id="norEduOrgUnitUniqueNumber"/> <!-- Attributes from the European SCHema for ACademia (SCHAC) until version 1.5.0 --> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.1" id="schacMotherTongue"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.2" id="schacGender"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.3" id="schacDateOfBirth"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.4" id="schacPlaceOfBirth"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.5" id="schacCountryOfCitizenship"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.6" id="schacSn1"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.7" id="schacSn2"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.8" id="schacPersonalTitle"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.11" id="schacCountryOfResidence"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.12" id="schacUserPresenceID"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.13" id="schacPersonalPosition"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.17" id="schacExpiryDate"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.18" id="schacUserPrivateAttribute"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership"/> <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole"/> <!-- Attributes from the late Swedish Alliance for Middleware Infrastructure (SWAMI) --> <!-- GMAI authorization tuples, mostly sent as eduPersonEntitlement (entitlement above) --> <Attribute name="urn:oid:1.2.752.104.2.3.1" id="swamiGmaiAssertion"/> <!-- Unique identifier for billing recipients --> <Attribute name="urn:oid:1.2.752.104.3.1.1" id="swamiBillingIdentifier"/> <!-- Identifying a recipient of a monetary transfer within a single financials system --> <Attribute name="urn:oid:1.2.752.104.3.1.2" id="swamiCostCenterIdentifier"/> <!-- Attribute to extract SWAMID Assurance Profiles --> <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/> <!-- Examples of standard LDAP-based attributes --> <Attribute name="urn:oid:2.5.4.3" id="cn"/> <Attribute name="urn:oid:2.5.4.4" id="sn"/> <Attribute name="urn:oid:2.5.4.42" id="givenName"/> <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/> <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/> <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/> <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/> <Attribute name="urn:oid:2.5.4.12" id="title"/> <Attribute name="urn:oid:2.5.4.43" id="initials"/> <Attribute name="urn:oid:2.5.4.13" id="description"/> <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/> <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/> <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/> <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/> <Attribute name="urn:oid:2.16.840.1.113730.3.1.13" id="mailLocalAddress"/> <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/> <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/> <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/> <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/> <Attribute name="urn:oid:2.5.4.9" id="street"/> <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/> <Attribute name="urn:oid:2.5.4.17" id="postalCode"/> <Attribute name="urn:oid:2.5.4.8" id="st"/> <Attribute name="urn:oid:2.5.4.7" id="l"/> <Attribute name="urn:oid:2.5.4.10" id="o"/> <Attribute name="urn:oid:2.5.4.11" id="ou"/> <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/> <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/> <Attribute name="urn:oid:0.9.2342.19200300.100.1.43" id="friendlyCountryName"/> <Attribute name="urn:oid:2.5.4.6" id="countryName"/> </Attributes>