Question

We run a Shibboleth Identity Provider, and have been increasingly asked to integrate with applications using non-Shibboleth SAML solutions, and encountering difficulty with regard to attribute naming. With a pure Shibboleth IdP & SP relationship, I know that the IdP can release user attributes to the Service Provider using arbitrary attribute names in the assertion. The Service Provider, having been configured to receive specific attributes using the IdP-provided names, re-maps the attributes from the IdP into attribute names useful to the Service Provider, using a configuration in the attribute-map.xml file.

My problem is with non-Shibboleth Service Provider operators, many of whom have refused to re-map attributes sent from the IdP, instead demanding new attributes be defined on the IdP (to carry values already available in existing attributes), using names dictated by the Service Provider owner. This causes the user's attribute object on the IdP to grow unnecessarily (at the time of authentication), because all defined attributes are populated with values first, and then they are filtered down to only those attributes approved for release to the requesting SP.

Is the attribute mapping feature, present in the Shibboleth Service Provider, part of the SAML/SAML 2.0 specification/standard, or is it a feature introduced by the Shibboleth developers? If it's part of the standard relationship/behavior in a SAML solution, can someone direct me to the authoritative standards document?

I've read through what I can find on OASIS regarding SAML standards, but I can't find anything regarding this behavior.


Solution

Attribute mapping is an application specific bit of functionality.

The SAML specification(s) deal with things like message exchanges and XML schemas, not the functionality software should provide or how bi-lateral arrangements between IdPs and SPs should be organised. They have nothing to do with the SAML specification. Sorry.

Note that there are plenty of other SAML products that provide similar attribute mapping functionality; it's not just Shibboleth that does so. I imagine the problem here is that the Service Providers consider their requirements more important than yours and aren't prepared to make an exception. Either that or they don't know how.
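To make the answer concrete, here is an added example (not code from the question, the answer, or the Shibboleth project) of what SP-side attribute mapping does: the assertion on the wire carries only the IdP's attribute names, and a purely local table, the role attribute-map.xml plays in the Shibboleth SP, turns them into whatever ids the application wants. The sample assertion is constructed; the OID and MACE attribute names are the standard eduPerson/LDAP ones, and the local ids ("email", "eppn", "affiliation") are assumed application names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Local mapping table: (wire Name, NameFormat) -> id the application wants.
# Two wire names may feed one local id, so an SP can accept whichever name
# an IdP releases instead of demanding new attributes be defined at the IdP.
ATTRIBUTE_MAP = {
    ("urn:oid:0.9.2342.19200300.100.1.3", URI_FORMAT): "email",
    ("urn:mace:dir:attribute-def:mail",
     "urn:mace:shibboleth:1.0:attributeNamespace:uri"): "email",  # legacy alias
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", URI_FORMAT): "eppn",
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", URI_FORMAT): "affiliation",
}

# Constructed sample AttributeStatement; givenName (urn:oid:2.5.4.42) is
# deliberately absent from the map and must be dropped by the SP.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{URI_FORMAT}">
   <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{URI_FORMAT}">
   <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="{URI_FORMAT}">
   <saml:AttributeValue>member</saml:AttributeValue>
   <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{URI_FORMAT}">
   <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def remap_attributes(assertion_xml, attribute_map):
    """Return {local_id: [values]} built only from mapped attributes."""
    # The application never sees wire names; unmapped attributes are discarded,
    # which doubles as a cheap allow-list of what the SP is willing to consume.
    root = ET.fromstring(assertion_xml)
    local = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("Name"), attr.get("NameFormat", URI_FORMAT))
        local_id = attribute_map.get(key)
        if local_id is None:
            continue
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        local.setdefault(local_id, []).extend(values)
    return local
```

Signature validation and the rest of assertion processing are assumed to have happened before this step; the mapping itself is the only part that is local policy rather than protocol.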

License: CC-BY-SA with attribution