Whether or not the client administrator provides a SAML Identity Provider Metadata XML file, SAML attribute information is needed. If the Identity Provider already releases the InCommon eduPerson Protocol-Level Attribute Names, the well-known attribute names for first name, last name, user name and email are used automatically. Otherwise Swank will need the SAML Protocol-Level Attribute Names that carry:
- First name
- Last name
- User name
- Email address
Attributes for user roles
Any user whose role cannot be determined is not allowed to log into Streaming Server. A role is determined by an exact match of the text of a SAML Protocol-Level Attribute Name and a partial match of the attribute value. The example below uses eduPersonScopedAffiliation and eduPersonEntitlement, but any SAML Protocol-Level Attribute Name can be matched in the same way for your Streaming Server portal.
User Role | Partial matching text | FriendlyName | Protocol-Level Attribute Name | Attribute Value |
Basic User Role | employee@ | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | staff@school.edu; |
Instructor User Role | Microscope | eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | urn:mace:school.edu:confocalMicroscope |
No User Role (no access) | Notfound | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | staff@school.edu; |
Table 1: Attributes for user roles
Basic and User Roles
When a user is being authenticated as a Basic or User role, it is not necessary to send the SAML attributes identifying their first name, last name, user name, or email address.
Instructor and Admin Roles
When a user is being authenticated as the Instructor or Admin role, it is required that the Identity Provider sends a SAML attribute for email address (urn:oid:0.9.2342.19200300.100.1.3) and a SAML attribute for at least one of first name (urn:oid:2.5.4.42), last name (urn:oid:2.5.4.4), or user name (urn:oid:2.16.840.1.113730.3.1.241).
Attribute Description | Friendly Name | Protocol-Level Attribute Name | Attribute Value |
First name | givenName | urn:oid:2.5.4.42 | Rick |
Last name | sn | urn:oid:2.5.4.4 | Sanchez |
User name (displayed in upper right corner) | displayName (uses sn + givenName if missing displayName) | urn:oid:2.16.840.1.113730.3.1.241 | Rick Sanchez |
Email address | mail | urn:oid:0.9.2342.19200300.100.1.3 | rsanchez@school.edu |
Table 2: Attribute examples
Non-Standard SAML Attributes
If the Identity Provider uses Protocol-Level Attribute Names other than those listed above (givenName = urn:oid:2.5.4.42, etc.), the Streaming Server can still work with it. Just provide your account manager with the list of Protocol-Level Attribute Names your Identity Provider uses for first name, last name, user name, and email.
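The following is an added example, not Swank's own code, showing how the rules from Table 1 (exact match on the protocol-level attribute Name, partial match on its value) and the Table 2 requirements for Instructor and Admin logins can be applied to the attributes of a SAML assertion, with the attribute-name map kept replaceable for IdPs that use non-standard names. The sample assertion is constructed, the dictionary shape for the name map is an assumption, and the given-name-first order of the displayName fallback is assumed since the page does not specify it.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Table 2 default names; an IdP with non-standard names supplies its own map (dict shape assumed).
DEFAULT_NAMES = {
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "first_name": "urn:oid:2.5.4.42",
    "last_name": "urn:oid:2.5.4.4",
    "user_name": "urn:oid:2.16.840.1.113730.3.1.241",
}
# Table 1 rules as (role, exact attribute Name, partial value text), most privileged first.
ROLE_RULES = [
    ("Instructor", "urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "Microscope"),
    ("Basic", "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", "employee@"),
]
# Constructed sample (not a real IdP response); verify the XML signature before trusting any of it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"><saml:AttributeValue>staff@school.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>urn:mace:school.edu:confocalMicroscope</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>rsanchez@school.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Rick</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Sanchez</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {protocol-level Name: [values]} from the AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def determine_role(attrs, rules=ROLE_RULES):
    """Exact match on Name, partial (substring) match on value; None means no access."""
    for role, name, needle in rules:
        if any(needle in value for value in attrs.get(name, [])):
            return role
    return None

def profile_for(attrs, role, names=DEFAULT_NAMES):
    """Basic/User roles need no identity attributes; Instructor/Admin need email + a name (Table 2)."""
    if role not in ("Instructor", "Admin"):
        return {}
    def first(key): return next(iter(attrs.get(names[key], [])), None)
    email, given, sn, display = (first(k) for k in ("email", "first_name", "last_name", "user_name"))
    if not email or not (given or sn or display):
        raise ValueError("Instructor/Admin login needs email and at least one name attribute")
    if not display:  # displayName "uses sn + givenName if missing"; given-first order is assumed
        display = " ".join(p for p in (given, sn) if p)
    return {"email": email, "display_name": display}
```

Note that the sample's staff@school.edu affiliation does not contain "employee@", so on its own it would yield no role; only the entitlement value grants Instructor.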