Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Procedure: To Set Up Attribute Mappers

This procedure passes the mail and employeeNumber attributes from the identity provider to the service provider.

  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit the attributeMap attribute in the exported extended metadata configuration file to include the user attributes the identity provider will pass to the service provider.

    attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. Each value takes the form autofedAttribute-value=remote-provider-attribute. For example:

    <Attribute name="attributeMap">
      <Value>mail=mail</Value>
      <Value>employeeNumber=employeeNumber</Value>
    </Attribute>

  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Repeat the above steps for the service provider's extended metadata configuration file.

  7. To test, invoke single sign-on from the service provider.

    The assertion contains an AttributeStatement with the mail and employeeNumber attributes, which are set in the single sign-on token.
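As an added example, not part of the original guide or the plug-in's own tooling, the following Python script performs the edit from step 2 programmatically: it replaces the attributeMap values in an exported extended metadata file and rejects any entry that is not in autofedAttribute-value=remote-provider-attribute form. The element names, the attribute name, and the urn:sun:fm:SAML:2.0:entityconfig namespace used in the constructed sample are assumptions.

```python
"""Set the attributeMap in an exported SAML v2 extended metadata file (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of an exported IDP extended metadata file. The
# namespace and element names are assumptions; the code matches on local
# element names only, so it tolerates a different namespace.
SAMPLE_EXTENDED_METADATA = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    entityID="http://idp.example.com:8080/amserver" hosted="1">
  <IDPSSOConfig>
    <Attribute name="signingCertAlias"><Value>idpcert</Value></Attribute>
    <Attribute name="attributeMap"><Value>mail=mail</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

# One local attribute name, one '=', one remote attribute name; nothing else.
MAPPING_RE = re.compile(r"^[A-Za-z][\w.-]*=[A-Za-z][\w.:-]*$")

def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Value' -> 'Value'."""
    return tag.rsplit("}", 1)[-1]

def set_attribute_map(xml_text, mappings):
    """Return the metadata with attributeMap set to exactly `mappings`."""
    for m in mappings:
        if not MAPPING_RE.match(m):
            raise ValueError("bad mapping (expected local=remote): %r" % m)
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace on output
    q = ("{%s}" % ns) if ns else ""
    # The hosted role config (IDPSSOConfig for step 2, SPSSOConfig for step 6).
    role = next(e for e in root if _local(e.tag) in ("IDPSSOConfig", "SPSSOConfig"))
    attr = next((a for a in role if _local(a.tag) == "Attribute"
                 and a.get("name") == "attributeMap"), None)
    if attr is None:
        attr = ET.SubElement(role, q + "Attribute", name="attributeMap")
    for old in list(attr):          # drop the existing Value children
        attr.remove(old)
    for m in mappings:
        ET.SubElement(attr, q + "Value").text = m
    return ET.tostring(root, encoding="unicode")

def read_attribute_map(xml_text):
    """List the attributeMap values currently in the metadata, in order."""
    root = ET.fromstring(xml_text)
    values = []
    for a in root.iter():
        if _local(a.tag) == "Attribute" and a.get("name") == "attributeMap":
            values.extend(v.text for v in a if _local(v.tag) == "Value")
    return values
```

Run set_attribute_map on the file exported in step 1 and write the result back before the delete and import in steps 3 and 4.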