This procedure passes the mail and employeeNumber attributes from the identity provider to the service provider.
Export the identity provider's current extended metadata configuration to a file.
saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name
Edit the attributeMap attribute in the exported extended metadata configuration file to include the user attributes the identity provider will pass to the service provider.
attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. Each value of this attribute has the form autofedAttribute-value=remote-provider-attribute. For example,
<Attribute name="attributeMap">
    <Value>mail=mail</Value>
    <Value>employeeNumber=employeeNumber</Value>
</Attribute>
Remove the identity provider's current extended metadata configuration.
saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c
Import the identity provider's modified extended metadata configuration file.
saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name
Restart the web container.
Repeat the above steps for the service provider's extended metadata configuration file.
To test, invoke single sign-on from the service provider.
The assertion contains an AttributeStatement with the mail and employeeNumber attributes, which are then set in the single sign-on token.
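The edit step above (adding Value entries to attributeMap before re-importing the file) can be scripted so the same mappings are applied identically to the identity provider's and the service provider's extended metadata. The script below is an added example, not part of this procedure or of the saml2meta tool; it assumes the exported file wraps the Attribute/Value fragment in EntityConfig/IDPSSOConfig elements in the urn:sun:fm:SAML:2.0:entityconfig namespace, and the sample file is constructed.

```python
"""Edit the attributeMap of a saml2meta-exported extended metadata file.
Assumed (not from the page): the Attribute/Value fragment sits inside
EntityConfig/IDPSSOConfig in namespace urn:sun:fm:SAML:2.0:entityconfig;
SAMPLE_IDP_EXTENDED is a constructed sample."""
import xml.etree.ElementTree as ET

SAMPLE_IDP_EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1" entityID="https://idp.example.com">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="attributeMap">
      <Value>mail=mail</Value>
    </Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

def _local(tag):
    # '{urn:...}Value' -> 'Value'; un-namespaced tags pass through unchanged
    return tag.rsplit('}', 1)[-1]

def _find_attribute_map(root):
    for el in root.iter():
        if _local(el.tag) == 'Attribute' and el.get('name') == 'attributeMap':
            return el
    raise ValueError('no <Attribute name="attributeMap"> in extended metadata')

def read_attribute_map(xml_text):
    """Return attributeMap entries as {autofed-attribute: remote-provider-attribute}."""
    attr = _find_attribute_map(ET.fromstring(xml_text))
    parts = [v.text.strip().partition('=') for v in attr if _local(v.tag) == 'Value' and v.text]
    return {local: remote for local, _, remote in parts}

def add_attribute_map(xml_text, mappings):
    """Add 'autofedAttribute-value=remote-provider-attribute' entries that are not
    already present and return the updated XML text for saml2meta import."""
    for m in mappings:
        local, sep, remote = m.partition('=')
        if not (sep and local.strip() and remote.strip()):
            raise ValueError(f'malformed attributeMap entry: {m!r}')
    root = ET.fromstring(xml_text)
    attr = _find_attribute_map(root)
    ns = attr.tag[:attr.tag.index('}') + 1] if attr.tag.startswith('{') else ''
    present = {v.text.strip() for v in attr if _local(v.tag) == 'Value' and v.text}
    for m in mappings:
        if m not in present:
            ET.SubElement(attr, ns + 'Value').text = m
            present.add(m)
    if ns:  # keep the default namespace so the import step accepts the file unchanged
        ET.register_namespace('', ns[1:-1])
    return ET.tostring(root, encoding='unicode')
```

Run it once against the exported identity provider file and once against the exported service provider file with the same mapping list, then continue with the delete, import and restart steps.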