SAML2AttributeQueryProfile

Definition

Based on SAML version 1 standard. This profile is used when the SSOProfile does not include attributes statements in the assertion. This profile allows to the applications request user data.

When you are configuring the profile, you could define what data will be encrypted and signed.

Screen overview

Standard attributes

Class: class name (readOnly field).
Enabled: if it is checked (selected option is Yes) that protocol will be enable.
Sign Responses: usually it is set to conditional or always, so as the service provider can verify the response authenticity.
Sign Assertions: is usually set to never, as long as the response is already signed.
Sign Request: not used, as the service provider will not need to generate requests.
Outbound Artifact Type: usually kept in blank, unless you are using old SAML 1 service.
Assertion Lifetime: specifies the validity period for the generated assertions. The time period is specified using the ISO 8601 notation. The standard format follows the pattern: PnYnMnDTnHnMnS. This means that PT5M sets a duration of five minutes. For instance, PT1H30M sets a duration of one hour and a half.
Encrypt Assertions: is a desired feature, but some service providers, mainly public cloud service providers do not support it. Thus, the default value is to never encrypt, but you can set it to optional or always as needed.
- If you set it to optional and the public key of the service provider who is going to receive the assertion is available, it will be used to encrypt it.
- If you set it to never, it will not ever be encrypted in any case.
- If you set it to always, but the remote service provider encryption key is unknown, an exception will be raised.
Encrypt NameIds: should be let to never.
Assertion Proxy Count: sets the maximum number of hops that can be accepted for any assertion. A number of 0 does not set any limit.

SAML (Security Assertion Markup Language)

SAML architecture

SAML Example

OpenID-Connect

OpenID-Connect architecture

OpenID-Connect example

CAS (Central Authentication Service)

CAS architecture

CAS Example

Radius (Remote Authentication Dial-In User Service)

Radius architecture

Radius Example

TACACS+ (The Terminal Access Controller Access-Control System Plus)

TACACS+ architecture

TACACS+ Example

WS-Fed

WS-Fed Architecture

WS-Fed Example

⏰ Getting started

Attribute definition

Attribute sharing policies

Identity & Service providers

Shared signals & events members

Entity Group

Identity Provider

Service Provider

Virtual Identity Provider

Profiles

OpenIDProfile

SAML1ArtifactResolutionProfile

SAML1AttributeQueryProfile

SAML2ArtifactResolutionProfile

SAML2AttributeQueryProfile

SAML2ECPProfile

SAML2SSOProfile

CAS

Radius

How to deploy the identity & service provider

Change Password URL

How to perform unsolicited login

Connecting an OpenID Connect service

Connecting a SAML service

Connecting Soffid console

Connecting your custom applications

Openid-connect to SAML interoperability

Openid-connect Dynamic Register

Connecting CAS client

Connecting Tacacs+

Connecting Radius client

validate-domain

validate-credentials

expire-session

generate-saml-request

parse-saml-response

generate-saml-logout-request

Soffid IdP as an identity broker

External oAuth / OpenID Identity Providers

SAML2AttributeQueryProfile

Definition

Screen overview

Standard attributes