A SAML response from an Identity Provider may contain an AttributeStatement with a list of attributes. This enables reading attributes from the SAML response. Specify the Name of the SAML attribute to read. The Name depends on which attribute profile the Identity Provider is using. Below are some examples for different types of attribute profiles.
Nexus-Assertion
Holds the verified SAML Assertion sent in a SAML response from a specific Identity Provider. This attribute can be read when the system is configured to "Store SAML Assertion in session" for the specific Identity Provider. This value can be sent as a header or a cookie to a back-end web-resource.
Note: Some web servers limit the size of the HTTP request header; it may be necessary to change the configuration of these back-end web servers to accept the Assertion if it is very large.
Nexus-AuthnContextClassRef
Holds the AuthnContext (e.g. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport) sent in a SAML response from a specific Identity Provider. This attribute is always stored in the SAML Session when the system acts as a Service Provider. The attribute can be sent as a header or a cookie to a back-end web-resource.
Nexus-IDP-EntityID
Holds the EntityID of the remote Identity Provider that sent a valid SAML Assertion. This attribute is always stored in the SAML Session when the system acts as a Service Provider. The attribute can be sent as a header or a cookie to a back-end web-resource.
For certificate attributes in SAML response see: Reading User Certificate attributes from SAML session.
Attribute-profile unspecified
<saml:AttributeStatement>
<saml:Attribute Name="mail">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jennyg@mycompany.my</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
In this example, set Name to "mail"
Attribute-profile basic
<saml:AttributeStatement>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jennyg@mycompany.my</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
In this example, set Name to "mail"
Attribute-profile X500
<saml:AttributeStatement>
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jennyg@mycompany.my</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
In this example, set Name to "urn:oid:0.9.2342.19200300.100.1.3" (the Name attribute, not the FriendlyName "mail")
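The following is an added example, not code from the product documented on this page, showing how the three attribute-profile variants above are read by matching on the Attribute's Name alone (never on FriendlyName), which is why the X500 example needs the urn:oid value. It uses Python's standard xml.etree.ElementTree and assumes the input is the AttributeStatement of an assertion that has already been signature-verified and stored in the SAML session, as in the Nexus-Assertion attribute described above; the sample XML strings are constructed from the page's examples, with a saml namespace declaration added so that each fragment parses on its own.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_NS = ('xmlns:xs="http://www.w3.org/2001/XMLSchema" '
         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')

# Constructed samples: the three attribute-profile forms from the page, each
# wrapped with the saml namespace declaration an enclosing Assertion would carry.
UNSPECIFIED = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="mail">
    <saml:AttributeValue {XS_NS} xsi:type="xs:string">jennyg@mycompany.my</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

BASIC = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="mail"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue {XS_NS} xsi:type="xs:string">jennyg@mycompany.my</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

X500 = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500">
  <saml:Attribute FriendlyName="mail"
      Name="urn:oid:0.9.2342.19200300.100.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      x500:Encoding="LDAP">
    <saml:AttributeValue {XS_NS} xsi:type="xs:string">jennyg@mycompany.my</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def _tag(local):
    """Clark-notation tag for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


def list_attribute_names(statement_xml):
    """Return (Name, NameFormat, FriendlyName) for every Attribute, in document
    order. Useful for discovering which attribute profile an IdP uses before
    deciding what to put in the Name setting. Works on a bare AttributeStatement
    or on a whole Assertion, since it walks all descendants."""
    root = ET.fromstring(statement_xml)
    return [
        (attr.get("Name"), attr.get("NameFormat"), attr.get("FriendlyName"))
        for attr in root.iter(_tag("Attribute"))
    ]


def read_attribute(statement_xml, name):
    """Return all AttributeValue texts of the Attribute whose Name equals `name`.

    Matching is on Name only: NameFormat is ignored (so "mail" works for both the
    unspecified and basic profiles), and FriendlyName is deliberately not
    consulted, because it is optional, unsigned-by-convention metadata that an IdP
    may set to anything. Multi-valued attributes yield several entries; an absent
    attribute yields an empty list rather than an error."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter(_tag("Attribute")):
        if attr.get("Name") != name:
            continue
        for value in attr.findall(_tag("AttributeValue")):
            values.append((value.text or "").strip())
    return values


if __name__ == "__main__":
    for label, doc in (("unspecified", UNSPECIFIED), ("basic", BASIC), ("X500", X500)):
        print(label, list_attribute_names(doc))
    print(read_attribute(X500, "mail"))                                # []
    print(read_attribute(X500, "urn:oid:0.9.2342.19200300.100.1.3"))  # ['jennyg@mycompany.my']
```

Running the block prints the attribute inventory for each profile and then shows that looking up "mail" against the X500 statement returns nothing, while the urn:oid Name returns the address, which is exactly the configuration point the three examples above make.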