We have a SAML 2.0 federated environment (IDP and SP). I would like to generate a custom attribute for assertions created only for one SP. As such, I will not modify the IDP configuration.

The snippet of the SAML Assertion we need to create:

< saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
Name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups">

< saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
xsi:type="xsd:string">ABCD

According to SAML2 specifications, we need to modify the SP extended metadata to provide this attribute. The constant string "ABCD" is the attribute we want to send. I've modified as such, but no results. Can anyone provide insight?

< Attribute name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups">

 < Value>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|ABCD</Value>

< /Attribute>

Also tried:

< Attribute name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

 < Value>"ABCD"</Value>

< /Attribute>

Looking at the metadata spec it seems like you use the following syntax to define what attributes you want from the IDP. Of course the IDP must be configured to allow the export of such attribute to..

<AttributeConsumingService>
   <ServiceName xml:lang="en">youname</ServiceName>
   <RequestedAttribute 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:theformat"
      Name="theAttributeName"
      FriendlyName="humanReadableName"/>
</AttributeConsumingService>

The spec of this is here at page 21 https://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf