The UserAttributes SAML extension is used to add SAML Attributes to a SAML authentication request (AuthnRequest), providing additional information about the user to be authenticated.


XML Schema of the UserAttributes extension

XML Schema
<!--
  XML Schema for the UserAttributes SAML extension
  (target namespace urn:mace:surf.nl:stepup:gssp-extensions).
  It declares a single global element, UserAttributes, which wraps a
  saml:Attribute from the SAML 2.0 assertion namespace.
  The default namespace and the xs prefix are both bound to the XML Schema
  namespace; only the xs prefix is actually used below.
-->
<xs:schema
        targetNamespace="urn:mace:surf.nl:stepup:gssp-extensions"
        xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        elementFormDefault="unqualified"
        attributeFormDefault="unqualified">
    <!--
      No schemaLocation is given for the SAML assertion namespace, so the
      validator has to be handed that schema explicitly. Prefer a local,
      trusted copy over letting the validator resolve it from the network.
    -->
    <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion" />
    <!--
      Global declaration, so the element is qualified with the target
      namespace. The "unqualified" form defaults above only apply to local
      declarations, and this schema has none.
    -->
    <xs:element name="UserAttributes">
        <xs:complexType>
            <xs:sequence>
                <!--
                  With no minOccurs/maxOccurs the defaults (1 and 1) apply:
                  exactly one saml:Attribute child is required.
                  NOTE(review): the accompanying text speaks of "Attributes"
                  in the plural; if several are meant to be allowed this
                  reference would need maxOccurs="unbounded". Confirm against
                  the implementation before changing the schema.
                  The schema places no restriction on the attribute Name or on
                  its values. A receiver should accept only the attribute
                  names it expects and treat every value as requester-supplied
                  input.
                -->
                <xs:element ref="saml:Attribute" />
            </xs:sequence>
        </xs:complexType>
    </xs:element>
</xs:schema>

Example

An example SAML AuthnRequest using the UserAttributes extension:

Example SAML AuthnRequest using the UserAttributes extension
<!--
  Example AuthnRequest carrying the UserAttributes extension inside
  samlp:Extensions. Hosts are under example.org and the user data is sample
  data.
  ProtocolBinding and AssertionConsumerServiceURL describe how and where the
  response is to be returned, not how this request itself is sent. A receiver
  should check the AssertionConsumerServiceURL against the requester's
  registered metadata instead of trusting the value in the request.
  This listing contains no ds:Signature element. The attributes in the
  extension are asserted by the requester, so a receiver should act on them
  only after the request has been authenticated, that is, after its signature
  has been verified against the key registered for the Issuer.
  NOTE(review): with the HTTP-Redirect binding the signature is carried in the
  query string and would not appear in the XML; which binding is used to send
  this request is not shown here.
-->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_09010524d6c616787a5b8364aa20a3bfcfa4a38062ee88c8893720717e83"
                    Version="2.0"
                    IssueInstant="2025-04-28T08:56:10Z"
                    Destination="https://gateway.stepup.example.org/second-factor-only/single-sign-on"
                    AssertionConsumerServiceURL="https://engine.openconext.example.org/authentication/stepup/consume-assertion"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
    <saml:Issuer>https://engine.openconext.example.org/authentication/stepup/metadata</saml:Issuer>
    <samlp:Extensions>
        <!--
          The extension element. xsi and xs are declared here because the
          AttributeValue below uses xsi:type="xs:string"; the xs prefix occurs
          inside an attribute value, so its binding must be in scope at that
          point. The saml prefix is declared again on saml:Attribute although
          the root element already binds it to the same namespace.
          The mail value is personal data. NOTE(review): if the request is
          sent over a front-channel binding it passes through the user's
          browser, where an unsigned request can be read and altered.
        -->
        <gssp:UserAttributes xmlns:gssp="urn:mace:surf.nl:stepup:gssp-extensions"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema">
            <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                            Name="urn:mace:dir:attribute-def:mail">
                <saml:AttributeValue xsi:type="xs:string">j.doe@institution-a.example.org</saml:AttributeValue>
            </saml:Attribute>
        </gssp:UserAttributes>
    </samlp:Extensions>
    <!-- The user the request is about; the extension attributes above give additional information on this user. -->
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:institution-a.example.org:u12345678</saml:NameID>
    </saml:Subject>
    <samlp:NameIDPolicy AllowCreate="true" />
    <!-- Comparison="minimum": the requester asks for at least the listed authentication context class. -->
    <samlp:RequestedAuthnContext Comparison="minimum">
        <saml:AuthnContextClassRef>http://stepup.example.org/assurance/sfo-level1.5</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    <!-- RequesterID names an entity on whose behalf the request is made; it is a claim by the requester like the rest of the message. -->
    <samlp:Scoping ProxyCount="10">
        <samlp:RequesterID>https://institution-a.example.org/idp/metadata</samlp:RequesterID>
    </samlp:Scoping>
</samlp:AuthnRequest>