4.2 How to inform user of missing required attributes when accessing a service

Identity Providers don't send attributes to Service Providers without any good reason. Sweden is a member of the European Union and within the union there are strict rules on storing, transfer and process personal data. All attributes in the attribute release is to consider as personal data and therefore Identity Providers are careful.

The best way for a Service Provider to get the needed attributes is to request to the registering federation, i.e. SWAMID, to add entity categories to their metadata. For more information about entity categories please see 4.1 Entity Categories for Service Providers.

If some Identity Providers still doesn't release enough required attributes to the Service Provider you should inform the users what required attributes are missing in the release from their Identity Providers. This gives the user meaningful reason why the user can't access your service. It also gives you a possible sponsor to get the required attribute release from the Identity Provider. The information you give on the required attributes page is vital for the user in their communication with their service desk. The page should at least contain what attributes are missing, a link to the Service Provider informational page and a link to the Service Provider privacy policy.

The best way to create a page for required attributes missing is to do this within the webservice but sometimes this is not possibly and then you should use the capabilities of your SAML Service Provider software. For example in Shibboleth Service Provider you can use Shibboleth SP attribute checker.

  • No labels