Design User Metadata

From GFIPM Implementation Wiki


This article presents general information on how your organization should design its user metadata based on your list of desired federation resources and the information about your users.

The GFIPM Metadata Specification includes a standard set of informational attributes that can be asserted for a user. Example attributes are a user's name, phone number, title, permissions, etc. These attributes are collected by an IDP, assembled into a SAML assertion, and securely transmitted to an SP on behalf of a user.

Your federation manager should provide you with advice on which metadata attributes are required or recommended for assertion by IDPs in your federation.

Taking into account the GFIPM definition of each metadata attribute you want to assert, determine whether and how you can truthfully assert it for your users based on your locally available user information. Assertions can be based either on explicit local attribute data (stored in a user repository) or on implicit assumptions about users based on local policies.

You may encounter a situation in which you want to assert an attribute but cannot do so based on locally available information. In this case you have two choices: do not assert it, or collect and store the data necessary to assert it.

Remember that the basis for asserting each user attribute must be documented in the Local Attribute Mapping Form.

At the end of this process, you should have a list of GFIPM metadata attributes that your IDP will assert, along with the precise GFIPM definition for each of those attributes.

Each metadata attribute that your IDP asserts must carry a valid value in the SAML assertion. Each value must be either extracted from one of your local data sources or validly derived for that user; an attribute you cannot substantiate is better left out than asserted, since SPs rely on it for access control. In addition, how you assert each attribute (i.e., the data source or reasoning you used) must be documented in your Local Attribute Mapping Form.

Required metadata attributes, as defined by your federation manager, are mandatory because they are used to uniquely identify a user and to audit transactions. Your IDP must assert these metadata attributes.

Strongly recommended attributes are those attributes used by many Service Providers or resources in their access control policies. Assertion of these attributes typically leads to more data access opportunities for users. Your IDP should assert these metadata attributes if possible.

The other listed attributes are recommended, which means that some useful resources use them in their access control policies. Your IDP should assert these metadata attributes if possible.
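The mapping procedure above, worked through in code as an added example (this is not code from the GFIPM wiki or the GFIPM reference implementation). The attribute names are placeholder URNs under urn:example:gfipm, not the official GFIPM attribute identifiers; the tiers and the rule that a required attribute without a valid value blocks the assertion follow this page. The "Patrol Division means sworn officer" rule is an assumed local policy standing in for an implicit assertion, and the three user records are constructed, not real directory entries.

```python
"""Map local user records onto federation metadata attributes and emit a
SAML 2.0 AttributeStatement, asserting only what can be backed by data or
policy and refusing to proceed when a required attribute has no value."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

REQUIRED = "required"
STRONGLY_RECOMMENDED = "strongly recommended"
RECOMMENDED = "recommended"


@dataclass(frozen=True)
class Mapping:
    name: str                                 # federation attribute (placeholder URN, not official)
    tier: str
    derive: Callable[[dict], Optional[str]]   # None means "nothing truthful can be said"
    basis: str                                # what the Local Attribute Mapping Form would record


def from_field(key: str) -> Callable[[dict], Optional[str]]:
    """Explicit assertion: copy a value out of the local repository, or None if blank."""
    return lambda rec: (rec.get(key) or "").strip() or None


def sworn_officer_by_policy(rec: dict) -> Optional[str]:
    """Implicit assertion based on an assumed local policy: every member of the
    'Patrol Division' OU is a sworn officer.  For anyone else the IDP does not
    know, so it returns None and the attribute is simply not asserted."""
    return "true" if rec.get("ou") == "Patrol Division" else None


# Hypothetical mapping table for an agency directory (not GFIPM's official list).
MAPPINGS = [
    Mapping("urn:example:gfipm:FederationId", REQUIRED, from_field("uid"),
            "directory attribute uid, unique per user"),
    Mapping("urn:example:gfipm:GivenName", STRONGLY_RECOMMENDED, from_field("givenName"),
            "directory attribute givenName"),
    Mapping("urn:example:gfipm:SurName", STRONGLY_RECOMMENDED, from_field("sn"),
            "directory attribute sn"),
    Mapping("urn:example:gfipm:SwornLawEnforcementOfficerIndicator", STRONGLY_RECOMMENDED,
            sworn_officer_by_policy, "agency policy: Patrol Division members are sworn"),
    Mapping("urn:example:gfipm:TelephoneNumber", RECOMMENDED, from_field("telephoneNumber"),
            "directory attribute telephoneNumber"),
]


def assert_attributes(record: dict) -> Tuple[Dict[str, str], List[str]]:
    """Return (values to assert, attribute names deliberately left unasserted).
    A required attribute without a valid value aborts the whole assertion."""
    values: Dict[str, str] = {}
    omitted: List[str] = []
    for m in MAPPINGS:
        v = m.derive(record)
        if v is not None:
            values[m.name] = v
        elif m.tier == REQUIRED:
            raise ValueError(f"required attribute {m.name} cannot be asserted "
                             f"for uid={record.get('uid')!r}")
        else:
            omitted.append(m.name)
    return values, omitted


def build_attribute_statement(values: Dict[str, str]) -> str:
    """Serialise the asserted values as a saml:AttributeStatement fragment
    (signing and the enclosing Assertion are out of scope here)."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in values.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def attribute_names_in(statement_xml: str) -> List[str]:
    """Parse a statement back and list the Name of every Attribute, in order."""
    root = ET.fromstring(statement_xml)
    return [a.get("Name") for a in root.findall(f"{{{SAML_NS}}}Attribute")]


# Constructed sample records (not real users).
ALICE = {"uid": "a.lee", "givenName": "Alice", "sn": "Lee",
         "ou": "Patrol Division", "telephoneNumber": "+1 555 0100"}
BOB = {"uid": "b.ng", "givenName": "Bob", "sn": "Ng", "ou": "Records", "telephoneNumber": ""}
CAROL = {"uid": "", "givenName": "Carol", "sn": "Diaz"}

if __name__ == "__main__":
    for rec in (ALICE, BOB):
        vals, skipped = assert_attributes(rec)
        print(build_attribute_statement(vals))
        print("not asserted:", skipped)
    try:
        assert_attributes(CAROL)
    except ValueError as e:
        print("refused:", e)
```

Alice gets all five attributes, including the policy-derived sworn-officer indicator. Bob has a blank telephone number and is outside the Patrol Division, so those two attributes are left out rather than asserted with a guessed value. Carol has no uid, so the required identifier cannot be asserted and the IDP refuses to build the statement at all; the basis strings on each Mapping are the material that belongs in the Local Attribute Mapping Form.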
