Attribute Aggregator module

The Attribute Aggregator module is implemented as an Authentication Processing Filter. It can be configured in the SP's config.php file.

It is recommended to run the Attribute Aggregator module at the SP and to configure the filter to run after the federated id (usually eduPersonPrincipalName) has been resolved.


You can install the module with composer:

composer require niif/simplesamlphp-module-attributeaggregator

How to set up the attributeaggregator module

The only required option of the module is the entityId of the Attribute Authority to be queried. The AA must support urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding.


            59 => array(
               'class' => 'attributeaggregator:attributeaggregator',
               'entityId' => '',

               /* The subject of the attribute query. Default: urn:oid: (eduPersonPrincipalName) */
               //'attributeId' => 'urn:oid:',

               /* If set to TRUE, the module will throw an exception if attributeId is not found. */
               // 'required' => FALSE,

               /* The format of attributeId. Default is 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' */
               //'nameIdFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

               /* The name format of the attribute names. */
               //'attributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',

               /*
                * The requested attributes. If not present, we will get all
                * the attributes. The keys of the array are the attribute names in (urn:oid) format.
                * values:
                *   the array of acceptable values. If not defined, the filter will accept all values.
                * multiSource:
                *   merge:    merge the existing and the new values, this is the default behaviour,
                *   override: drop the existing values and set the values from AA,
                *   keep:     drop the new values from AA and keep the original values.
                */
               // 'attributes' => array(
               //         "urn:oid:attribute-OID-1" => array (
               //               "values" => array ("value1", "value2"),
               //               "multiSource" => "override"
               //               ),
               //         "urn:oid:attribute-OID-2" => array (
               //               "multiSource" => "keep"
               //               ),
               //         "urn:oid:attribute-OID-3" => array (
               //               "values" => array ("value1", "value2"),
               //               ),
               //         "urn:oid:attribute-OID-4" => array ()
               //        ),
            ),


If the AA is a SimpleSAMLphp implementation with simplesamlphp-module-aa, you have to define a PAOS ACS endpoint with the correct Location (check the VIRTUAL_HOST environment variable).

In authsources.php, in the current SP array, i.e. default-sp:

        'AssertionConsumerService' => [
            [
                // Regular browser (HTTP-POST) endpoint
                'index' => 0,
                'isDefault' => true,
                'Location' => 'https://' . getenv('VIRTUAL_HOST') . '/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],
            [
                // PAOS endpoint
                'index' => 1,
                'Location' => 'https://' . getenv('VIRTUAL_HOST') . '/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS',
            ],
        ],


The following options can be used when configuring the attributeaggregator module:

entityId : The entityId of the Attribute Authority. The metadata of the AA must be in the attributeauthority-remote metadata set, otherwise you will get an error message.

attributeId : This is the Subject in the issued AttributeQuery. The attribute must be previously resolved by an authproc module. The default attribute is urn:oid: (eduPersonPrincipalName).

attributeNameFormat : The format of the NameID in the issued AttributeQuery. The default value is urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

attributes : You can list the attributes expected from the Attribute Authority in the attributes array. The array contains key-value pairs, where the keys are attribute names in full federated (urn:oid) format and the values are arrays with the expected values for that attribute. If the value is an empty array, all the values of the attribute are resolved, otherwise only the matching ones. If the attributes option is not defined, every attribute in the response from the AA is resolved.
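
The following is an added example, not the module's own code, that models how the documented values filter and the multiSource modes (merge, override, keep) combine attributes already in the session with those returned by the AA. The function name applyAggregated(), the sample data, and the behaviour when no existing value is present or when the AA returns nothing acceptable are assumptions.

```php
<?php
// Added illustration, not the module's own code: applyAggregated() and the
// sample data are hypothetical and only model the documented option semantics.
function applyAggregated(array $existing, array $fromAA, ?array $wanted): array
{
    // 'attributes' option not defined: resolve every attribute the AA returned.
    $wanted = $wanted ?? array_fill_keys(array_keys($fromAA), array());
    $result = $existing;
    foreach ($wanted as $name => $rule) {
        $new = $fromAA[$name] ?? array();
        // 'values' missing or empty accepts everything, otherwise only matches.
        if (!empty($rule['values'])) {
            $new = array_values(array_intersect($new, $rule['values']));
        }
        if ($new === array()) {
            continue; // assumption: nothing acceptable from the AA changes nothing
        }
        $mode = $rule['multiSource'] ?? 'merge';
        if (!isset($existing[$name]) || $mode === 'override') {
            $result[$name] = $new;             // AA is the only or the winning source
        } elseif ($mode === 'merge') {
            $result[$name] = array_values(array_unique(array_merge($existing[$name], $new)));
        } elseif ($mode !== 'keep') {
            throw new InvalidArgumentException("unknown multiSource: $mode");
        }                                      // 'keep': original values stay as they are
    }
    return $result;
}

// Constructed sample data using the placeholder names from the configuration above.
$fromIdP = array(
    'urn:oid:attribute-OID-1' => array('student'),
    'urn:oid:attribute-OID-2' => array('idp-value'),
);
$fromAA = array(
    'urn:oid:attribute-OID-1' => array('value1', 'unexpected'),
    'urn:oid:attribute-OID-2' => array('aa-value'),
    'urn:oid:attribute-OID-3' => array('value2', 'other'),
    'urn:oid:attribute-OID-5' => array('not-requested'),
);
$wanted = array(
    'urn:oid:attribute-OID-1' => array('values' => array('value1', 'value2'), 'multiSource' => 'override'),
    'urn:oid:attribute-OID-2' => array('multiSource' => 'keep'),
    'urn:oid:attribute-OID-3' => array('values' => array('value1', 'value2')),
    'urn:oid:attribute-OID-4' => array(),
);
print_r(applyAggregated($fromIdP, $fromAA, $wanted));
```

With the default merge, values from both the IdP and the AA end up in the same attribute, so for attributes the SP uses in access decisions the choice of multiSource decides which source is trusted.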