Supported SAML 2.0 Attributes

Configuring SAML response attributes for SSO with Arpio

When you add a SAML 2.0 Identity Provider to your Arpio account, you can configure your identity provider to send specific response attributes that will affect how Arpio handles user identity and authentication.  Sometimes these attributes are called assertions, because the identity provider is asserting that they are valid statements about the identity or authentication context of the user.

Arpio requires signed assertions

The assertions present in your identity provider's response must be signed by one of the valid signing keys in the identity provider metadata you configure in Arpio.  If the assertions are not signed, users will receive an authentication error when they try to authenticate using that identity provider.

If your identity provider software is not configured to sign response assertions, you'll need to enable signing to connect it to Arpio.  Refer to your identity provider software's documentation for details.

When can I make changes to response attributes?

You can make changes to your identity provider's SAML 2.0 response configuration at any time.  If you configure response attributes before you connect your identity provider to your Arpio account, you should see the effects when users first authenticate with your identity provider.  To test changes you've made after you've connected your identity provider to Arpio, have your user log out of their Arpio account, and then log back in using the SAML 2.0 identity provider.

How do I change which response attributes are sent?

Since SAML 2.0 identity providers are operated and managed outside of the Arpio service, the process for changing which attributes are included with responses depends on your identity provider software.  Refer to your identity provider vendor's documentation for instructions on setting custom attributes.

Which response attributes does Arpio support?

Your identity provider can send any response attributes to Arpio, but Arpio only makes use of the attributes in the following table.  Other attributes are ignored.


Attribute Name Attribute Value Example


A string that contains the user's first or given name or names.
Used to construct the full name that appears in the Arpio Users list.


A string that contains the user's last or family name or names.
Used to construct the full name that appears in the Arpio Users list.


A string that contains a non-negative integer number.


Controls how long the authenticated user's session lasts.  When present, it overrides any session expiration specified in the standard SessionNotOnOrAfter  attribute, which some identity provider may send.

See Controlling SAML 2.0 Session Duration for details.