Tags: django, single-sign-on, metadata, saml-2.0, idp

How to add claims to SAML IdP metadata


I built the SSO integration project; I will be the IdP (identity provider) and our third party will be the SP (service provider).

I used this code https://github.com/OTA-Insight/djangosaml2idp to prepare my IdP. Everything is OK and I have already tested it with https://sptest.iamshowcase.com/. But I have a question: how can I add claims to this generated metadata so that it helps our SP use it?

Here is the generated metadata file:

<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>

Here are my attempts; are they correct?

First attempt: by adding AttributeConsumingService, but I am not sure about the SPSSODescriptor tag.

<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:SPSSODescriptor>
</ns0:EntityDescriptor>

Second attempt: or add AttributeConsumingService to IDPSSODescriptor, as below?

<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>

Note: djangosaml2idp is a SAML SSO IdP built on the Django Python framework.

I appreciate your support.


Solution

  • RequestedAttribute is for the Service Provider (SP) metadata. It's a way for the SP to make known which attributes it requires, subject to the IdP releasing those attributes. AttributeConsumingService is also part of the SP metadata.

    The IdP does not advertise what it contains or is willing to release. That is an IdP/SP contract which only those entities know about.

    There is an example of each here.
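As an added example (not code from the question, the answer, or the djangosaml2idp project), here is a small Python linter for the point made in this answer: AttributeConsumingService and RequestedAttribute are SP-side elements, so finding them under IDPSSODescriptor means the document was assembled by hand and the SP will not be able to use it as intended. It also flags a RequestedAttribute whose NameFormat claims attrname-format:uri while its Name is a bare word such as username (as in the attempts above), and a validUntil that has already passed. Both sample documents are constructed and abbreviated (certificates and algorithm lists left out); the sp.example.test host, its endpoints and the fixed "now" timestamps are assumptions.

```python
"""Lint a SAML 2.0 metadata document for misplaced SP-only elements.

Added example, not part of the original question or of djangosaml2idp.
Uses only the standard library so it can be run against any metadata file.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample 1: mirrors the question's "second attempt", where the
# SP-only AttributeConsumingService was pasted into the IdP role.
IDP_WITH_MISPLACED_ACS = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:9000/idp/sso/post/"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en"/>
      <md:RequestedAttribute Name="username" NameFormat="{URI_FORMAT}" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="{URI_FORMAT}" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample 2: the same element where the schema places it, in SP
# metadata (hypothetical sp.example.test host and endpoints).
SP_WITH_ACS = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="{URI_FORMAT}" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def attribute_consuming_services(metadata_xml):
    """Return (role, index, [(Name, NameFormat), ...]) for every
    AttributeConsumingService found under either role descriptor."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role_tag in ("IDPSSODescriptor", "SPSSODescriptor"):
        for role in root.findall(f"md:{role_tag}", NS):
            for acs in role.findall("md:AttributeConsumingService", NS):
                requested = [(ra.get("Name"), ra.get("NameFormat"))
                             for ra in acs.findall("md:RequestedAttribute", NS)]
                found.append((role_tag, acs.get("index"), requested))
    return found


def lint_metadata(metadata_xml, now_utc=None):
    """Return a list of findings; an empty list means nothing was flagged.
    now_utc is a SAML-style UTC timestamp string, defaulting to the clock."""
    findings = []
    root = ET.fromstring(metadata_xml)

    # Expired metadata must not be imported into either side's trust store.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, SAML_TIME).replace(tzinfo=timezone.utc)
        now = (datetime.strptime(now_utc, SAML_TIME).replace(tzinfo=timezone.utc)
               if now_utc else datetime.now(timezone.utc))
        if now > expiry:
            findings.append(f"validUntil {valid_until} is in the past; the document must not be imported")

    for role_tag, index, requested in attribute_consuming_services(metadata_xml):
        if role_tag == "IDPSSODescriptor":
            findings.append(f"AttributeConsumingService index={index} sits inside IDPSSODescriptor; "
                            "the schema defines it for SPSSODescriptor only")
        for name, fmt in requested:
            # attrname-format:uri promises a URI; a bare word like "username" is not one.
            if fmt == URI_FORMAT and ":" not in (name or ""):
                findings.append(f"RequestedAttribute Name={name!r} uses attrname-format:uri but is not a URI")
    return findings


if __name__ == "__main__":
    for label, doc in (("IdP (misplaced)", IDP_WITH_MISPLACED_ACS), ("SP", SP_WITH_ACS)):
        print(label)
        for finding in lint_metadata(doc, now_utc="2023-01-01T00:00:00Z") or ["  ok"]:
            print(" ", finding)
```

On a real file, call `lint_metadata(open(path).read())`. The schema does allow optional saml:Attribute children directly under IDPSSODescriptor as an informational list of attributes the IdP supports; this linter leaves those alone, because what the SP actually receives is whatever the IdP places in the assertion's AttributeStatement for that specific SP, which is the per-SP contract the answer refers to.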