By: san jong user 12 Jul 2016 at 9:53 p.m. CDT

8 Responses
hi, how do I add a "role" attribute? Do I just add a new attribute myself? I get a warning about an existing LDAP attribute role when I try to add a "role" attribute. And how do I enter multiple values on the role attribute? Do I edit the person and enter comma-separated values? FYI, the role attribute is intended to be exposed in SAML authentication. Thanks.

By Michael Schwartz Account Admin 12 Jul 2016 at 10:05 p.m. CDT

See:

- [Custom Attributes](https://gluu.org/docs/customize/attributes/)
- [Automating Custom Attribute Configuration](https://gluu.org/docs/how-to/automate-schema/)
- [Schema Auto-generated docs](https://gluu.org/docs/gluu-defaults/schema/)

Note: by default, the objectclass is `gluuPerson`, which may contain role. Check the objectclass in the gluu schema file located in the folder `/opt/opendj/config/schema`. Grep for role and you'll probably turn it up. Also, don't forget that there is LDAP schema, but there is also an LDAP entry for each attribute in your Gluu Server configuration under `ou=attributes,o=org-inum,o=gluu`.

By Aliaksandr Samuseu staff 13 Jul 2016 at 5:53 p.m. CDT

Hi, ss jong. Were Michael's links helpful? Do you need further assistance?

> I get a warning about existing LDAP attribute role when I tried to add a "role" attribute.

That's strange. I can't see a "role" attribute in my freshly installed instance. Did you try to create it yourself, then something went wrong and now you are trying to create it again, and fail?

> And how do I enter multi values on the role attribute?

That's a good question. I can't find any means to do this myself. Docs also don't help. I'll try to ask around, and will create an issue report if there happens to be no way to do it through the web UI.

By Aliaksandr Samuseu staff 13 Jul 2016 at 5:58 p.m. CDT

Got it. There is indeed an attribute "role" in the LDAP schema, but it's not an attribute allowed to be "attached" to user entries; it's used internally in Gluu's configuration entries. Can you proceed with a different name? Like "role4SAML"?

By Aliaksandr Samuseu staff 13 Jul 2016 at 6:10 p.m. CDT

ss jong, you shouldn't be bothered with how to name these attributes in the web UI at all; these names don't go into the SAML response, they are used internally in configuration files only. SAML defines its own naming for attributes: when you create/edit attributes you see these 2 fields, `SAML1 URI` and `SAML2 URI`. That's it; you need to put the correct names your SP expects there (you may check pre-packaged attributes there to get an understanding of what you need). So you need to study the requirements of your SP carefully first.

By san jong user 14 Jul 2016 at 4:23 a.m. CDT

hi Aliaksandr Samuseu, Thank you so much for your response. The SP in this case is our own product and we have full control over it; we are using spring security/saml and I am working on the SAML authentication part (currently a trial/proof of concept). Our idea is to transform certain values from the attribute "memberOf" into "role" and expose this "role" attribute via SAML. Yes, we can name this attribute with any name like "role4SAML". Can we modify the custom script "cache refresh" to somehow parse the "memberOf" attribute and transform it into a "role" attribute? Will the "cache refresh" script run for all currently existing users? We added some debugging code like "print user.getMail()" but it doesn't seem to be running (it only shows the test user in the log). Thanks and appreciate your help, cheers.

By Aliaksandr Samuseu staff 14 Jul 2016 at 9:09 a.m. CDT

Then you should be safe with something like "urn:gluu:somebogusname" and "urn:oid:some.numbers" for the SAML names of the attribute.

> Can we modify custom script "cache refresh" to somehow parse "memberOf" attribute and transform into "role" attribute?

That's one of the CR scripts' main functions.

> Will "cache refresh" script running for all current existing user? We added some debugging code like "print user.getMail()" but it doesn't seems to be running (only show the test user in the log).

Current CR logic won't make it update any user entry (and thus create an opportunity to run a script), unless at least one condition is met:

1. Some entry is changed in the backend; then only the entry in Gluu's internal directory that corresponds to that entry will be updated according to mappings, and processed by the script
2. A new attribute is added to the list of attributes to pull from the backend; in this case it will actually update all user entries
3. Contents of the snapshot directory are purged within the container; again, this will trigger a full update of all user entries

So you may employ 2) or 3) to update your users when you need it.
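The memberOf-to-role transformation discussed in this thread, as an added example that is not part of the original posts and not Gluu's own cache refresh script. Gluu's CR scripts are Jython and receive a Java user object; this is a plain Python model of the mapping step they would perform, so the `GROUP_TO_ROLE` table, the `derive_roles`/`update_user` names, the `role4SAML` target attribute and the sample group DNs are all assumptions constructed for illustration. It shows two points a practitioner would care about: the group name is taken from the first RDN of each memberOf DN (with RFC 4514 escaping handled, so a comma inside a group name does not break the parse), and only groups present in an explicit allow-list become roles, so unexpected backend groups are never exposed to the SP.

```python
"""Model of a memberOf -> role mapping as a cache refresh script would apply it.

Added example in plain Python, not Gluu's Jython cache refresh script. The
group DNs, the GROUP_TO_ROLE table and the sample user are constructed.
"""
import re

# Constructed allow-list: backend group name (the cn of the group DN) ->
# role value to expose in the SAML assertion. Groups absent from this
# table are deliberately dropped, so only known roles reach the SP.
GROUP_TO_ROLE = {
    "Domain Admins": "admin",
    "Developers": "developer",
    "Help Desk": "support",
}


def first_rdn_value(dn, attr="cn"):
    """Return the value of the first RDN of `dn` if its type is `attr`.

    Handles RFC 4514 backslash escapes (e.g. "cn=Smith\\, John,ou=..."),
    so an escaped comma inside the group name does not split the DN.
    Returns None when the DN is malformed or the first RDN has another type.
    """
    # Type, '=', then value characters up to the first unescaped comma.
    m = re.match(r"^\s*([^=]+?)\s*=\s*((?:\\.|[^,\\])*)", dn)
    if not m:
        return None
    rdn_type, raw_value = m.group(1), m.group(2)
    if rdn_type.lower() != attr.lower():
        return None
    # Remove the backslash from escaped characters ("\," -> ",").
    return re.sub(r"\\(.)", r"\1", raw_value).strip()


def derive_roles(member_of_values, group_to_role=GROUP_TO_ROLE):
    """Map a user's memberOf DNs to a sorted, de-duplicated role list."""
    roles = set()
    for dn in member_of_values or []:
        group = first_rdn_value(dn)
        if group is None:
            continue  # not a cn-based group DN; ignore it
        role = group_to_role.get(group)
        if role is not None:
            roles.add(role)
    return sorted(roles)


def update_user(user, group_to_role=GROUP_TO_ROLE, target_attr="role4SAML"):
    """Apply the mapping to a user record (a dict standing in for the
    user object a CR script receives). The target attribute is always
    written, even when empty, so a user removed from every mapped group
    loses stale roles instead of keeping the previous value.
    """
    user[target_attr] = derive_roles(user.get("memberOf"), group_to_role)
    return user


if __name__ == "__main__":
    # Constructed sample user with one mapped and one unmapped group.
    sample = {
        "uid": "jdoe",
        "memberOf": [
            "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com",
            "cn=Interns,ou=groups,dc=example,dc=com",
        ],
    }
    print(update_user(sample)["role4SAML"])
```

Because the roles are recomputed from scratch on every run rather than appended, re-running the script after a full refresh (conditions 2 or 3 above) yields the same result as an incremental update, which is the property you want before letting the SP trust the attribute for authorization.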

By Aliaksandr Samuseu staff 18 Jul 2016 at 9:50 a.m. CDT

Hi, ss jong. Should we keep this ticket open?

By san jong user 20 Jul 2016 at 12:33 a.m. CDT

hi Aliaksandr Samuseu, Thank you for your help and sorry for my late reply. We should be able to get the role attribute working once we fix some minor issues. Thanks once again. cheers