To support the Research and Scholarship Category, an IdP releases the R&S attribute bundle to all R&S SPs, including R&S SPs in other federations. See below for detailed configuration instructions.
Software Requirements
To release attributes to all current and future R&S SPs with a one-time configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. To release a dynamic subset of the R&S attribute bundle based on <md:RequestedAttribute> elements in SP metadata, Shibboleth IdP v2.4.3 (or later) is required.
No other SAML IdP software is known to support entity attributes at this time.
Optimize your IdP configuration
ACOnet Example: Configuring an IdP
ACOnet provides an example attribute policy rule (and NameID overrides) for the R&S Category.
InCommon Example: Configure an IdP to Release a Fixed Subset of R&S Attributes
InCommon recommends the following attribute filter policy to configure Shibboleth IdP v2.3.4 (or later) to release a fixed subset of the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations:
<afp:AttributeFilterPolicy id="releaseFixedSubsetRandSAttributeBundle">

    <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- release of ePSA is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>
Visit the Shibboleth wiki for more information about type saml:AttributeInMetadata.
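 
The dynamic-subset variant mentioned under Software Requirements (Shibboleth IdP v2.4.3 or later) is not shown on this page; the policy below is an added example, not InCommon's or ACOnet's own configuration. It keeps the same R&S entity-attribute trigger, releases ePPN unconditionally (a choice made for this example), and gates every other bundle member on the <md:RequestedAttribute> elements in the SP's metadata via saml:AttributeInMetadata. It assumes each IdP attribute has a SAML 2 encoder, since that encoded Name is what the rule compares against the SP's RequestedAttribute Name.

```xml
<afp:AttributeFilterPolicy id="releaseDynamicSubsetRandSAttributeBundle">

    <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- ePPN anchors the bundle, so this example releases it to every R&S SP -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- Each remaining attribute is released only if the SP's metadata lists it.
         onlyIfRequired="false": a RequestedAttribute with isRequired="false" still matches.
         matchIfMetadataSilent="true": an SP with no RequestedAttribute elements at all
         still receives the attribute, so an R&S SP that publishes no
         AttributeConsumingService is not silently starved of the bundle. -->
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata"
            onlyIfRequired="false" matchIfMetadataSilent="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata"
            onlyIfRequired="false" matchIfMetadataSilent="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata"
            onlyIfRequired="false" matchIfMetadataSilent="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata"
            onlyIfRequired="false" matchIfMetadataSilent="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata"
            onlyIfRequired="false" matchIfMetadataSilent="true"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata"
            onlyIfRequired="false" matchIfMetadataSilent="true"/>
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>
```

Setting matchIfMetadataSilent="false" instead turns the policy into a strict least-privilege release, where an SP that requests nothing receives only ePPN; confirm which behaviour your federation's R&S guidance expects before choosing.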