...
Code Block |
---|
language | xml |
---|
title | A Shib IdP config that releases a fixed subset of the R&S bundle to ALL R&S SPs |
---|
|
<afp:AttributeFilterPolicy id="releaseFixedSubsetRandSAttributeBundle">
<!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
<afp:AttributeRule attributeID="displayName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- release of ePSA is OPTIONAL -->
<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
InCommon Example: Configure an IdP to Release a Dynamic Subset of R&S Attributes
InCommon recommends the following approach to configure Shibboleth IdP v2.4.3 (or later) to release a dynamic subset of the R&S Attribute Bundle by filtering the actual release of attributes based on <md:RequestedAttribute>
elements in SP metadata:
Code Block |
---|
language | xml |
---|
title | A Shib IdP config that releases a dynamic subset of the R&S bundle to ALL R&S SPs |
---|
|
<afp:AttributeFilterPolicy id="releaseDynamicSubsetRandSAttributeBundle">
<!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<!-- a dynamic subset of the Research & Scholarship Attribute Bundle -->
<!-- release ePPN iff ePPN is listed in metadata -->
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<!-- release ePTID iff either ePTID or ePPN are listed in metadata -->
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:OR">
<basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
<basic:Rule xsi:type="saml:AttributeInMetadata"
attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional -->
<!-- release mail iff mail is listed in metadata -->
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<!-- release displayName iff displayName or (givenName + sn) are listed in metadata -->
<afp:AttributeRule attributeID="displayName">
<afp:PermitValueRule xsi:type="basic:OR">
<basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
<basic:Rule xsi:type="basic:AND">
<basic:Rule xsi:type="saml:AttributeInMetadata"
attributeName="urn:oid:2.5.4.42"/>
<basic:Rule xsi:type="saml:AttributeInMetadata"
attributeName="urn:oid:2.5.4.4"/>
<basic:Rule xsi:type="basic:AND">
</afp:PermitValueRule>
</afp:AttributeRule>
<!-- release givenName iff givenName or displayName are listed in metadata -->
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="basic:OR">
<basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
<basic:Rule xsi:type="saml:AttributeInMetadata"
attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<!-- release surname iff surname or displayName are listed in metadata -->
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="basic:OR">
<basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
<basic:Rule xsi:type="saml:AttributeInMetadata"
attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<!-- release ePSA iff ePSA is listed in metadata -->
<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<!-- since ePSA is OPTIONAL, the above rule may be commented out -->
</afp:AttributeFilterPolicy> |
Visit the Shibboleth wiki for more information about type saml:AttributeInMetadata
.