...
Tip: Once you have configured your IdP to release attributes to R&S SPs as described below, remove all references to the entity IDs of individual R&S SPs from your IdP configuration files. Replacing per-SP rules with a single rule keyed on the entity attribute is the whole point of using entity attributes to configure attribute release policy.
Aconet Example: Configuring an IdP
Aconet provides guidance to both SPs and IdPs on its wiki pages for R&S implementation. The following is the example policy for IdPs from Aconet:
```xml
<afp:AttributeFilterPolicy id="REFEDSResearchAndScholarship">
    <!-- Applies to every SP whose metadata carries the R&S entity attribute (Shibboleth IdP v2 rule type) -->
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- Minimal subset of the "R and S" attribute bundle. -->
    <!-- If ePPN values could be reassigned you MUST also release eduPersonTargetedID.
         Note that the AttributeInMetadata rule below releases ePTID only when the SP
         lists it in <md:RequestedAttribute>; to release it unconditionally use basic:ANY. -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <!-- Other attributes only if requested in SP metadata (could also be released unconditionally) -->
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
InCommon Example: Configure an IdP to Release a Fixed Subset of R&S Attributes
Configure Shibboleth IdP v2.3.4 (or later) to release a fixed subset of the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:
```xml
<afp:AttributeFilterPolicy id="releaseFixedSubsetRandSAttributeBundle">
    <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <!-- release of ePSA is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
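Before editing attribute-filter.xml it is worth checking what the Aconet policy and the InCommon fixed-subset policy above would actually release for a given SP. The following script is an added example written for this page; it is not code from Aconet, InCommon, REFEDS or the Shibboleth project. It re-implements only the three filter semantics used above (the entity-category PolicyRequirementRule, basic:ANY, and saml:AttributeInMetadata with onlyIfRequired) and runs both policies against constructed SP metadata. It assumes the IdP encodes the listed attribute IDs under the standard SAML 2.0 OID names (the SAML_NAME table); the helper names permitted_attributes, sp_metadata, RS_SP and PLAIN_SP are this example's own.

```python
"""Dry-run an R&S attribute filter policy against SP metadata.

Added example (not Aconet, InCommon, REFEDS or Shibboleth code): a minimal model of
the IdP filter rules used on this page, run against constructed SP metadata.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# Assumption: the IdP encodes these attribute IDs under the standard SAML 2.0
# OID names, which is what SPs put in <md:RequestedAttribute Name="...">.
SAML_NAME = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "surname": "urn:oid:2.5.4.4",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
}

# A policy is a list of (attributeID, PermitValueRule type, onlyIfRequired),
# one tuple per <afp:AttributeRule>; onlyIfRequired is unused for basic:ANY.
ANY, IN_METADATA = "basic:ANY", "saml:AttributeInMetadata"
ACONET_POLICY = [
    ("eduPersonPrincipalName", ANY, None),
    ("eduPersonTargetedID", IN_METADATA, False),
    ("email", ANY, None),
    ("displayName", ANY, None),
    ("givenName", IN_METADATA, False),
    ("surname", IN_METADATA, False),
    ("eduPersonScopedAffiliation", IN_METADATA, False),
]
INCOMMON_FIXED_POLICY = [(attr, ANY, None) for attr in SAML_NAME]


def entity_categories(root):
    """Values of the entity-category entity attribute in <mdattr:EntityAttributes>."""
    values = set()
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            values.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def requested_attributes(root):
    """SAML attribute Name -> isRequired, from the SP's <md:RequestedAttribute> elements."""
    path = ".//md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("Name"): ra.get("isRequired", "false").lower() in ("true", "1")
            for ra in root.findall(path, NS)}


def permitted_attributes(policy, metadata_xml):
    """Attribute IDs the policy permits for this SP, in policy order.

    Returns [] when the SP lacks the R&S category: the PolicyRequirementRule fails
    and the whole policy is skipped. Per-value filtering is not modelled here.
    """
    root = ET.fromstring(metadata_xml)
    if RS_CATEGORY not in entity_categories(root):
        return []
    requested = requested_attributes(root)
    permitted = []
    for attribute_id, rule, only_if_required in policy:
        if rule == ANY:
            permitted.append(attribute_id)
        elif rule == IN_METADATA:
            name = SAML_NAME[attribute_id]
            if name in requested and (requested[name] or not only_if_required):
                permitted.append(attribute_id)
    return permitted


def sp_metadata(entity_id, categories, requested):
    """Build a minimal SP EntityDescriptor; constructed test data, not real metadata."""
    cats = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    ext = ("<md:Extensions><mdattr:EntityAttributes>"
           f'<saml:Attribute Name="{ENTITY_CATEGORY}" '
           'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
           f"{cats}</saml:Attribute></mdattr:EntityAttributes></md:Extensions>") if categories else ""
    reqs = "".join(f'<md:RequestedAttribute Name="{n}" isRequired="{str(r).lower()}"/>'
                   for n, r in requested)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
            f'xmlns:saml="{NS["saml"]}" entityID="{entity_id}">{ext}'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Example SP</md:ServiceName>'
            f"{reqs}</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>")


# Constructed SPs: an R&S SP that requires ePPN and mail and optionally asks for
# givenName, and an otherwise identical SP without the R&S category.
RS_SP = sp_metadata("https://sp.example.org/shibboleth", [RS_CATEGORY],
                    [(SAML_NAME["eduPersonPrincipalName"], True),
                     (SAML_NAME["email"], True),
                     (SAML_NAME["givenName"], False)])
PLAIN_SP = sp_metadata("https://other.example.org/shibboleth", [],
                       [(SAML_NAME["eduPersonPrincipalName"], True)])

if __name__ == "__main__":
    for label, policy in (("Aconet", ACONET_POLICY), ("InCommon fixed", INCOMMON_FIXED_POLICY)):
        print(f"{label}: R&S SP -> {permitted_attributes(policy, RS_SP)}; "
              f"non-R&S SP -> {permitted_attributes(policy, PLAIN_SP)}")
```

Against the constructed R&S SP the Aconet policy permits ePPN, email, displayName and givenName (the AttributeInMetadata rules for ePTID, surname and ePSA find nothing in metadata), the InCommon fixed policy permits all seven, and neither releases anything to the SP without the category. To dry-run against real metadata, feed an EntityDescriptor from your federation aggregate to permitted_attributes and adjust SAML_NAME to the encoder names in your attribute-resolver.xml; the real IdP rule also honours AttributeValue children under RequestedAttribute, which this model ignores.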
InCommon Example: Configure an IdP to Release a Dynamic Subset of R&S Attributes
Configure Shibboleth IdP v2.4.3 (or later) to release a dynamic subset of the R&S Attribute Bundle by filtering the actual release of attributes based on the <md:RequestedAttribute> elements in SP metadata:
...