...
| Tip | ||
|---|---|---|
| ||
| Once you've configured your IdP to release attributes to R&S SPs as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. That is, in fact, the whole point of using entity attributes to configure attribute release policy. |
Aconet Example: Configuring an IdP
Aconet provides guidance to both SPs and IdPs on its wiki pages for R&S implementation. The following is the example policy for IdPs from Aconet:
| Code Block |
|---|
<afp:AttributeFilterPolicy id="REFEDSResearchAndScholarship">
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<!-- Minimal subset of the "R and S" attribute bundle. -->
<!-- If ePPN values could be reassigned you MUST also release eduPersonTargetedID -->
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="displayName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<!-- Other attributes only if requested (could also be released unconditionally) -->
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
|
InCommon Example: Configure an IdP to Release a Fixed Subset of R&S Attributes
Configure Shibboleth IdP v2.3.4 (or later) to release a fixed subset of the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<afp:AttributeFilterPolicy id="releaseFixedSubsetRandSAttributeBundle">
<!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
<afp:AttributeRule attributeID="displayName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- release of ePSA is OPTIONAL -->
<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
InCommon Example: Configure an IdP to Release a Dynamic Subset of R&S Attributes
Configure Shibboleth IdP v2.4.3 (or later) to release a dynamic subset of the R&S Attribute Bundle by filtering the actual release of attributes based on <md:RequestedAttribute> elements in SP metadata:
...