Attribute Release For COmanage Services

To access either the COmanage Registry or the associated collaboration tools, a user's Identity Provider (IdP) must release the eduPersonPrincipalName (ePPN) attribute to the collaboration platform. Ask your IdP's administrative contact either to support the REFEDS Research & Scholarship entity category (most preferred) or to release ePPN directly to the Registry and associated applications.

To support the R&S entity category, an IdP has to perform a few simple tasks. Alternatively, to release ePPN directly to the Registry and Wiki, an IdP should follow the instructions below.

The following is an example of the configuration that the staff managing an institutional Identity Provider would need to add to the "attribute-filter.xml" Shibboleth IdP configuration file in order to release the needed attribute (ePPN). There are actually two examples, one that just releases ePPN, and a second one that releases ePPN plus some additional attributes that would be useful to improve the user experience within the platform, if your institution is so willing. (As noted before, if your institution already releases attributes to any service that has been approved to be in the "entity category" of Research & Scholarship, nothing more is needed – none of this additional configuration is required.)

Minimum attribute release needed to access the collaboration services/environment for the MFA Cohortium Collaboration:

<!--
    Release the ePPN to the Internet2 ScalePriv MFA Cohortium Collaboration (CoCoA) environment-related SPs.
    All the entityIDs for these SPs will be of the form:
      https://SPECIFICSERVICE.cohortium.internet2.edu/shibboleth
    Where 'SPECIFICSERVICE' will be values such as: 'wiki', 'registry', etc.
-->
<afp:AttributeFilterPolicy id="I2MFACohortium">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterRegex" regex="^https://[^.]+\.cohortium\.internet2\.edu/shibboleth$" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

OR the following (required plus optional useful attributes):

<!--
    Release the ePPN, first and last name, and email attributes to the
    Internet2 ScalePriv MFA Cohortium Collaboration (CoCoA) environment-related SPs.
    All the entityIDs for these SPs will be of the form:
      https://SPECIFICSERVICE.cohortium.internet2.edu/shibboleth
    Where 'SPECIFICSERVICE' will be values such as: 'wiki', 'registry', etc.
-->
<afp:AttributeFilterPolicy id="I2MFACohortium">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterRegex" regex="^https://[^.]+\.cohortium\.internet2\.edu/shibboleth$" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
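
Before deploying either policy, an IdP operator can check which requesters it actually covers. The following Python code is an added example, not part of the original page or of Shibboleth: it evaluates the first (ePPN-only) policy against constructed entityIDs. The wrapper policy group id, the function name and the sample entityIDs are assumptions, and only the AttributeRequesterRegex and ANY rule types used on this page are modelled.

```python
import re
import xml.etree.ElementTree as ET

# Shibboleth IdP v2 filter namespaces; the page's snippet inherits them from its policy group.
AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# The page's ePPN-only policy inside a wrapper group (wrapper id is constructed).
POLICY_XML = r"""
<afp:AttributeFilterPolicyGroup id="ExamplePolicyGroup"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="I2MFACohortium">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterRegex"
        regex="^https://[^.]+\.cohortium\.internet2\.edu/shibboleth$" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

def released_attributes(policy_xml, requester_entity_id):
    """Return the sorted attribute IDs the policies release to this requester."""
    released = set()
    for policy in ET.fromstring(policy_xml).iter(f"{{{AFP}}}AttributeFilterPolicy"):
        rule = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        # Simplification: xsi:type is compared as literal text, prefix included.
        if rule is None or rule.get(f"{{{XSI}}}type") != "basic:AttributeRequesterRegex":
            continue
        # fullmatch: the entire entityID must match, with no trailing characters.
        if not re.fullmatch(rule.get("regex"), requester_entity_id):
            continue
        for attr_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            permit = attr_rule.find(f"{{{AFP}}}PermitValueRule")
            if permit is not None and permit.get(f"{{{XSI}}}type") == "basic:ANY":
                released.add(attr_rule.get("attributeID"))
    return sorted(released)

if __name__ == "__main__":
    # Constructed entityIDs: one expected SP and three that must receive nothing.
    for sp in ["https://wiki.cohortium.internet2.edu/shibboleth",
               "http://wiki.cohortium.internet2.edu/shibboleth",
               "https://a.b.cohortium.internet2.edu/shibboleth",
               "https://wiki.cohortium.internet2.edu.example.org/shibboleth"]:
        print(sp, "->", released_attributes(POLICY_XML, sp))
```
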