Convert a CILogon Config to R and S

If you are one of the many IdPs that already supports CILogon, it is very easy to convert your CILogon configuration to a more general R&S configuration since the attribute requirements for CILogon are precisely those attributes required for support of R&S.

Software Requirements

The software requirements for the upgrade described here include Shibboleth IdP v2.3.4 or later. First read how to configure your Shibboleth IdP to support R&S before continuing.

Your current CILogon configuration probably looks something like this:

<afp:AttributeFilterPolicy id="releaseToCILogon">

  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://cilogon.org/shibboleth"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

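Simply replace the policy requirement rule that matches the CILogon entityID with one that matches the R&S entity attribute. The policy id is renamed as well; the attribute rules stay the same: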

<afp:AttributeFilterPolicy id="releaseToRandS">

  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- this assumes your deployment of ePPN is non-reassigned, otherwise you MUST release ePTID as well -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

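That's it, you're done. Congratulations, you've just given your users access to all R&S SPs: the policy now releases these attributes to any SP whose metadata carries the R&S entity category, not just to CILogon.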
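A pre-deployment check for this conversion, as an added example that is not part of the original page or of Shibboleth: it parses an attribute-filter.xml and confirms that the new policy matches on the R&S entity category and releases exactly the attributes the CILogon policy did. The sample file and the attribute ID eduPersonTargetedID for ePTID are assumptions.

```python
import xml.etree.ElementTree as ET
AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RS = ("http://macedir.org/entity-category",
      "http://refeds.org/category/research-and-scholarship")
ATTRS = ["eduPersonPrincipalName", "email", "displayName", "givenName", "surname"]

def sample(new_attrs=ATTRS):  # constructed attribute-filter.xml, not a real deployment
    def rules(ids):
        return "".join(f'<afp:AttributeRule attributeID="{a}"><afp:PermitValueRule '
                       'xsi:type="basic:ANY"/></afp:AttributeRule>' for a in ids)
    return f"""<afp:AttributeFilterPolicyGroup id="constructedSample"
      xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
      xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <afp:AttributeFilterPolicy id="releaseToCILogon">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://cilogon.org/shibboleth"/>{rules(ATTRS)}
    </afp:AttributeFilterPolicy>
    <afp:AttributeFilterPolicy id="releaseToRandS">
      <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
          attributeName="{RS[0]}" attributeValue="{RS[1]}"/>{rules(new_attrs)}
    </afp:AttributeFilterPolicy></afp:AttributeFilterPolicyGroup>"""

def summarize(xml_text):
    """Map policy id -> (rule type local name, rule attributes, released IDs)."""
    out = {}
    for pol in ET.fromstring(xml_text).iter(AFP + "AttributeFilterPolicy"):
        req = pol.find(AFP + "PolicyRequirementRule")
        kind = req.get(XSI_TYPE, "").split(":")[-1]  # QName prefix is not resolved
        released = {r.get("attributeID") for r in pol.findall(AFP + "AttributeRule")}
        out[pol.get("id")] = (kind, dict(req.attrib), released)
    return out

def check_conversion(xml_text, eppn_reassigned=False):
    """Return problems found in the converted policy; an empty list means OK."""
    pols = summarize(xml_text)
    old = pols["releaseToCILogon"][2]
    kind, req, new = pols["releaseToRandS"]
    problems = []
    if (kind != "AttributeRequesterEntityAttributeExactMatch"
            or (req.get("attributeName"), req.get("attributeValue")) != RS):
        problems.append("requirement rule does not match the R&S entity category")
    if new != old:
        problems.append(f"release set differs: {sorted(new ^ old)}")
    # Assumption: ePTID is released under the attribute ID "eduPersonTargetedID".
    if eppn_reassigned and "eduPersonTargetedID" not in new:
        problems.append("ePPN is reassigned but ePTID is not released")
    return problems
```

Pass eppn_reassigned=True if your ePPN values can be reassigned, which is the case the comment in the R&S policy warns about.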

To have your IdP added to the list of IdPs that support R&S, fill out this short form (just 6 questions) that declares your willingness and ability to support R&S. Once this is done, your IdP will be added to the list, normally within one business day.
