Deprecated
Note that this page has been deprecated; the information they contain is no longer current. The page has been retained for historical purposes only.
This page shows how to configure a Shibboleth IdP to release the Essential Attribute Bundle.
Contents:
Release the Essential Attribute Bundle to Any SP
It is straightforward to configure a Shibboleth IdP to release the Essential Attribute Bundle to any SP:
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySP"> <afp:PolicyRequirementRule xsi:type="basic:ANY"/> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>
An Important Consequence of Releasing the Essential Attribute Bundle
If your deployment of eduPersonPrincipalName
is non-reassigned, the above attribute release policy supports the Research & Scholarship Category as a side effect, without further configuration. If your deployment of eduPersonPrincipalName
is reassigned, simply add the eduPersonTargetedID
attribute to the above attribute release policy to meet the minimal requirements of the Research & Scholarship Category.
For Shib IdP v2.4.0 (and higher), an optimization is possible. The following configuration releases an attribute in the Essential Attribute Bundle if and only if that attribute is called out in SP metadata:
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySPIfRequested"> <afp:PolicyRequirementRule xsi:type="basic:ANY"/> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>
Release the Essential Attribute Bundle to SPs Registered by InCommon
The following pair of policy rules release attributes to SPs registered by InCommon only. These policies are based on the following extension element in InCommon metadata:
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"> <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/> </md:Extensions>
The value of the registrationAuthority
XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".
For Shib IdP v3.0.0 and higher
For Shibboleth IdP V3, release attributes to SPs registered by InCommon as follows:
<afp:PolicyRequirementRule xsi:type="saml:RegistrationAuthority" registrars="https://incommon.org"/>
registrars
XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.