- Created by Albert Wu (internet2.edu), last modified on May 11, 2020
To release attributes to all current and future Research & Scholarship SPs with a one-time configuration, an Identity Provider defines the attribute release using entity attributes instead of entity IDs. This page provides instructions for popular Identity Provider software.
Step 1: Configure your IdP
Configure Shibboleth IdP to release R&S Attributes
The following example illustrates how to configure a Shibboleth IdP (v3 or newer) to release the R&S Attribute Bundle to all eduGAIN Research & Scholarship SPs:
<!-- for Shibboleth IdP V3.2.0 or later -->
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->

    <!-- release of ePPN is REQUIRED -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of email is REQUIRED -->
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of ePSA is OPTIONAL -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
Configure ADFS to release R&S attributes using ADFSToolkit
Microsoft Active Directory Federation Service (ADFS) does not have built-in support for REFEDS R&S attribute release. However, it is possible to do so with ADFSToolkit.
ADFSToolkit, a set of PowerShell scripts developed by CANARIE (the Canadian research and education federation), connects your ADFS IdP with the R&E Federation. ADFSToolkit works with R&S by default. To learn more:
- Get ADFSToolkit
- Canadian Access Federation ADFSToolkit Installation Guide
- Consuming federation metadata with ADFSToolkit (documentation from SWAMID, the Swedish federation)
Step 2: Cleaning up - remove obsolete attribute release rules
Once you've configured your IdP to release attributes to R&S SPs as described above, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.
Step 3: Declare your support for R&S
Don't forget to let others know you now support R&S. Declare your support for R&S via the Federation Manager.
Step 4: Validate your configuration
Once you have verified that your declaration has been published in the InCommon metadata, you can verify your configuration using one of the following test tools:
- eduGAIN Attribute Release Check
- Federated SSO test page, provided by the GENI Experimenter Portal, an official R&S SP.