Attribute Release For Cohortium Services

To access either the MFA Cohortium Registry or the MFA Cohortium Wiki, your institution's Identity Provider (IdP) must release the eduPersonPrincipalName (ePPN) attribute to the Cohortium's CoCoA platform. Ask your IdP's administrative contact either to support the Research and Scholarship Category (most preferred) or to release ePPN directly to the Registry and Wiki.

The MFA Cohortium Registry and the MFA Cohortium Wiki are Research & Scholarship (R&S) Service Providers, as shown on the InCommon Service Categories page. If your Identity Provider already supports the Research and Scholarship Category, there is nothing further you need to do. Those Identity Providers known to release attributes to R&S Service Providers are also listed on the InCommon Service Categories page.

To support R&S, an Identity Provider has to perform a few simple tasks. Alternatively, to release ePPN directly to the Registry and Wiki, an Identity Provider should follow the instructions below.

The following is an example of the configuration that the staff managing your institutional Identity Provider would need to add to the "attribute-filter.xml" Shibboleth IdP configuration file in order to release the needed attribute (ePPN) to the Internet2 ScalePriv MFA Cohortium Collaboration (CoCoA) environment-related SPs. There are actually two examples, one that just releases ePPN, and a second one that releases ePPN plus some additional attributes that would be useful to get, if your institution is so willing. (As noted before, if your institution already releases attributes to any service that has been approved to be in the "entity category" of Research & Scholarship, nothing more is needed – none of this additional configuration is required.)

Minimally needed attribute release for accessing the new Cohortium collaboration services/environment:

    <!--
        Release the ePPN to the Internet2 ScalePriv MFA Cohortium Collaboration (CoCoA) environment-related SPs.
        All the entityIDs for these SPs will be of the form:
          https://SPECIFICSERVICE.cohortium.internet2.edu/shibboleth
        Where 'SPECIFICSERVICE' will be values such as: 'wiki', 'registry', etc.
    -->
    <afp:AttributeFilterPolicy id="I2MFACohortium">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterRegex" regex="^https://[^.]+\.cohortium\.internet2\.edu/shibboleth$" />

        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

OR the following (required plus optional useful attributes):

    <!--
        Release the ePPN, first and last name, and email attributes to the
        Internet2 ScalePriv MFA Cohortium Collaboration (CoCoA) environment-related SPs.
        All the entityIDs for these SPs will be of the form:
          https://SPECIFICSERVICE.cohortium.internet2.edu/shibboleth
        Where 'SPECIFICSERVICE' will be values such as: 'wiki', 'registry', etc.
    -->
    <afp:AttributeFilterPolicy id="I2MFACohortium">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterRegex" regex="^https://[^.]+\.cohortium\.internet2\.edu/shibboleth$" />

        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="surname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>
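As an added check that is not part of the page's own configuration, the following Python script parses a stand-alone copy of the minimal policy above and confirms that the requester regex releases ePPN only to entityIDs of the documented form (https://SPECIFICSERVICE.cohortium.internet2.edu/shibboleth). It assumes the Shibboleth IdP v2 afp/basic namespace URIs, and the non-Cohortium entityIDs it tests are constructed lookalikes.

```python
import re
import xml.etree.ElementTree as ET

# Shibboleth IdP v2 attribute-filter namespaces; the page's fragment relies on afp:/basic:/xsi:
# being declared on the real attribute-filter.xml root, so this constructed copy declares them.
AFP_NS = "urn:mace:shibboleth:2.0:afp"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

POLICY_XML = r"""<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="I2MFACohortium">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterRegex"
        regex="^https://[^.]+\.cohortium\.internet2\.edu/shibboleth$" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

def load_policies(xml_text):
    """Map policy id -> (compiled requester regex, [attributeIDs]) for AttributeRequesterRegex policies."""
    root = ET.fromstring(xml_text)
    policies = {}
    for pol in root.iter("{%s}AttributeFilterPolicy" % AFP_NS):
        req = pol.find("afp:PolicyRequirementRule", {"afp": AFP_NS})
        if req is None or req.get("{%s}type" % XSI_NS) != "basic:AttributeRequesterRegex":
            continue
        attrs = [r.get("attributeID") for r in pol.findall("afp:AttributeRule", {"afp": AFP_NS})]
        policies[pol.get("id")] = (re.compile(req.get("regex")), attrs)
    return policies

def released_attributes(policies, requester_entity_id):
    """Attributes released to an SP entityID; Java's matches() is whole-string, hence fullmatch."""
    return {a for regex, attrs in policies.values() if regex.fullmatch(requester_entity_id) for a in attrs}

# Constructed entityIDs: the two Cohortium SPs plus strings that an unanchored pattern or one with
# unescaped dots would wrongly match, so any unexpected release points at a concrete weakening.
EXPECTED = {
    "https://wiki.cohortium.internet2.edu/shibboleth": True,
    "https://registry.cohortium.internet2.edu/shibboleth": True,
    "https://wiki.cohortium.internet2.edu/shibboleth/extra": False,                  # needs the $ anchor
    "https://sp.example.org/https://wiki.cohortium.internet2.edu/shibboleth": False,  # needs the ^ anchor
    "https://wikiXcohortiumXinternet2.edu/shibboleth": False,                        # needs escaped dots
    "https://wiki.other.cohortium.internet2.edu/shibboleth": False,                  # [^.]+ is one label
}

def audit(policies, expected=EXPECTED):
    """entityIDs whose release outcome differs from intent; an empty list means the filter is scoped as documented."""
    return [eid for eid, ok in expected.items() if bool(released_attributes(policies, eid)) != ok]
```

The same check applies unchanged to the second policy, which differs only in the list of AttributeRule elements.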