Date: Thu, 28 Mar 2024 22:46:36 +0000 (UTC)
Subject: Exported From Confluence
One disadvantage compared with the legacy aggregates is that there is no easy, out-of-the-box way to tell whether an entity came from the InCommon metadata bundle, because the entities are no longer grouped inside an entities element in the XML. Instead, a single entity is returned without the enclosing entities element. This can break things like attribute release policies built around releasing a certain set of attributes to all service providers in the InCommon federation. You could still check whether an entity was registered by InCommon, but that does not help when the entity came from eduGAIN and is merely published by InCommon.
Luckily, Keith Wessel (illinois.edu) from the University of Illinois has come up with a clever solution to get around this problem. This method involves adding an entity attribute to every entity from this provider. It wasn't recommended for the file-based aggregate, since tagging every entity each time the metadata was reloaded got quite expensive, but for per-entity metadata it only applies to an individual entity each time that entity is loaded.
In your metadata providers file, add a couple of lines that attach an entity attribute via a filter on the metadata provider, like so:
<!-- InCommon Per-Entity Metadata Distribution Service -->
<MetadataProvider id="incommon" xsi:type="DynamicHTTPMetadataProvider" maxCacheDuration="86400" minCacheDuration="60">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="%{idp.home}/credentials/inc-mdq-preview.pem" />
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
    <!-- The lines below add an entity attribute to every entity from this provider -->
    <MetadataFilter xsi:type="EntityAttributes">
        <saml:Attribute Name="source_of_metadata">
            <saml:AttributeValue>incommon-mdq</saml:AttributeValue>
        </saml:Attribute>
        <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    </MetadataFilter>
    <!-- End of section -->
    <MetadataQueryProtocol>http://mdq-preview.incommon.org/</MetadataQueryProtocol>
</MetadataProvider>
Then release attributes to everyone carrying that entity attribute. This example releases if either the new entity attribute is set or the old metadata entity group matches, for backwards compatibility with the legacy aggregates.
<!-- Release default attributes to all SPs in InCommon if requested -->
<AttributeFilterPolicy id="IncommonRelease">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="InEntityGroup" groupID="urn:mace:incommon" />
        <Rule xsi:type="EntityAttributeExactMatch" attributeName="source_of_metadata" attributeValue="incommon-mdq" />
    </PolicyRequirementRule>

    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="AttributeInMetadata" matchIfMetadataSilent="true" onlyIfRequired="false" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" ignoreCase="true" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="AttributeInMetadata" matchIfMetadataSilent="true" onlyIfRequired="false" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="AttributeInMetadata" matchIfMetadataSilent="true" onlyIfRequired="false" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="AttributeInMetadata" matchIfMetadataSilent="true" onlyIfRequired="false" />
    </AttributeRule>
    <AttributeRule attributeID="sn">
        <PermitValueRule xsi:type="AttributeInMetadata" matchIfMetadataSilent="true" onlyIfRequired="false" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="AttributeInMetadata" matchIfMetadataSilent="true" onlyIfRequired="false" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="AttributeInMetadata" matchIfMetadataSilent="true" onlyIfRequired="false" />
    </AttributeRule>
</AttributeFilterPolicy>
If you did not want to have every entity tagged, you could instead tag only the specific entities that should not get the attributes released to them, like so:
...
<MetadataFilter xsi:type="EntityAttributes">
    <saml:Attribute Name="attribute-release">
        <saml:AttributeValue>no-default-attributes</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://we.dont.need.no.stinkin.attributes/shibboleth</Entity>
    <Entity>https://another.sp.that.shouldnt.get.default.attributes/shibboleth</Entity>
</MetadataFilter>
...
And then the filter config looks like this:
<!-- Release default attributes to all SPs in InCommon if requested -->
<AttributeFilterPolicy id="IncommonRelease">
    <PolicyRequirementRule xsi:type="NOT">
        <Rule xsi:type="EntityAttributeExactMatch" attributeName="attribute-release" attributeValue="no-default-attributes" />
    </PolicyRequirementRule>

    ...
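To make the mechanism behind both configurations concrete (the opt-in tag with the OR policy above, and the opt-out tag with the NOT policy here), the following Python model is an added example, not code from this page or from the Shibboleth project. It parses a constructed legacy aggregate and a constructed MDQ-style response with the standard library, shows why an InEntityGroup-style ancestor check finds no group in the per-entity response, injects an entity attribute the way the EntityAttributes filter does with ConditionRef TRUE, and evaluates the two policy requirement rules. All function names, the sample entityID and the XML strings are assumptions made for the example; the attribute names and values are the ones used in the configurations on this page.

```python
"""Model of how an attribute filter sees entity metadata (added example)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

SP = "https://sp.example.edu/shibboleth"  # constructed entityID

# Constructed: a legacy aggregate wraps every entity in a named EntitiesDescriptor.
AGGREGATE_XML = f"""<EntitiesDescriptor xmlns="{MD}" Name="urn:mace:incommon">
  <EntityDescriptor entityID="{SP}"/>
</EntitiesDescriptor>"""

# Constructed: a per-entity (MDQ) response is one bare EntityDescriptor.
MDQ_XML = f'<EntityDescriptor xmlns="{MD}" entityID="{SP}"/>'


def load_metadata(xml_text):
    """Parse a metadata document and return its root element."""
    return ET.fromstring(xml_text)


def find_entity(root, entity_id):
    """Locate an EntityDescriptor whether it is the root or nested in a group."""
    for el in root.iter(f"{{{MD}}}EntityDescriptor"):
        if el.get("entityID") == entity_id:
            return el
    return None


def in_entity_group(root, entity, group_id):
    """Behaviour of the InEntityGroup rule: some enclosing EntitiesDescriptor
    must carry Name == group_id. ElementTree has no parent links, so a parent
    map is built first; a bare EntityDescriptor has no ancestors at all."""
    parents = {child: parent for parent in root.iter() for child in parent}
    node = parents.get(entity)
    while node is not None:
        if node.tag == f"{{{MD}}}EntitiesDescriptor" and node.get("Name") == group_id:
            return True
        node = parents.get(node)
    return False


def entity_attribute_values(entity, name):
    """Read the values of one entity attribute from md:Extensions."""
    path = f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes/{{{SAML}}}Attribute"
    values = []
    for attr in entity.iterfind(path):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind(f"{{{SAML}}}AttributeValue"))
    return values


def tag_entity(entity, name, value):
    """What an EntityAttributes filter with ConditionRef TRUE does: add the
    attribute to the entity's Extensions, creating the containers as needed."""
    ext = entity.find(f"{{{MD}}}Extensions")
    if ext is None:
        ext = ET.Element(f"{{{MD}}}Extensions")
        entity.insert(0, ext)  # Extensions must precede the role descriptors
    ea = ext.find(f"{{{MDATTR}}}EntityAttributes")
    if ea is None:
        ea = ET.SubElement(ext, f"{{{MDATTR}}}EntityAttributes")
    attr = ET.SubElement(ea, f"{{{SAML}}}Attribute", Name=name)
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value


def incommon_release_allowed(root, entity):
    """PolicyRequirementRule OR: legacy group membership or the new tag."""
    return (in_entity_group(root, entity, "urn:mace:incommon")
            or "incommon-mdq" in entity_attribute_values(entity, "source_of_metadata"))


def default_release_allowed(entity):
    """PolicyRequirementRule NOT: the opt-out tag blocks the default release."""
    return "no-default-attributes" not in entity_attribute_values(entity, "attribute-release")


def demo():
    """Compare the two metadata shapes before and after tagging the MDQ entity."""
    agg = load_metadata(AGGREGATE_XML)
    mdq = load_metadata(MDQ_XML)
    before = incommon_release_allowed(mdq, find_entity(mdq, SP))
    tag_entity(find_entity(mdq, SP), "source_of_metadata", "incommon-mdq")
    after = incommon_release_allowed(mdq, find_entity(mdq, SP))
    return {
        "aggregate_group_match": in_entity_group(agg, find_entity(agg, SP), "urn:mace:incommon"),
        "mdq_before_tag": before,
        "mdq_after_tag": after,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the group rule matching for the aggregate, failing for the untagged MDQ entity, and the OR policy passing once the tag is present; the opt-out helper inverts the logic so that only entities tagged `attribute-release=no-default-attributes` are excluded.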