Exported from Confluence on Thu, 28 Mar 2024 23:30:37 +0000 (UTC)
Deprecated
This page shows how to configure a Shibboleth IdP to release the Essential Attribute Bundle.
It is straightforward to configure a Shibboleth IdP to release the Essential Attribute Bundle to any SP:
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySP">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
An Important Consequence of Releasing the Essential Attribute Bundle
If your deployment of eduPersonPrincipalName is non-reassigned, the above attribute release policy supports the Research & Scholarship Category as a side effect, without further configuration. If your deployment of eduPersonPrincipalName is reassigned, simply add the eduPersonTargetedID attribute to the above attribute release policy to meet the minimal requirements of the Research & Scholarship Category.
For Shib IdP v2.4.0 (and higher), an optimization is possible. The following configuration releases an attribute in the Essential Attribute Bundle if and only if that attribute is called out in SP metadata:
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySPIfRequested">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
The following pair of policy rules releases attributes to SPs registered by InCommon only. These policies are based on the following extension element in InCommon metadata:
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
    <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>
The value of the registrationAuthority
For Shibboleth IdP V3, release attributes to SPs registered by InCommon as follows:
<afp:PolicyRequirementRule xsi:type="saml:RegistrationAuthority" registrars="https://incommon.org"/>
The registrars XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.
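To check what the two rules above would actually release to a given SP before deploying them, here is an added Python example (not from the original page or the Shibboleth project) that simulates the saml:AttributeInMetadata rule with onlyIfRequired="false" and the saml:RegistrationAuthority rule against a constructed SP metadata fragment. The mapping of the policy's attributeIDs to SAML OID names, and the sample entityID, are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}

# Essential Attribute Bundle: the attributeIDs from the filter policy above, mapped to
# the SAML names an SP lists in md:RequestedAttribute. The mapping is an assumption
# about the IdP's attribute-resolver configuration (standard OID names).
BUNDLE = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "surname": "urn:oid:2.5.4.4",
}

# Constructed sample SP metadata (not a real entity): registered by InCommon and
# requesting three bundle attributes, one of them optional (isRequired="false").
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_attributes(sp_xml, only_if_required=False):
    """SAML names the SP requests; with only_if_required, just the isRequired="true" ones."""
    names = set()
    for ra in ET.fromstring(sp_xml).iterfind(".//md:RequestedAttribute", NS):
        required = ra.get("isRequired", "false").lower() == "true"
        if required or not only_if_required:
            names.add(ra.get("Name"))
    return names


def released_bundle(sp_xml, only_if_required=False):
    """Models releaseEssentialAttributesToAnySPIfRequested: a bundle attribute is released
    iff the SP's metadata requests it (nothing is released if no attributes are requested)."""
    requested = requested_attributes(sp_xml, only_if_required)
    return {aid for aid, name in BUNDLE.items() if name in requested}


def registered_by(sp_xml, registrars):
    """Models saml:RegistrationAuthority; 'registrars' is a space-separated list of IDs."""
    return any(ri.get("registrationAuthority") in registrars.split()
               for ri in ET.fromstring(sp_xml).iterfind(".//mdrpi:RegistrationInfo", NS))
```

Run released_bundle() against each SP's metadata in your feed to see exactly which bundle attributes the optimized policy would release, and registered_by() to confirm the registrars list matches the SPs you expect.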