...
title | A Shib IdP config that releases the R&S bundle to ALL R&S SPs |
<!-- for Shibboleth IdP V3.2.0 or later -->
<afp:AttributeFilterPolicy<AttributeFilterPolicy id="releaseRandSAttributeBundle">
<afp:PolicyRequirementRule<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
<!-- release of ePPN is REQUIRED -->
<afp:AttributeRule<AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule<PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
<afp:AttributeRule<AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule<PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<!-- release of email is REQUIRED -->
<afp:AttributeRule<AttributeRule attributeID="email">
<afp:PermitValueRule<PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
<afp:AttributeRule<AttributeRule attributeID="displayName">
<afp:PermitValueRule<PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule<AttributeRule attributeID="givenName">
<afp:PermitValueRule<PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule<AttributeRule attributeID="surname">
<afp:PermitValueRule<PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<!-- release of ePSA is OPTIONAL -->
<afp:AttributeRule<AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule<PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
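Review bot: The opening tags on the new side are unprefixed (`<AttributeFilterPolicy>`, `<AttributeRule>`, `<PermitValueRule>`), but every closing tag shown still carries the `afp:` prefix (`</afp:AttributeRule>`, `</afp:AttributeFilterPolicy>`). If that reflects the page itself and not just the diff rendering, the example is not well-formed XML, and a deployer who pastes it gets an attribute filter file that fails to parse. The closing tags should then become `</AttributeRule>` and `</AttributeFilterPolicy>`. The same mismatch shows at `</afp:PolicyRequirementRule>` in Example 1 and Example 2.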
...
title | Example 1: Releasing attributes to R&S SPs registered by InCommon |
<!-- for Shibboleth IdP V3.2.0 or later -->
<!-- policy relies on two entity attributes -->
<afp:PolicyRequirementRule<PolicyRequirementRule xsi:type="AND">
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule> |
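Review bot: Both conditions of this `AND` rule are entity attributes read from the SP's own metadata entry, and the example does not say so beyond "policy relies on two entity attributes". The restriction to InCommon-registered SPs therefore holds only as far as the IdP verifies the metadata that carries those values; an entity loaded from an unverified source could presumably assert both categories itself. I would add a comment such as `<!-- both categories come from SP metadata; use only with metadata whose signature the IdP verifies -->` above the rule. The same caveat applies to the single-category rule in the "ALL R&S SPs" policy above.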
title | Example 2: Releasing attributes to R&S SPs registered by InCommon |
<!-- for Shibboleth IdP V3.2.0 or later -->
<!-- policy relies on an entity attribute and the RegistrationInfo element -->
<afp:PolicyRequirementRule<PolicyRequirementRule xsi:type="AND">
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<Rule xsi:type="RegistrationAuthority" registrars="https://incommon.org"/>
</afp:PolicyRequirementRule> |
Note that the registrars
XML attribute takes a space-separated list of registrar IDs and therefore the previous configuration is more flexible.