
To release attributes to all current and future Research & Scholarship SPs with a one-time configuration, an Identity Provider defines the attribute release using entity attributes instead of entity IDs. This page provides instructions for popular Identity Provider software.


Step 1: Configure your IdP

Configure Shibboleth IdP to release R&S Attributes

The following example illustrates how to configure a Shibboleth IdP (v3 or newer) to release the R&S Attribute Bundle to all eduGAIN Research & Scholarship SPs:

A Shib IdP config that releases the R&S bundle to ALL R&S SPs:
<!-- for Shibboleth IdP V3.2.0 or later -->
 
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
 
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
 
  <!-- release of ePPN is REQUIRED -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- release of email is REQUIRED -->
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- release of ePSA is OPTIONAL -->
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

Configure ADFS to release R&S attributes using ADFSToolkit

Microsoft Active Directory Federation Service (ADFS) does not have built-in support for REFEDS R&S attribute release. However, it is possible to do so with ADFSToolkit. 

ADFSToolkit, a set of PowerShell scripts developed by CANARIE (the Canadian research and education federation), connects your ADFS IdP with the R&E Federation. By default, ADFSToolkit works with R&S. To learn more:

Step 2: Cleaning up - remove obsolete attribute release rules 

Once you've configured your IdP to release attributes to R&S SPs as described above, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.

Step 3: Declare your support for R&S

Don't forget to let others know you now support R&S. Declare your support for R&S via the Federation Manager.

Step 4: Validate your configuration

Once you have verified that your declaration has been published in the InCommon metadata, you can verify your configuration using one of the following test tools:
