To support the Research and Scholarship Category, an IdP operator has at least two configuration options:
...
...
configures the IdP to release the R&S attribute bundle to all R&S
...
Visit the parent page for basic info about the R&S Attribute Bundle. See the sections below for detailed configuration instructions.
...
Other IdP Configuration Options
...
SPs,
...
...
Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:
```xml
<!-- for Shibboleth IdP V3.2.0 or later -->
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

    <afp:PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->

    <!-- release of ePPN is REQUIRED -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

    <!-- release of email is REQUIRED -->
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

    <!-- release of ePSA is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>
```
...
Configure an IdP to Release R&S Attributes Locally
An IdP that supports R&S locally is configured with a policy rule that releases the R&S Attribute Bundle to R&S SPs registered by InCommon only. To do this, an instance of Shibboleth IdP V3 leverages the Registered By InCommon Category and/or MD-RPI Elements as shown in the following pair of examples:
```xml
<!-- for Shibboleth IdP V3.2.0 or later -->
<!-- policy relies on two entity attributes -->
<afp:PolicyRequirementRule xsi:type="AND">
    <Rule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <Rule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>
```
```xml
<!-- for Shibboleth IdP V3.2.0 or later -->
<!-- policy relies on an entity attribute and the RegistrationInfo element -->
<afp:PolicyRequirementRule xsi:type="AND">
    <Rule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <Rule xsi:type="RegistrationAuthority" registrars="https://incommon.org"/>
</afp:PolicyRequirementRule>
```
...