To support the Research and Scholarship Category, an IdP has at least two options:

- The IdP operator configures the IdP to release the R&S attribute bundle (or a fixed subset of it) to all R&S SPs. This is a one-time configuration that covers all current and future R&S SPs.
- The IdP operator configures the IdP to release, to each R&S SP individually, only the subset of the R&S bundle that the SP requests in its metadata.

Software Requirements
The Shibboleth IdP software supports the first option out-of-the-box. The second option requires a special plugin at the Shibboleth IdP.
In either case, an IdP leverages entity attributes (instead of entity IDs) to support R&S. Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later (the first example below is written for IdP V3), which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. (No other SAML IdP software is known to support entity attributes at this time.)
Info: Shibboleth IdP v2.3.4 was released on October 27, 2011. For IdPs prior to v2.3.4, InCommon provides an XSLT tool that filters InCommon metadata into an explicit
Note: Once you've configured your IdP to release attributes to R&S SPs as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.

Tip: Once you've configured your IdP, you can test your configuration using the test page provided by the GENI Experimenter Portal, an official R&S SP.

Release a Fixed Subset of the R&S Bundle

To release a fixed subset of the R&S bundle (or the complete R&S bundle itself) to all R&S SPs, including R&S SPs in other federations, configure a new <AttributeFilterPolicy> element that refers to the R&S entity attribute. The following example (for Shibboleth IdP V3.2.0 or later) releases the complete R&S bundle to all R&S SPs:
```xml
<!-- for Shibboleth IdP V3.2.0 or later -->
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- release of ePPN is REQUIRED -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of email is REQUIRED -->
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of ePSA is OPTIONAL -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
```
To release some other subset of the R&S bundle, simply customize the above example to match your policy.
Release a Dynamic Subset of the R&S Bundle

To dynamically release a subset of the R&S bundle to each R&S SP on an SP-by-SP basis, configure a new <AttributeFilterPolicy> element that refers to the R&S entity attribute but limits attribute release to the <md:RequestedAttribute> elements in SP metadata. This leads to the following two-step configuration process:

- Install and configure a general-purpose plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.
- Configure a new <AttributeFilterPolicy> element for R&S SPs.
These two configuration steps taken together constrain the release of attributes to precisely those attributes requested by R&S SPs (assuming those attributes constitute a subset of the R&S bundle).
Install and Configure the Plugin
The uApprove addon to the Shibboleth IdP includes a plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.
Info: The uApprove addon is not required to release attributes to R&S SPs. The steps below do not install uApprove but rather a plugin included in the uApprove package.
To install and configure the plugin, perform the following steps:

The plugin adds a new PermitValueRule of type ua:AttributeInMetadata.
Configure a New AttributeFilterPolicy
The following IdP configuration implicitly releases attributes to any R&S SP. An attribute is released if and only if it is listed in SP metadata.
```xml
<AttributeFilterPolicy id="releaseToRandS"
    xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://id.incommon.org/attribute/entity/category"
        attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

    <!-- each attribute is released only if the SP requests it in metadata -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="surName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
</AttributeFilterPolicy>
```
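The entity-attribute match described under Software Requirements and the RequestedAttribute-limited release described in this section, modelled together in one runnable script. This is an added example, not code from the InCommon page or from the Shibboleth project: it parses a constructed SP EntityDescriptor, decides whether the SP carries the R&S entity category (what the EntityAttributeExactMatch policy rule checks), and then computes what the fixed-bundle policy and the AttributeInMetadata-style policy would each release. The entityID, the RequestedAttribute list and the attributeID-to-OID mapping are assumptions for illustration; a real IdP derives that mapping from its attribute resolver and encoders.

```python
"""Added example (not the InCommon page's or Shibboleth's code): a model of an
attribute filter policy keyed on the R&S entity category, run over constructed
SP metadata for both the fixed-bundle and the RequestedAttribute-limited policy."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# REFEDS entity category attribute name and the R&S value used on this page
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RANDS_VALUE = "http://refeds.org/category/research-and-scholarship"

# Fixed bundle from the page's V3 example, keyed by IdP attributeID. The SAML2
# attribute Names are the customary OID URNs; treating them as the IdP's encoded
# names is an assumption (the real mapping comes from the attribute resolver).
RANDS_BUNDLE = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "surname": "urn:oid:2.5.4.4",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
}

# Constructed SP metadata (hypothetical entityID): tagged R&S; requests ePPN and
# email as required, displayName as optional, and telephoneNumber, which is not
# in the bundle and so must never be released by either policy.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.20"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def is_rands_sp(entity):
    """EntityAttributeExactMatch: the entity carries the R&S category value."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if (value.text or "").strip() == RANDS_VALUE:
                return True
    return False


def requested_attributes(entity):
    """Map each <md:RequestedAttribute> Name to its isRequired flag."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {req.get("Name"): req.get("isRequired", "false").lower() == "true"
            for req in entity.findall(path, NS)}


def release_fixed_bundle(entity, bundle=RANDS_BUNDLE):
    """Policy 1 (PermitValueRule ANY): an R&S SP gets the whole fixed bundle."""
    return sorted(bundle) if is_rands_sp(entity) else []


def release_dynamic_subset(entity, bundle=RANDS_BUNDLE, only_if_required=False):
    """Policy 2 (AttributeInMetadata): an R&S SP gets a bundle attribute only if
    its metadata requests it; with only_if_required, only if isRequired="true"."""
    if not is_rands_sp(entity):
        return []
    requested = requested_attributes(entity)
    return sorted(attr_id for attr_id, name in bundle.items()
                  if name in requested and (requested[name] or not only_if_required))


def evaluate(metadata_xml):
    """Run both policies over one EntityDescriptor and report the outcome."""
    entity = ET.fromstring(metadata_xml)
    return {
        "entityID": entity.get("entityID"),
        "rands": is_rands_sp(entity),
        "fixed": release_fixed_bundle(entity),
        "dynamic": release_dynamic_subset(entity),
        "dynamic_required_only": release_dynamic_subset(entity, only_if_required=True),
    }


if __name__ == "__main__":
    for key, value in evaluate(SP_METADATA).items():
        print(f"{key}: {value}")
```

Running the script shows the difference between the two policies on the same SP: the fixed policy releases all seven bundle attributes, the dynamic policy releases only ePPN, email and displayName (telephoneNumber is requested but outside the bundle, so it is never released), and the equivalent of onlyIfRequired="true" drops displayName as well. Removing the entity category from the metadata makes both policies release nothing, which is the check worth repeating whenever federation metadata is refreshed.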