Note: Declare your support for R&S now!

To support the Research and Scholarship Category, an IdP has at least two options:

...

operator configures the IdP to release the R&S attribute bundle

...

See the sections below for detailed instructions.

...

Other Deployment Options

...

to

...

Once you've configured your IdP to release attributes to all R&S SPs (both present and future) as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of R&S SPs. (That is, in fact, the whole point of using entity attributes for describing attribute release policy.)


Software Requirements

To release attributes to all current and future R&S SPs with a single one-time configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.

Note: The attribute filter policies shown in the following sections are based on an exact match of an entity attribute. In the Shibboleth IdP, an attribute filter policy may be based on a regex match of an entity attribute as well.

Info: Support for Shib IdPs prior to v2.3.4

For Shibboleth IdPs prior to v2.3.4 (which was released on October 27, 2011), InCommon provides an XSLT script that filters InCommon metadata into an explicit <AttributeFilterPolicy> element for R&S SPs. See the next section for specific instructions for old IdPs.

No other SAML IdP software is known to support entity attributes at this time.

Release a Fixed Subset of the R&S Bundle

An IdP may support R&S by releasing at least the minimal subset of the R&S attribute bundle to all R&S SPs. Both examples in this section illustrate such a configuration.

The configuration based on entity attributes in the next subsection is a one-time operation. In contrast, the configuration produced by the XSLT script in the following subsection must be performed every time a new R&S SP is added to InCommon metadata. Clearly the configuration based on entity attributes is preferred.

...

Tip: Optimize your IdP configuration

Once you've configured your IdP to release attributes to R&S SPs as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.

Tip: Testing IdP Support for R&S

Once you've configured your IdP, you can test your configuration using this test page, a service provided by the GENI Experimenter Portal, an official R&S SP.


Configure an IdP to Release R&S Attributes Globally

Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:

A Shib IdP config that releases the R&S bundle to ALL R&S SPs:

<!-- for Shibboleth IdP V3.2.0 or later -->

<AttributeFilterPolicy id="releaseRandSAttributeBundle">

...

For Shib IdPs v2.3.4 and higher

To release a fixed subset of the R&S bundle (or the complete bundle itself), configure a new <AttributeFilterPolicy> element that refers to the R&S entity attribute. The following example releases a subset of the R&S bundle to all R&S SPs:

<AttributeFilterPolicy id="releaseToRandS">

  <!-- the policy applies to any SP whose metadata carries the R&S entity attribute -->
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

To release some other subset of the R&S bundle, simply customize the above example to match your policy.

Note that the above <AttributeFilterPolicy> releases a minimal subset of the R&S attribute bundle to all users whereas an IdP that supports R&S is only required to release attributes to some subset of the IdP's user population. For example, an IdP may choose to release attributes to faculty and staff only, or perhaps to non-students. The Shibboleth wiki contains examples of such configurations, which could easily be merged into the above <AttributeFilterPolicy> element.

...

For Shib IdPs prior to v2.3.4

Old versions of the Shib IdP don't support entity attributes, so we provide an XSLT script that extracts the entity IDs of the R&S SPs. Run the script (InCommonRandSPolicy.xsl) at the command line as follows:

$ curl --silent http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml \
    | xsltproc InCommonRandSPolicy.xsl - \
    | tidy -quiet -xml -indent -wrap 0

The output will include a listing of the entity IDs of all R&S SPs found in the metadata file:

<AttributeFilterPolicy id="releaseToRandS">

  <!-- one rule per R&S SP found in the metadata aggregate -->
  <PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://carmenwiki.osu.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://filesender.internet2.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wikispaces.psu.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.indianactsi.org" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cilogon.org/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cgca.phys.uwm.edu/shibboleth-sp" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://panther.gpolab.bbn.com/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ligo.org/ligovirgo/cbcnote/shibboleth-sp" />
    <!-- etc. -->
  </PolicyRequirementRule>

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

Modify the script to release some other subset of the R&S attribute bundle according to policy.

Release a Dynamic Subset of the R&S Bundle

To dynamically release a subset of the R&S bundle to each R&S SP on an SP-by-SP basis, configure a new <AttributeFilterPolicy> element that refers to the R&S entity attribute but limits attribute release to the <md:RequestedAttribute> elements in SP metadata. This requires the following two-step configuration process:

  1. Install and configure a general-purpose plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.
  2. Configure a new <AttributeFilterPolicy> element for R&S SPs.

These two configuration steps taken together constrain the release of attributes to precisely those attributes requested by R&S SPs (assuming those attributes constitute a subset of the R&S bundle).

Install and Configure the Plugin

The uApprove addon to the Shibboleth IdP includes a plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.

Info: uApprove

The uApprove addon is not required to release attributes to R&S SPs. The steps below do not install uApprove but rather a plugin included in the uApprove package.

To install and configure the plugin, perform the following steps:

  1. Download and unpack the uApprove package
  2. Copy the IdP plugin to your IdP build directory:
     $ cp $UAPPROVE_INSTALL$/idp-plugin-2.2.1/lib/* $IDP_INSTALL$/lib/
  3. Rebuild the IdP
  4. Add the namespace declaration xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf" to the <AttributeFilterPolicy> element (or better yet, to the parent <AttributeFilterPolicyGroup> element).
  5. Append the following values to the whitespace delimited list of values for the xsi:schemaLocation attribute:
    http://www.switch.ch/aai/idp/uApprove/mf classpath:/schema/uApprove-mf.xsd

The plugin adds a new PermitValueRule of type ua:AttributeInMetadata.

Configure a New AttributeFilterPolicy

The following IdP configuration implicitly releases attributes to any R&S SP. An attribute is released if and only if it is listed in SP metadata.

<AttributeFilterPolicy id="releaseToRandS" xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf">

  <!-- the policy applies to any SP whose metadata carries the R&S entity attribute -->
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

  <!-- each attribute is released only if the SP lists it as an md:RequestedAttribute;
       onlyIfRequired="false" releases it whether or not the SP marks it isRequired -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>

</AttributeFilterPolicy>

The attributes shown above constitute a maximal subset of the R&S bundle. Simply customize the above example to match your policy.
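The two release decisions described on this page, the entity-ID extraction that the XSLT script performs and the dynamic release limited to an SP's <md:RequestedAttribute> elements, modelled in Python as an added example that is not part of this wiki page, of the Shibboleth IdP, or of the uApprove plugin. The metadata aggregate, entity IDs and the attributeID-to-OID mapping are constructed for the example, and it assumes the plugin matches a released attribute's SAML Name against the RequestedAttribute Name and honours onlyIfRequired by checking isRequired="true".

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
RANDS = "http://id.incommon.org/category/research-and-scholarship"
# Assumed IdP attributeID -> SAML attribute Name (OID) as it appears in md:RequestedAttribute
BUNDLE = {"eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
          "email": "urn:oid:0.9.2342.19200300.100.1.3", "givenName": "urn:oid:2.5.4.42",
          "displayName": "urn:oid:2.16.840.1.113730.3.1.241", "surname": "urn:oid:2.5.4.4"}

# Constructed aggregate: one SP carrying the R&S entity attribute, one without it.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor><md:AttributeConsumingService index="1">
   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
   <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
   <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
  </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://other-sp.example.org/shibboleth"><md:SPSSODescriptor>
  <md:AttributeConsumingService index="1"><md:RequestedAttribute Name="urn:oid:2.5.4.42"/></md:AttributeConsumingService>
 </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def is_rands_sp(entity):
    """PolicyRequirementRule: exact match on the R&S entity-category value."""
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == "http://macedir.org/entity-category" and any(
                (v.text or "").strip() == RANDS for v in attr.findall("saml:AttributeValue", NS)):
            return True
    return False

def rands_entity_ids(metadata_xml=SAMPLE_METADATA):
    """What the XSLT script extracts: the entityIDs of every R&S SP in the aggregate."""
    return [e.get("entityID") for e in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"])
            if e.find("md:SPSSODescriptor", NS) is not None and is_rands_sp(e)]

def dynamic_release(entity_id, metadata_xml=SAMPLE_METADATA, only_if_required=False):
    """Bundle attributes the dynamic policy releases to entity_id: the SP must carry
    the R&S category, and each attribute must be listed as an md:RequestedAttribute."""
    for e in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if e.get("entityID") != entity_id or not is_rands_sp(e):
            continue  # wrong SP, or policy requirement not met: nothing released
        requested = {r.get("Name") for r in e.findall(
            "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS)
            if not only_if_required or r.get("isRequired") == "true"}
        return [aid for aid, name in BUNDLE.items() if name in requested]
    return []
```

Calling dynamic_release with only_if_required=True shows the effect of the plugin's onlyIfRequired setting: displayName drops out because the sample SP does not mark it isRequired, while the SP without the entity attribute gets nothing regardless of what it requests.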

...