Versions Compared

Note: Declare your support for R&S now!

To support the Research and Scholarship Category, an IdP operator configures the IdP to release the R&S attribute bundle to all R&S SPs,



Software Requirements

To release attributes to all current and future R&S SPs with a one-time configuration, an IdP leverages entity attributes (instead of entity IDs). The configuration steps documented here require Shibboleth IdP V3, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. No other SAML IdP software is known to support entity attributes at this time.

Tip: Optimize your IdP configuration

Once you've configured your IdP to release attributes to R&S SPs as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.
Tip: Testing IdP Support for R&S

Once you've configured your IdP, you can test your configuration using this test page, a service provided by the GENI Experimenter Portal, an official R&S SP.


Configure an IdP to Release R&S Attributes Globally

Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:

A Shib IdP config that releases the R&S bundle to ALL R&S SPs:

<!-- for Shibboleth IdP V3.2.0 or later -->
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->

  <!-- release of ePPN is REQUIRED -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- release of email is REQUIRED -->
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- release of ePSA is OPTIONAL -->
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

DRAFT - Guidance for IdPs - DRAFT

Preparing IdP Metadata

To reduce user confusion and frustration, R&S SPs will provide a detailed error page with specific instructions in the event the user is returned to the SP without sufficient attributes. In particular, the SP will direct the user to the administrative contact at the IdP. Thus administrative contact information in IdP metadata is essential to our effort to reduce manual boarding processes at the SP.

The IdP can short-circuit such an error page simply by including an errorURL in metadata. This gives the IdP the ability to own this problem by documenting (on the error page) and supporting whatever error handling process it desires.

Configuring a Shibboleth IdP to Release Attributes to an R&S SP

An IdP releases attributes to any R&S SP (identified by an entity attribute), not to specific SPs (identified by entityID). In effect, an attribute release policy is configured once and for all R&S SPs.

An IdP can choose between two possible configurations, depending on its policy needs:

  1. Always release the same set of attributes to every R&S SP.
  2. For each SP, only release those attributes that the SP requests via the <md:RequestedAttribute> elements in its metadata.

Always Release the Same Set of Attributes

There is only one step: configure a single <AttributeFilterPolicy> for all R&S SPs, such as the one shown above.

Only Release Those Attributes that the SP Requests

There are two steps to configure a new attribute release policy for R&S SPs:

  1. Install and configure a general-purpose plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.
  2. Configure a new <AttributeFilterPolicy> element for R&S SPs.

These two configuration steps taken together constrain the release of attributes to precisely those requested by R&S SPs (which are necessarily a subset of the R&S attribute bundle).

Install and Configure the Plugin

The uApprove addon to the Shibboleth IdP includes a plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.

Info: uApprove

uApprove is not required to release attributes to R&S SPs. The steps below do not install the uApprove addon.

To install and configure the plugin, perform the following steps:

...

The plugin adds a new PermitValueRule of type ua:AttributeInMetadata.

Configure a New AttributeFilterPolicy

The following configuration requires Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.

Info: Shib IdP v2.3.4

Shibboleth IdP v2.3.4 was released on October 27, 2011. For IdPs prior to v2.3.4, InCommon will provide a tool that filters InCommon metadata into an explicit <AttributeFilterPolicy> element for R&S SPs.

The following IdP configuration implicitly releases attributes to any R&S SP. An attribute is released if and only if it is listed in SP metadata.

<AttributeFilterPolicy id="releaseToRandS">
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://id.incommon.org/attribute/entity/category"
      attributeValue="research-and-scholarship"/>
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="surName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
</AttributeFilterPolicy>

No other IdP implementation is known to support entity attributes in SP metadata.
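The following is an added example, not code from this wiki page or from the Shibboleth project. It models in plain Python what the two configurations described above ("Always Release the Same Set of Attributes" and "Only Release Those Attributes that the SP Requests") decide for a given SP's metadata, and it checks the two IdP metadata points raised under "Preparing IdP Metadata" (an errorURL and an administrative contact). The entity attribute name and value are the ones on this page; the OID-to-attributeID mapping, the entityIDs and the model names are assumptions, and all metadata is constructed sample data.

```python
# Added example, not code from the InCommon wiki page or the Shibboleth project: models
# what the two release policies on this page decide for a given SP, and checks the IdP
# metadata points raised above (errorURL, administrative contact). Sample data is constructed.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity attribute matched by the PolicyRequirementRule (values from the page).
RS_ATTR_NAME = "http://macedir.org/entity-category"
RS_ATTR_VALUE = "http://refeds.org/category/research-and-scholarship"
# Fixed subset of the R&S bundle released by the "always release" policy.
FIXED_BUNDLE = frozenset(["eduPersonPrincipalName", "eduPersonTargetedID", "email",
                          "displayName", "givenName", "surname", "eduPersonScopedAffiliation"])
# SAML attribute Name (standard OID) -> IdP-side attributeID; the mapping is assumed.
OID_TO_ID = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
             "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
             "urn:oid:0.9.2342.19200300.100.1.3": "email",
             "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
             "urn:oid:2.5.4.42": "givenName",
             "urn:oid:2.5.4.4": "surname",
             "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation"}


def is_rs_sp(sp_xml):
    """EntityAttributeExactMatch: does the SP's metadata carry the R&S category?"""
    root = ET.fromstring(sp_xml)
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == RS_ATTR_NAME:
            for val in attr.findall("saml:AttributeValue", NS):
                if (val.text or "").strip() == RS_ATTR_VALUE:
                    return True
    return False


def requested_ids(sp_xml):
    """attributeIDs the SP lists as <md:RequestedAttribute>; isRequired is ignored,
    as with onlyIfRequired="false" on the ua:AttributeInMetadata rules."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {OID_TO_ID[ra.get("Name")] for ra in ET.fromstring(sp_xml).findall(path, NS)
            if ra.get("Name") in OID_TO_ID}


def release_set(sp_xml, model):
    """Attributes released under model 'fixed' (same set to every R&S SP) or
    'requested' (only what the SP asks for, which stays within the bundle)."""
    if not is_rs_sp(sp_xml):
        return set()  # the R&S policy does not apply to this SP
    if model == "fixed":
        return set(FIXED_BUNDLE)
    if model == "requested":
        return requested_ids(sp_xml) & FIXED_BUNDLE
    raise ValueError("unknown model: %s" % model)


def idp_metadata_issues(idp_xml):
    """What the page asks of IdP metadata: an errorURL on the IDPSSODescriptor and an
    administrative ContactPerson with an EmailAddress for the SP's error page to use."""
    root = ET.fromstring(idp_xml)
    issues = []
    idpsso = root.find("md:IDPSSODescriptor", NS)
    if idpsso is None or not idpsso.get("errorURL"):
        issues.append("missing errorURL")
    admins = [c for c in root.findall("md:ContactPerson", NS) if c.get("contactType") == "administrative"]
    if not any(c.find("md:EmailAddress", NS) is not None for c in admins):
        issues.append("missing administrative contact email")
    return issues


# Constructed sample metadata with hypothetical entityIDs.
RS_SP_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Same SP tagged with a different category: the R&S policy must not fire for it.
OTHER_SP_MD = RS_SP_MD.replace("research-and-scholarship", "some-other-category")
IDP_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" errorURL="https://idp.example.edu/sso-error"/>
  <md:ContactPerson contactType="administrative">
    <md:EmailAddress>mailto:idp-admin@example.edu</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""
IDP_MD_NO_ERRORURL = IDP_MD.replace(' errorURL="https://idp.example.edu/sso-error"', "")

if __name__ == "__main__":
    print("fixed:", sorted(release_set(RS_SP_MD, "fixed")))
    print("requested:", sorted(release_set(RS_SP_MD, "requested")))
    print("IdP issues:", idp_metadata_issues(IDP_MD_NO_ERRORURL))
```

Under the "fixed" model the sample SP receives the whole fixed subset; under the "requested" model it receives only ePPN, email and displayName, the three attributes it lists in metadata. An SP whose entity attribute value is not the R&S category gets nothing from this policy under either model, which is the point of keying the policy on the entity attribute rather than on entityIDs.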

Further Policy Controls

...