Note

Declare your support for R&S now!

To support the Research and Scholarship Category, an IdP has multiple options:

  1. Release the essential attribute bundle to all SPs (this policy is easiest to implement)
  2. Release the R&S attribute bundle to all R&S SPs, including R&S SPs in other federations
  3. Release the R&S attribute bundle to R&S SPs registered by InCommon only

Visit the parent page for basic info about the R&S Attribute Bundle. See the sections below for detailed configuration instructions.

Tip
titleOther Deployment Options

If your IdP already releases attributes to CILogon (which is an R&S SP), you should convert your CILogon configuration to R&S. More generally, an IdP may choose to release the Essential Attribute Bundle to all SPs.

Once you've configured your IdP to release attributes to all R&S SPs (both present and future) as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.)

...

titleSupporting REFEDS R&S

All configuration examples below recognize the REFEDS R&S entity attribute value:

http://refeds.org/category/research-and-scholarship

...

operator configures the IdP to release the R&S attribute bundle to all R&S SPs,

...


Software Requirements

To release attributes to all current and future R&S SPs with a single one-time configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later (the V3 example below requires V3.2.0 or later), since those versions support using entity attributes in SP metadata as part of an attribute release filter policy.

Note: The attribute filter policies shown in the following sections are based on an exact match of an entity attribute. In the Shibboleth IdP, an attribute filter policy may also be based on a regex match of an entity attribute.

...

titleSupport for Shib IdPs prior to v2.3.4

...


...

No other SAML IdP software is known to support entity attributes at this time.

Release the R&S Bundle to All R&S SPs

Release a Fixed Subset of the R&S Bundle

The examples in this section configure a Shib IdP to release a fixed subset of the R&S attribute bundle to R&S SPs.

The configurations based on entity attributes in the next subsection are one-time configurations. In contrast, the configuration produced by the XSLT script in the following subsection is a static list of entity IDs that must be regenerated and redeployed every time a new R&S SP is added to InCommon metadata; until you do, the new SP receives nothing. Clearly the configuration based on entity attributes is preferred.

...

Tip
titleOptimize your IdP configuration
Once you've configured your IdP to release attributes to R&S SPs as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.
Tip
titleTesting IdP Support for R&S

Once you've configured your IdP, you can test your configuration using this test page, a service provided by the GENI Experimenter Portal, an official R&S SP.


Configure an IdP to Release R&S Attributes Globally

Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:

Code Block
languagexml
titleA Shib IdP config that releases the R&S bundle to ALL R&S SPs
<!-- for Shibboleth IdP V3.2.0 or later -->
 
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
 
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch

...
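The V3 policy above is cut off in this revision of the page. The following complete attribute-filter.xml policy is added here as an example; it is not copied from the page but assembled from the V3 fragments that appear, interleaved with the V2 examples, later on this page: the same seven attribute IDs, each released with a PermitValueRule of xsi:type="ANY", inside a PolicyRequirementRule of xsi:type="EntityAttributeExactMatch". It assumes IdP V3.2.0 or later (the prefix-free afp syntax), that the attribute IDs match those defined in your attribute-resolver.xml, and that the enclosing AttributeFilterPolicyGroup is the standard one from the V3 distribution.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the page): complete V3.2+ policy that releases the R&S bundle
     to ALL R&S SPs. Assumes the standard V3 AttributeFilterPolicyGroup wrapper and the
     same attribute IDs as the V2 examples on this page. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <AttributeFilterPolicy id="releaseRandSAttributeBundle">

    <!-- match on the REFEDS R&S entity attribute in the requester's metadata, not on entity IDs -->
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- release of ePPN is REQUIRED -->
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of email is REQUIRED -->
    <AttributeRule attributeID="email">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surname">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of ePSA is OPTIONAL -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Because the rule keys on an entity attribute carried in signed federation metadata, a newly registered R&S SP (in InCommon or, through interfederation, elsewhere) is covered as soon as the IdP reloads metadata. As with the V2 examples, this policy releases the bundle for every authenticated user; add a user-scoping rule if your IdP supports R&S for only part of its population.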

For Shib IdPs v2.3.4 and higher

To release a fixed subset of the R&S bundle, configure a new <afp:AttributeFilterPolicy> element that recognizes the R&S entity attribute.

Release a Fixed Subset of the R&S Bundle to All R&S SPs

The following example releases a fixed subset of the R&S attribute bundle to all R&S SPs:

...

<afp:AttributeFilterPolicy id="releaseRandSBundleToAllSPs">

  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- release of ePSA is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

Note that the above <afp:AttributeFilterPolicy> releases the Research & Scholarship Attribute Bundle to all users whereas an IdP that supports R&S is only required to release attributes for some subset of the IdP's user population. For example, an IdP may choose to release attributes for faculty and staff only, or perhaps for non-students. The Shibboleth wiki contains examples of such configurations, which could easily be incorporated into the above policy.

...

For Shib IdPs prior to v2.3.4

Old versions of the Shib IdP don't support entity attributes, so we provide an XSLT script (InCommonRandSPolicy.xsl) that extracts the entity IDs of the R&S SPs from the InCommon metadata aggregate. Run the script at the command line as follows:

Code Block
languagebash
$ curl --silent http://md.incommon.org/InCommon/InCommon-metadata.xml \
    | xsltproc InCommonRandSPolicy.xsl - \
    | tidy -quiet -xml -indent -wrap 0

The output will include a listing of the entity IDs of all R&S SPs found in the metadata file. Note that this pipeline fetches the aggregate over plain HTTP and does not check its XML signature; verify the signature against the InCommon metadata signing certificate before pasting the resulting list into your IdP, since anyone able to tamper with the download could add an SP of their choosing to your release policy. Note also that the list is a snapshot: rerun the script whenever InCommon metadata changes.

...

<afp:AttributeFilterPolicy id="releaseFullBundleToRandS">

  <afp:PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://carmenwiki.osu.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://filesender.internet2.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wikispaces.psu.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.indianactsi.org" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cilogon.org/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cgca.phys.uwm.edu/shibboleth-sp" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://panther.gpolab.bbn.com/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ligo.org/ligovirgo/cbcnote/shibboleth-sp" />
    <!-- etc. -->
  </afp:PolicyRequirementRule>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

You can of course modify either of the above <afp:AttributeFilterPolicy> elements to release a dynamic subset of the R&S attribute bundle as shown in the following section.

...

Release a Dynamic Subset of the R&S Bundle

To dynamically release a subset of the R&S bundle to each R&S SP on an SP-by-SP basis, configure a new <afp:AttributeFilterPolicy> element that refers to the R&S entity attribute but limits attribute release based on <md:RequestedAttribute> elements in SP metadata.

For Shib IdPs v2.4.3 and higher

Shib IdP v2.4.3 (and higher) can base policy decisions on arbitrary <md:RequestedAttribute> elements in SP metadata.

Release a Dynamic Subset of the R&S Bundle to All R&S SPs
Code Block
languagexml
<afp:AttributeFilterPolicy id="releaseDynamicSubsetToRandS">
  
  <afp:PolicyRequirementRule
      xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  
  <!-- release ePPN iff ePPN is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
 
  <!-- release ePTID iff either ePTID or ePPN are listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, the above rule may be simplified or even commented out since release of ePTID is OPTIONAL -->

  <!-- release mail iff mail is listed in metadata -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- release displayName iff displayName or (givenName + sn) are listed in metadata -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="basic:AND">
        <basic:Rule xsi:type="saml:AttributeInMetadata"
            attributeName="urn:oid:2.5.4.42"/>
        <basic:Rule xsi:type="saml:AttributeInMetadata"
            attributeName="urn:oid:2.5.4.4"/>
      </basic:Rule>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release givenName iff givenName or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release surname iff surname or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release ePSA iff ePSA is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- since ePSA is OPTIONAL, the above rule may be commented out -->
 
</afp:AttributeFilterPolicy>

For Shib IdPs v2.4.0 and higher

Shib IdP v2.4.0 (and higher) can also base policy decisions on <md:RequestedAttribute> elements in SP metadata but with limited ability (compared to v2.4.3 and later).

Warning

The simple policy shown below satisfies the requirements of R&S if and only if 1) your deployment of eduPersonPrincipalName is non-reassigned (the policy omits eduPersonTargetedID), and 2) your deployment supports all three person name attributes (displayName, givenName, and surname), since each name attribute is released independently and the policy cannot express the "displayName or (givenName and sn)" alternative.

The following configuration releases an R&S attribute from the minimal subset if and only if that attribute is called out in SP metadata:

Code Block
languagexml
<afp:AttributeFilterPolicy id="releaseDynamicSubsetToRandS">
 
  <afp:PolicyRequirementRule
      xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
 
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

See the Shib wiki for more information about type saml:AttributeInMetadata.

...

Release the R&S Bundle to R&S SPs Registered By InCommon Only

To release a subset of the R&S attribute bundle to R&S SPs registered by InCommon only, first note that entity metadata registered by InCommon includes the following extension element:

Code Block
languagexml
titleThe RegistrationInfo element in InCommon metadata
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>

The value of the registrationAuthority XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. The InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org". Since the IdP learns the registrar only from the signed metadata aggregate, a policy keyed on this value is exactly as trustworthy as the IdP's metadata signature verification.

Using a 3rd-party plugin for Shibboleth IdP V2 (developed by the UK federation), an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:

Code Block
languagexml
<afp:AttributeFilterPolicy id="releaseRandSBundleToInCommonSPs">
  
  <afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <basic:Rule xsi:type="mdrpif:AttributeRequesterRegistrationAuthority"
        registrars="https://incommon.org"/>
  </afp:PolicyRequirementRule>

  <!-- same attribute rules as in any of the previous examples -->

</afp:AttributeFilterPolicy>

For brevity, the <afp:AttributeRule> elements have been omitted from the previous example. See the examples in the previous sections for details.
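The XSLT script referenced in the pre-v2.3.4 section is not reproduced on this page, and the mdrpif: rule above needs a separate V2 plugin. The script below is an added example, not the page's InCommonRandSPolicy.xsl and not Shibboleth code: using only the Python standard library, it scans a metadata aggregate for SPs carrying the R&S entity attribute, optionally keeps only those whose mdrpi:RegistrationInfo names a given registrar (the same test the mdrpif:AttributeRequesterRegistrationAuthority rule makes on the IdP), and prints the basic:OR rule used in the pre-v2.3.4 example. The aggregate it runs on is constructed inline; its entity IDs and the second registrar ID are made up for illustration. Feed it a real aggregate only after verifying that aggregate's signature.

```python
"""Added example (not the page's InCommonRandSPolicy.xsl): find R&S SPs in SAML metadata
with only the Python standard library and emit the V2 basic:OR rule the XSLT produces.

Selection mirrors what an entity-attribute based filter policy does on the IdP:
  - the entity must be an SP (it has an SPSSODescriptor),
  - its mdattr:EntityAttributes must carry the R&S entity-category value,
  - optionally, its mdrpi:RegistrationInfo must name a given registrar.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RANDS = "http://refeds.org/category/research-and-scholarship"
INCOMMON = "https://incommon.org"


def entity_attribute_values(entity, name):
    """All values of the named entity attribute on one EntityDescriptor (may be empty)."""
    values = []
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def registration_authority(entity):
    """Registrar ID asserted by the federation operator, or None if absent."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None


def rands_sp_entity_ids(metadata_xml, registrar=None):
    """Entity IDs of R&S SPs in document order; optionally only those of one registrar."""
    root = ET.fromstring(metadata_xml)
    found = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # the policy is about attribute requesters, so skip IdPs
        if RANDS not in entity_attribute_values(entity, ENTITY_CATEGORY):
            continue
        if registrar is not None and registration_authority(entity) != registrar:
            continue
        found.append(entity.get("entityID"))
    return found


def policy_requirement_rule(entity_ids):
    """The static basic:OR rule an IdP older than v2.3.4 needs (goes stale as SPs are added)."""
    lines = ['<afp:PolicyRequirementRule xsi:type="basic:OR">']
    lines += ['  <basic:Rule xsi:type="basic:AttributeRequesterString" value=%s />' % quoteattr(e)
              for e in entity_ids]
    lines.append("</afp:PolicyRequirementRule>")
    return "\n".join(lines)


# --- constructed sample aggregate (not real InCommon metadata; IDs are made up) ----------
def _entity(entity_id, role, registrar, categories):
    cats = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % c for c in categories)
    return (
        '<md:EntityDescriptor entityID="%s"><md:Extensions>'
        '<mdrpi:RegistrationInfo registrationAuthority="%s"/>'
        '<mdattr:EntityAttributes><saml:Attribute Name="%s" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">%s</saml:Attribute>'
        "</mdattr:EntityAttributes></md:Extensions>"
        '<md:%s protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        "</md:EntityDescriptor>" % (entity_id, registrar, ENTITY_CATEGORY, cats, role)
    )


SAMPLE_METADATA = (
    '<md:EntitiesDescriptor Name="constructed-example" '
    'xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s" xmlns:saml="%(saml)s" xmlns:mdrpi="%(mdrpi)s">'
    % NS
    + _entity("https://rands-sp.example.edu/shibboleth", "SPSSODescriptor", INCOMMON, [RANDS])
    + _entity("https://rands-sp.example.org/shibboleth", "SPSSODescriptor",
              "https://federation.example.org", [RANDS])   # R&S, but registered elsewhere
    + _entity("https://plain-sp.example.edu/shibboleth", "SPSSODescriptor", INCOMMON, [])
    + _entity("https://idp.example.edu/idp/shibboleth", "IDPSSODescriptor", INCOMMON, [RANDS])
    + "</md:EntitiesDescriptor>"
)

if __name__ == "__main__":
    print(policy_requirement_rule(rands_sp_entity_ids(SAMPLE_METADATA)))
    print(policy_requirement_rule(rands_sp_entity_ids(SAMPLE_METADATA, registrar=INCOMMON)))
```

Run as a script it prints the rule for all R&S SPs and then for InCommon-registered ones only; in the sample, the IdP entry is skipped even though it carries the R&S value, and the SP registered by the other federation drops out when a registrar is given.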

...
