Note: Declare your support for R&S now!

To support the Research and Scholarship Category, an IdP has at least two options:

...

operator configures the IdP to release the R&S attribute bundle

...

Visit the parent page for basic info about the R&S Attribute Bundle. See the sections below for detailed configuration instructions.

...

Other Deployment Options



Software Requirements

To release attributes to all current and future R&S SPs with a single one-time configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.

The configurations based on entity attributes in the following sections are one-time configurations.

Note: The attribute filter policies shown in the following sections are based on an exact match of an entity attribute. In the Shibboleth IdP, an attribute filter policy may be based on a regex match of an entity attribute as well.

Info: Support for Shib IdPs prior to v2.3.4

For Shibboleth IdPs prior to v2.3.4 (which was released on October 27, 2011), InCommon provides an XSLT script that filters InCommon metadata into an explicit <afp:AttributeFilterPolicy> element for R&S SPs. See the Filtering Metadata for Entity Attributes child page.

No other SAML IdP software is known to support entity attributes at this time.

...


Tip: Optimize your IdP configuration
Once you've configured your IdP to release attributes to all R&S SPs (both present and future) as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.
Tip: Testing IdP Support for R&S

Once you've configured your IdP, you can test your configuration using this test page, a service provided by the GENI Experimenter Portal, an official R&S SP.


Configure an IdP to Release R&S Attributes Globally

Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:

...

Choose a Subset of the R&S Bundle to Release

The following pair of policies release a subset of the R&S Attribute Bundle to requesters.

Release a Fixed Subset of the R&S Bundle

The following policy releases a fixed subset of the R&S Attribute Bundle to requesters.

Code Block (xml): A Shib IdP config that releases a fixed subset of the R&S bundle to ALL R&S SPs
<afp:AttributeFilterPolicy id="releaseFixedSubsetRandSAttributeBundle">

  <!-- insert the relevant PolicyRequirementRule here -->

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->

  <!-- release of ePPN is REQUIRED -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- release of email is REQUIRED -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- release of ePSA is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

For Shibboleth IdP V3.2.0 or later, the same policy may be written without the afp:, basic: and saml: namespace prefixes (for example <AttributeFilterPolicy>, <AttributeRule>, <PermitValueRule xsi:type="ANY"/> and <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" ...>), and the PolicyRequirementRule that selects all R&S SPs may be placed directly in the policy in place of the placeholder comment.

...

Release a Dynamic Subset of the R&S Bundle

The following policy releases a dynamic subset of the R&S Attribute Bundle by limiting the actual release of attributes based on <md:RequestedAttribute> elements in SP metadata.

Code Block (xml): A Shib IdP config that releases a dynamic subset of the R&S bundle
<afp:AttributeFilterPolicy id="releaseDynamicSubsetRandSAttributeBundle">

  <!-- insert the relevant PolicyRequirementRule here -->

  <!-- a dynamic subset of the Research & Scholarship Attribute Bundle -->

  <!-- release ePPN iff ePPN is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- release ePTID iff either ePTID or ePPN are listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional -->

  <!-- release mail iff mail is listed in metadata -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- release displayName iff displayName or (givenName + sn) are listed in metadata -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="basic:AND">
        <basic:Rule xsi:type="saml:AttributeInMetadata"
            attributeName="urn:oid:2.5.4.42"/>
        <basic:Rule xsi:type="saml:AttributeInMetadata"
            attributeName="urn:oid:2.5.4.4"/>
      </basic:Rule>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release givenName iff givenName or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release surname iff surname or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release ePSA iff ePSA is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- since ePSA is OPTIONAL, the above rule may be commented out -->

</afp:AttributeFilterPolicy>

See the Shib wiki for more information about type saml:AttributeInMetadata.
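To see which attributes the dynamic-subset policy above would actually release to a given SP, here is an added Python check (not from this page or the Shibboleth project) that applies the same iff rules to the md:RequestedAttribute elements of constructed SP metadata. The OID table for the attributes not quoted in the policy and the entityID are supplied here as assumptions and placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# SAML attribute names (URI name format) for the R&S bundle, keyed by the attributeID
# used in the policy; the OIDs not quoted in the policy are supplied here, not by the page
OID = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "surname": "urn:oid:2.5.4.4",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
}
# constructed sample SP metadata (placeholder entityID) that lists ePPN, givenName and sn
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_names(sp_metadata):
    """Names of all md:RequestedAttribute elements, which is what saml:AttributeInMetadata
    with onlyIfRequired="false" consults (the isRequired flag is ignored)."""
    root = ET.fromstring(sp_metadata)
    return {e.get("Name") for e in root.iter("{%s}RequestedAttribute" % MD)}


def dynamic_subset(sp_metadata):
    """Attribute IDs the dynamic-subset policy would release to this SP."""
    req = requested_names(sp_metadata)
    listed = lambda attr: OID[attr] in req  # "listed in metadata" for one R&S attribute
    released = set()
    for attr in ("eduPersonPrincipalName", "email", "eduPersonScopedAffiliation"):
        if listed(attr):  # released iff the attribute itself is listed
            released.add(attr)
    if listed("eduPersonTargetedID") or listed("eduPersonPrincipalName"):
        released.add("eduPersonTargetedID")  # ePTID iff ePTID or ePPN listed
    if listed("displayName") or (listed("givenName") and listed("surname")):
        released.add("displayName")  # displayName iff itself or (givenName and sn)
    for attr in ("givenName", "surname"):
        if listed(attr) or listed("displayName"):  # each iff itself or displayName
            released.add(attr)
    return released
```

Run `dynamic_subset(SP_METADATA)` against your own SP's metadata to confirm that an SP requesting only givenName and sn still receives displayName, and that an SP requesting neither ePPN nor ePTID receives no ePTID.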

Choose the Target Subset of R&S SPs

Note: The policies in this section release the Research & Scholarship Attribute Bundle for all users, whereas an IdP that supports R&S is only required to release attributes for some subset of the IdP's user population. For example, an IdP may choose to release attributes for faculty and staff only, or perhaps for non-students. The Shibboleth wiki contains examples of such configurations, which could easily be incorporated into these policies.

Release the R&S Bundle to All R&S SPs

The following pair of policies release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations.

For Shib IdPs v3.0.0 and higher

For Shibboleth IdP V3, release the R&S Attribute Bundle to all R&S SPs as follows:

Code Block (xml): A Shib IdP V3 config that releases attributes to ALL R&S SPs
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

  <afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- insert rules for the Research & Scholarship Attribute Bundle here -->

</afp:AttributeFilterPolicy>

For Shib IdPs prior to v3.0.0

For Shibboleth IdP V2, release the R&S Attribute Bundle to all R&S SPs as follows:

Code Block (xml): A Shib IdP V2 config that releases attributes to ALL R&S SPs
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- insert rules for the Research & Scholarship Attribute Bundle here -->

</afp:AttributeFilterPolicy>

...

Release the R&S Bundle to R&S SPs Registered by InCommon

To release a subset of the R&S attribute bundle to R&S SPs registered by InCommon only, first note that entity metadata registered by InCommon includes the following extension element:

Code Block (xml): The RegistrationInfo element in InCommon metadata
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>

The value of the registrationAuthority XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".

The following pair of policies release the R&S Attribute Bundle to R&S SPs registered by InCommon only.

For Shib IdPs v3.0.0 and higher

For Shibboleth IdP V3, release the R&S Attribute Bundle to R&S SPs registered by InCommon as follows:

Code Block (xml): A Shib IdP V3 config that releases attributes to R&S SPs registered by InCommon
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

  <afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <basic:Rule xsi:type="saml:RegistrationAuthority"
        registrars="https://incommon.org"/>
  </afp:PolicyRequirementRule>
  
  <!-- insert rules for the Research & Scholarship Attribute Bundle here -->

</afp:AttributeFilterPolicy>
Info: The registrars XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.
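To check which SPs the combined policy above would actually match before deploying it, here is an added Python script (not part of this page or the Shibboleth project) that evaluates the same two conditions, the R&S entity category and the registrationAuthority, over constructed sample metadata. The entityIDs and any registrar ID other than "https://incommon.org" are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RANDS = "http://refeds.org/category/research-and-scholarship"


def entity_xml(entity_id, categories, registrar_id):
    """Build constructed SP metadata carrying the two extension elements the policy
    inspects: mdattr:EntityAttributes and mdrpi:RegistrationInfo (entity_id is a placeholder)."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:mdrpi="{NS['mdrpi']}" xmlns:saml="{NS['saml']}" entityID="{entity_id}">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">{values}</saml:Attribute>
    </mdattr:EntityAttributes>
    <mdrpi:RegistrationInfo registrationAuthority="{registrar_id}"/>
  </md:Extensions>
</md:EntityDescriptor>"""


def entity_categories(entity):
    """Values of the entity-category entity attribute (what EntityAttributeExactMatch tests)."""
    root = ET.fromstring(entity)
    cats = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS))
    return cats


def registrar(entity):
    """registrationAuthority of mdrpi:RegistrationInfo (what saml:RegistrationAuthority tests)."""
    info = ET.fromstring(entity).find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None


def policy_applies(entity, registrars="https://incommon.org"):
    """Both halves of the basic:AND rule: the SP carries the R&S entity category AND its
    registrar is in the space-separated registrars list (as the XML attribute takes it)."""
    return RANDS in entity_categories(entity) and registrar(entity) in registrars.split()
```

Passing a longer space-separated registrars string mirrors generalizing the registrars XML attribute to cover additional federations.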

For Shib IdPs prior to v3.0.0

Note: The Registered By InCommon Category
A new entity category called the Registered by InCommon Category is being considered. The following configuration example illustrates how that category might be used.

For Shibboleth IdP V2, release the R&S Attribute Bundle to R&S SPs registered by InCommon as follows:

Code Block (xml): A Shib IdP V2 config that releases attributes to R&S SPs registered by InCommon
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

  <afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
  </afp:PolicyRequirementRule>
  
  <!-- insert rules for the Research & Scholarship Attribute Bundle here -->

</afp:AttributeFilterPolicy>