Versions Compared

Old Version 1

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version Current

changes.mady.by.user David Walker (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Note
titleDeprecated

Note that this page has been deprecated; the information they contain is no longer current. The page has been retained for historical purposes only.

This page shows how to configure a Shibboleth IdP to release the Essential Attribute Bundle.

Contents:

Table of Contents
minLevel2

Release the Essential Attribute Bundle to Any SP

...

It is straightforward to configure a Shibboleth IdP to release directory information the Essential Attribute Bundle to any SP:

Code Block
languagexmlxml
titleRelease the Essential Attribute Bundle to Any SP
<afp:AttributeFilterPolicy
<AttributeFilterPolicy id="releaseToAnyonereleaseEssentialAttributesToAnySP">

  <PolicyRequirementRule<afp:PolicyRequirementRule xsi:type="basic:ANY"/>

 <AttributeRule <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule<afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <AttributeRule<afp:AttributeRule attributeID="email">
    <PermitValueRule<afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <AttributeRule<afp:AttributeRule attributeID="displayName">
    <PermitValueRule<afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <AttributeRule<afp:AttributeRule attributeID="givenName">
    <PermitValueRule<afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <AttributeRule<afp:AttributeRule attributeID="surNamesurname">
    <PermitValueRule<afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

To release some other set of directory information, simply customize the above example to match your policy

To restrict attribute release to SPs in the InCommon Federation, replace the <PolicyRequirementRule> above with the following rule:

 Note
titleAn Important Consequence of Releasing the Essential Attribute Bundle
If your deployment of eduPersonPrincipalName is non-reassigned, the above attribute release policy supports the Research & Scholarship Category as a side effect, without further configuration. If your deployment of eduPersonPrincipalName is reassigned, simply add the eduPersonTargetedID attribute to the above attribute release policy to meet the minimal requirements of the Research & Scholarship Category.
For Shib IdP v2.4.0 (and higher), an optimization is possible. The following configuration releases an attribute in the Essential Attribute Bundle if and only if that attribute is called out in SP metadata:
 Code Block
languagexml
titleRelease the Essential Attribute Bundle to Any SP Only If Requested
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySPIfRequested">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule 
 Code Block
xmlxml

<PolicyRequirementRule
   xsi:type="saml:AttributeRequesterInEntityGroup"
   groupID="urn:mace:incommon"/>

...
AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Release the Essential Attribute Bundle to SPs Registered by InCommon
The following pair of policy rules release attributes to SPs registered by InCommon only. These policies are based on the following extension element in InCommon metadata:
 Code Block
languagexml
titleThe RegistrationInfo element in InCommon metadata
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>
The value of the registrationAuthority XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".
For Shib IdP v3.0.0 and higher
For Shibboleth IdP V3, release attributes to SPs registered by InCommon as follows:
 Code Block
languagexml
titleA Shib IdP V3 rule that releases attributes to SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="saml:RegistrationAuthority"
    registrars="https://incommon.org"/>
 Info
The registrars XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.
For Shib IdPs prior to v3.0.0
For Shibboleth IdP V2, release attributes to SPs registered by InCommon as follows:
 Code Block
languagexml
titleA Shib IdP V2 rule that releases attributes to SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://id.incommon.org/category/registered-by-incommon"/>