Note that this page has been deprecated; the information it contains is no longer current. The page has been retained for historical purposes only.
This page shows how to configure a Shibboleth IdP to release the Essential Attribute Bundle.
...
```xml
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySPIfRequested">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
Release the Essential Attribute Bundle to
...
SPs Registered by InCommon
...
The following pair of policy rules releases attributes only to SPs registered by InCommon. These policies are based on the following extension element in InCommon metadata:
```xml
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
    <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>
```
The value of the registrationAuthority XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".
For Shib IdP v3.0.0 and higher
Using a 3rd-party plugin for Shibboleth IdP V2 (developed by the UK federation), an IdP operator can choose to restrict attribute release to SPs registered by InCommon. For Shibboleth IdP V3, release attributes as follows:
```xml
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnyInCommonSP">
    <afp:PolicyRequirementRule xsi:type="saml:RegistrationAuthority" registrars="https://incommon.org"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule
```
Info: The registrars XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.
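To check which SPs a given registrars value would select before widening it, the following added example (not from the original page or from Shibboleth) reads the mdrpi:RegistrationInfo extension from metadata and applies the space-separated list. It assumes exact string comparison of registrar IDs and reads RegistrationInfo on the entity itself only; the entity IDs and the second registrar are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

# Constructed, trimmed sample metadata; entity IDs and the second registrar are made up.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <md:EntityDescriptor entityID="https://sp1.example.edu/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar.example.net"/>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.com/shibboleth"/>
</md:EntitiesDescriptor>
"""

def registrar_of(entity):
    """Return the entity's registrationAuthority, or None if it has no RegistrationInfo."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None

def matching_entities(metadata_xml, registrars):
    """List entityIDs whose registrar is in the space-separated `registrars` value."""
    allowed = set(registrars.split())  # assumption: IDs are compared as exact strings
    root = ET.fromstring(metadata_xml)
    return [
        e.get("entityID")
        for e in root.iter("{%s}EntityDescriptor" % NS["md"])
        if registrar_of(e) in allowed  # entities without RegistrationInfo never match
    ]

if __name__ == "__main__":
    for registrars in ("https://incommon.org",
                       "https://incommon.org https://registrar.example.net"):
        print(registrars, "->", matching_entities(SAMPLE_METADATA, registrars))
```

Each registrar ID added to the list widens release to every SP that registrar has registered, so reviewing the resulting entity list is a useful step before changing the policy.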
For Shib IdPs prior to v3.0.0
...