Versions Compared

Old Version 14

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version Current

changes.mady.by.user David Walker (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Note
titleDeprecated

Note that this page has been deprecated; the information they contain is no longer current. The page has been retained for historical purposes only.

This page shows how to configure a Shibboleth IdP to release the Essential Attribute Bundle.

Contents:

Table of Contents
minLevel2

...

Code Block
languagexml
titleRelease the Essential Attribute Bundle to Any SP Only If Requested
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySPIfRequested">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Release the Essential Attribute Bundle to

...

SPs Registered by InCommon

...

The following pair of policy rules release attributes to SPs Entity metadata registered by InCommon includes an extension element like the following only. These policies are based on the following extension element in InCommon metadata:

Code Block
languagexml
titleThe RegistrationInfo element in InCommon metadata
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
   <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>

The value of the the registrationAuthority XML  XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. The For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".

For Shib IdP v3.0.0 and higher

For Shibboleth IdP V3, release attributes Using a 3rd-party plugin for Shibboleth IdP V2 (developed by the UK federation), an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:

Code Block
languagexml
titleRelease the Essential Attribute Bundle to Any InCommon SPA Shib IdP V3 rule that releases attributes to SPs registered by InCommon
<afp:<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnyInCommonSP">

  <afp:PolicyRequirementRule xsi:type="mdrpifsaml:AttributeRequesterRegistrationAuthorityRegistrationAuthority"
      registrars="https://incommon.org"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule
Info
The registrars XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.
For Shib IdPs prior to v3.0.0

For Shibboleth IdP V2, release attributes to SPs registered by InCommon as follows:

Code Block
languagexml
titleA Shib IdP V2 rule that releases attributes to SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="

...

saml:

...

AttributeRequesterEntityAttributeExactMatch"

...

...

...

attributeName="

...

http://macedir.org/entity-category"

...

attributeValue="

...

http:

...

/

...

/id.incommon.org/category/registered-by-incommon"/>