...

Release a Fixed Subset of the R&S Bundle

An IdP may support R&S by releasing at least the minimal subset of the R&S attribute bundle to all R&S SPs. Both examples in this section illustrate such a configuration.


For Shib IdPs v2.3.4 and higher

...

To release some other subset of the R&S bundle, simply customize the above example to match your policy. An IdP that fully supports R&S will release at least the minimal subset of the R&S attribute bundle.


For Shib IdPs prior to v2.3.4

...

<AttributeFilterPolicy id="releaseToRandS">

  <PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://carmenwiki.osu.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://filesender.internet2.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wikispaces.psu.edu/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.indianactsi.org" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cilogon.org/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cgca.phys.uwm.edu/shibboleth-sp" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://panther.gpolab.bbn.com/shibboleth" />
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ligo.org/ligovirgo/cbcnote/shibboleth-sp" />
    <!-- etc. -->
  </PolicyRequirementRule>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

Modify the policy above to release some other subset of the R&S attribute bundle according to your policy.

Release a Dynamic Subset of the R&S Bundle

To dynamically release a subset of the R&S bundle to each R&S SP, configure a new <AttributeFilterPolicy> element that refers to the R&S entity attribute but limits attribute release to the <md:RequestedAttribute> elements in SP metadata. This requires the following two-step configuration process:

...

<AttributeFilterPolicy id="releaseToRandS" xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf">

  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="surName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>

</AttributeFilterPolicy>

The attributes shown above constitute a maximal subset of the R&S bundle. Simply customize the above example to match your policy.
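Both policies on this page decide release from SP metadata alone: the fixed-subset policy matches the requester's entityID against an enumerated list and releases every listed attribute, while the dynamic policy matches the R&S entity attribute and then lets each ua:AttributeInMetadata rule release an attribute only if the SP's metadata carries a matching <md:RequestedAttribute>. The following is an added example, not Shibboleth or uApprove code: a small Python model of those two decisions run over constructed SP metadata, useful for sanity-checking what a given SP would receive before touching a production attribute-filter.xml. The entityIDs, the SP metadata and the mapping from the page's attributeIDs to urn:oid encoder names are assumptions (in a real IdP the encoder names come from attribute-resolver.xml).

```python
"""Model of the two R&S release policies shown on this page (added example,
not Shibboleth code): a fixed subset released to an enumerated SP list, and a
dynamic subset limited to the SP's <md:RequestedAttribute> elements."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RANDS = "http://id.incommon.org/category/research-and-scholarship"

# The five attributeIDs used in both filter policies on the page, mapped to the
# SAML 2 encoder names ASSUMED for them (taken from attribute-resolver.xml in a real IdP).
ENCODER_NAMES = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "surName": "urn:oid:2.5.4.4",
}
POLICY_ATTRIBUTES = tuple(ENCODER_NAMES)


def make_sp(entity_id, rands_tagged, requested):
    """Build constructed (sample) SP metadata. `requested` maps a SAML attribute
    Name to its isRequired flag; `rands_tagged` adds the R&S entity attribute."""
    md, mdattr, saml = (f"{{{NS[p]}}}" for p in ("md", "mdattr", "saml"))
    ed = ET.Element(f"{md}EntityDescriptor", entityID=entity_id)
    if rands_tagged:
        ext = ET.SubElement(ed, f"{md}Extensions")
        ea = ET.SubElement(ext, f"{mdattr}EntityAttributes")
        attr = ET.SubElement(ea, f"{saml}Attribute", Name=ENTITY_CATEGORY)
        ET.SubElement(attr, f"{saml}AttributeValue").text = RANDS
    sp = ET.SubElement(ed, f"{md}SPSSODescriptor")
    acs = ET.SubElement(sp, f"{md}AttributeConsumingService", index="1")
    for name, required in requested.items():
        ET.SubElement(acs, f"{md}RequestedAttribute", Name=name,
                      isRequired="true" if required else "false")
    return ed


def requester_in_list(entity, allowed_entity_ids):
    """basic:OR of basic:AttributeRequesterString rules: exact match on entityID."""
    return entity.get("entityID") in allowed_entity_ids


def has_rands_entity_attribute(entity):
    """saml:AttributeRequesterEntityAttributeExactMatch on the R&S entity category."""
    for attr in entity.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        if any(v.text and v.text.strip() == RANDS
               for v in attr.iterfind("saml:AttributeValue", NS)):
            return True
    return False


def requested_names(entity, only_if_required):
    """Names of the SP's <md:RequestedAttribute> elements, optionally only required ones."""
    names = set()
    for ra in entity.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        if only_if_required and ra.get("isRequired", "false").lower() != "true":
            continue
        names.add(ra.get("Name"))
    return names


def release_fixed_subset(entity, allowed_entity_ids):
    """Pre-2.3.4 style policy: the whole listed bundle to every enumerated SP."""
    return list(POLICY_ATTRIBUTES) if requester_in_list(entity, allowed_entity_ids) else []


def release_dynamic_subset(entity, only_if_required=False):
    """Entity-attribute policy with ua:AttributeInMetadata rules: an attribute is
    released only if the SP is tagged R&S AND its encoder name is requested in
    metadata (onlyIfRequired="false" means isRequired is not consulted)."""
    if not has_rands_entity_attribute(entity):
        return []
    wanted = requested_names(entity, only_if_required)
    return [a for a in POLICY_ATTRIBUTES if ENCODER_NAMES[a] in wanted]


# Constructed sample SPs (entityIDs are placeholders, not real services).
EPPN, MAIL, DISPLAY, GIVEN, SN = ENCODER_NAMES.values()
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # requested but not in the policy
LISTED_SPS = {"https://sp.example.org/shibboleth"}
RANDS_SP = make_sp("https://sp.example.org/shibboleth", True,
                   {EPPN: True, MAIL: True, DISPLAY: False, AFFILIATION: False})
UNTAGGED_SP = make_sp("https://other.example.org/shibboleth", False,
                      {EPPN: True, MAIL: True, DISPLAY: True, GIVEN: True, SN: True})

if __name__ == "__main__":
    for sp in (RANDS_SP, UNTAGGED_SP):
        print(sp.get("entityID"))
        print("  fixed subset:              ", release_fixed_subset(sp, LISTED_SPS))
        print("  dynamic subset:            ", release_dynamic_subset(sp))
        print("  dynamic, onlyIfRequired:   ", release_dynamic_subset(sp, True))
```

Two points the output makes visible: the untagged SP requests all five attributes and still receives nothing under the dynamic policy, because the entity-attribute rule gates the whole policy; and the tagged SP's request for an attribute outside the policy (eduPersonScopedAffiliation here) is ignored, because a `<PermitValueRule>` can only release attributes that have an `<AttributeRule>`. Switching `onlyIfRequired` to true drops displayName for the sample SP, which is why the page's example leaves it at "false".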
