...
Release a Fixed Subset of the R&S Bundle
An IdP may support R&S by releasing at least the minimal subset of the R&S attribute bundle to all R&S SPs. Both examples in this section illustrate such a configuration.
Anchor | ||||
---|---|---|---|---|
|
For Shib IdPs v2.3.4 and higher
...
To release some other subset of the R&S bundle, simply customize the above example to match your policy. An IdP that fully supports R&S will release at least the minimal subset of the R&S attribute bundle.
Anchor | ||||
---|---|---|---|---|
|
For Shib IdPs prior to v2.3.4
...
Code Block | ||||
---|---|---|---|---|
| ||||
<AttributeFilterPolicy id="releaseToRandS"> <PolicyRequirementRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://carmenwiki.osu.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://filesender.internet2.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wikispaces.psu.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.indianactsi.org" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cilogon.org/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cgca.phys.uwm.edu/shibboleth-sp" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://panther.gpolab.bbn.com/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ligo.org/ligovirgo/cbcnote/shibboleth-sp" /> <!-- etc. --> </PolicyRequirementRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="email"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="surName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> </AttributeFilterPolicy> |
Modify the script to release some other subset of the R&S attribute bundle according to policy.
Release a Dynamic Subset of the R&S Bundle
To dynamically release a subset of the R&S bundle to each R&S SP on an SP-by-SP basis, configure a new <AttributeFilterPolicy>
element that refers to the R&S entity attribute but limits attribute release to the <md:RequestedAttribute>
elements in SP metadata. This leads to requires the following two-step configuration process:
...
Code Block | ||||
---|---|---|---|---|
| ||||
<AttributeFilterPolicy id="releaseToRandS" xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf"> <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://id.incommon.org/category/research-and-scholarship"/> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="email"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="surName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> </AttributeFilterPolicy> |
The attributes shown above constitute a maximal subset of the R&S bundle. Simply customize the above example to match your policy.
Attachments |
---|