The value of the registrationAuthority XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".

For Shib IdPs v3.0.0 and higher

Using Shibboleth IdP V3, an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:

<afp:AttributeFilterPolicy id="releaseRandSBundleToInCommonSPs">
  
  <afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <basic:Rule xsi:type="saml:RegistrationAuthority"
        registrars="https://incommon.org"/>
  </afp:PolicyRequirementRule>

  <!-- attribute rules here -->

</afp:AttributeFilterPolicy>

For brevity, the <afp:AttributeRule> elements have been omitted from the previous example. Any compatible rule set from a previous section may be used.

Note

The registrars XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.
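To preview which SPs in a metadata aggregate would satisfy the AND rule above for a given registrars list, the following added example (not part of the original page or of Shibboleth) applies the same two tests to SAML metadata. The sample entity IDs and the second registrar ID are constructed, and the script only reads mdrpi:RegistrationInfo placed on the entity itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
R_AND_S = "http://refeds.org/category/research-and-scholarship"

def _sp(entity_id, registrar, category):
    """Build one constructed SP entry for the sample aggregate below."""
    rpi = f'<mdrpi:RegistrationInfo registrationAuthority="{registrar}"/>' if registrar else ""
    cat = (f'<mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">'
           f"<saml:AttributeValue>{category}</saml:AttributeValue>"
           "</saml:Attribute></mdattr:EntityAttributes>") if category else ""
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>{rpi}{cat}'
            "</md:Extensions><md:SPSSODescriptor/></md:EntityDescriptor>")

# Constructed sample aggregate; entity IDs and the second registrar are made up.
SAMPLE = ("<md:EntitiesDescriptor " + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
    + _sp("https://sp1.example.edu/shibboleth", "https://incommon.org", R_AND_S)
    + _sp("https://sp2.example.org/shibboleth", "https://registrar.example.org", R_AND_S)
    + _sp("https://sp3.example.edu/shibboleth", "https://incommon.org", None)
    + _sp("https://sp4.example.net/shibboleth", None, R_AND_S)
    + "</md:EntitiesDescriptor>")

def registrar_of(entity):
    """Return the entity's registrationAuthority, or None without RegistrationInfo."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None

def has_entity_attribute(entity, name, value):
    """Match an entity attribute value, ignoring surrounding whitespace."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return any(a.get("Name") == name and (v.text or "").strip() == value
               for a in entity.findall(path, NS)
               for v in a.findall("saml:AttributeValue", NS))

def sps_matching_policy(metadata_xml, registrars):
    """List SP entityIDs satisfying both rules of the AND policy requirement."""
    allowed = set(registrars.split())  # same space-separated form as the registrars XML attribute
    root = ET.fromstring(metadata_xml)  # assumes the aggregate's signature was already verified
    return [e.get("entityID") for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")
            if e.find("md:SPSSODescriptor", NS) is not None
            and has_entity_attribute(e, ENTITY_CATEGORY, R_AND_S)
            and registrar_of(e) in allowed]
```

An SP with the R&S category but no RegistrationInfo (sp4 in the sample) never matches, whatever the registrars list contains.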

Info
The Registered By InCommon Category

A new entity category called the Registered by InCommon Category is being considered. If such a category were implemented, the plugin mentioned in the next example would become unnecessary.

For Shib IdPs v2.3.4 and higher

Using a 3rd-party plugin for Shibboleth IdP V2 (developed by the UK federation), an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:

<afp:AttributeFilterPolicy id="releaseRandSBundleToInCommonSPs">
  
  <afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <basic:Rule xsi:type="mdrpif:AttributeRequesterRegistrationAuthority"
        registrars="https://incommon.org"/>
  </afp:PolicyRequirementRule>

  <!-- same attribute rules as in any of the previous examples here -->

</afp:AttributeFilterPolicy>

As above, the <afp:AttributeRule> elements have been omitted from the previous example. Any compatible rule set from a previous section may be used.