...
The value of the registrationAuthority
XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".
For Shib IdPs v3.0.0 and higher
Using Shibboleth IdP V3, an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:
```xml
<afp:AttributeFilterPolicy id="releaseRandSBundleToInCommonSPs">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
        <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://refeds.org/category/research-and-scholarship"/>
        <basic:Rule xsi:type="saml:RegistrationAuthority"
            registrars="https://incommon.org"/>
    </afp:PolicyRequirementRule>
    <!-- attribute rules here -->
</afp:AttributeFilterPolicy>
```
For brevity, the <afp:AttributeRule>
elements have been omitted from the previous example. Any compatible rule set from a previous section may be used.
Note |
---|
The |
Info: A new entity category called the Registered by InCommon Category is being considered. If such a category were implemented, the plugin mentioned in the next example would become unnecessary.
For Shib IdPs v2.3.4 and higher
Using a 3rd-party plugin for Shibboleth IdP V2 (developed by the UK federation), an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:
```xml
<afp:AttributeFilterPolicy id="releaseRandSBundleToInCommonSPs">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
        <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://refeds.org/category/research-and-scholarship"/>
        <basic:Rule xsi:type="mdrpif:AttributeRequesterRegistrationAuthority"
            registrars="https://incommon.org"/>
    </afp:PolicyRequirementRule>
    <!-- same attribute rules as in any of the previous examples here -->
</afp:AttributeFilterPolicy>
```
As above, the <afp:AttributeRule>
elements have been omitted from the previous example. See the examples in the previous sections for details. Any compatible rule set from a previous section may be used.
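Before deploying either policy, an operator can check which SPs in a metadata aggregate would satisfy the policy requirement rule. The following is an added example, not code from InCommon or the Shibboleth project: it applies the same two conditions (R&S entity category AND registrationAuthority equal to "https://incommon.org") to a constructed metadata sample. The entityIDs and the second registrar ID are made up, and exact string comparison is assumed for both conditions.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CATEGORY_ATTR = "http://macedir.org/entity-category"
R_AND_S = "http://refeds.org/category/research-and-scholarship"
REGISTRAR = "https://incommon.org"

# Constructed sample metadata; entityIDs and the second registrar are made up.
ENTITY = """<md:EntityDescriptor entityID="{eid}"><md:Extensions>
  <mdrpi:RegistrationInfo registrationAuthority="{reg}"/>
  <mdattr:EntityAttributes><saml:Attribute Name="{attr}">
    <saml:AttributeValue>{cat}</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes>
</md:Extensions></md:EntityDescriptor>"""
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SAMPLE = f"<md:EntitiesDescriptor {XMLNS}>" + "".join(
    ENTITY.format(eid=eid, reg=reg, attr=CATEGORY_ATTR, cat=cat)
    for eid, reg, cat in [
        ("https://sp1.example.org/shibboleth", REGISTRAR, R_AND_S),
        ("https://sp2.example.org/shibboleth", "https://registrar.example.net", R_AND_S),
        ("https://sp3.example.org/shibboleth", REGISTRAR, "http://example.org/category/other"),
    ]) + "</md:EntitiesDescriptor>"

def registrar_of(entity):
    """Return the registrationAuthority value, or None if the entity has none."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None

def categories_of(entity):
    """Collect the entity-category values carried in the entity attributes."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == CATEGORY_ATTR:
            values.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values

def policy_matches(entity):
    """Mirror the basic:AND rule: R&S category AND registered by InCommon."""
    return R_AND_S in categories_of(entity) and registrar_of(entity) == REGISTRAR

def matching_sps(metadata_xml):
    """List entityIDs the policy requirement rule would apply to."""
    root = ET.fromstring(metadata_xml)
    return [e.get("entityID") for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")
            if policy_matches(e)]
```

Only the first sample SP passes: the second carries the R&S category but was registered elsewhere, and the third is registered by InCommon but lacks the category.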