...
Basic
...
For Shib IdP v3.0.0 and higher
...
Configuration
Configure a Shibboleth IdP to release
...
the R&S
...
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">
  <afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <!-- release of ePSA is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
...
Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">
  <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <!-- release of ePSA is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
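One way to check such a policy before deploying it, as an added example that is not part of the original page or of InCommon's or Shibboleth's tooling. It applies the REQUIRED/OPTIONAL notes from the policy's comments and flags any attribute released outside the bundle; `check_rs_policy`, `build_policy`, `eppn_reassigned` and the sample's namespace declarations are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CATEGORY_ATTR = "http://macedir.org/entity-category"
RS_VALUE = "http://refeds.org/category/research-and-scholarship"
# Attribute IDs as written in the page's policy; they must match your resolver's IDs.
BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "email", "displayName",
          "givenName", "surname", "eduPersonScopedAffiliation"}
# Namespace declarations for the constructed sample (the page's fragment omits them).
NS = ('xmlns:afp="urn:mace:shibboleth:2.0:afp" '
      'xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" '
      'xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" '
      'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix

def check_rs_policy(xml_text, eppn_reassigned=False):
    """Return findings for one AttributeFilterPolicy; an empty list means it passes."""
    policy, findings = ET.fromstring(xml_text), []
    # Matches both the V3 type and the V2 AttributeRequester... type named on the page.
    scoped = any(local(e.tag) == "PolicyRequirementRule"
                 and e.get(XSI_TYPE, "").endswith("EntityAttributeExactMatch")
                 and e.get("attributeName") == CATEGORY_ATTR
                 and e.get("attributeValue") == RS_VALUE for e in policy)
    if not scoped:
        findings.append("policy is not limited to the R&S entity category")
    released = {e.get("attributeID") for e in policy
                if local(e.tag) == "AttributeRule"
                and any(local(c.tag) == "PermitValueRule" for c in e)}
    for attr in ("eduPersonPrincipalName", "email"):
        if attr not in released:
            findings.append(f"missing required attribute: {attr}")
    if "displayName" not in released and not {"givenName", "surname"} <= released:
        findings.append("need displayName or both givenName and surname")
    if eppn_reassigned and "eduPersonTargetedID" not in released:
        findings.append("ePPN is reassigned, so eduPersonTargetedID is needed")
    findings += [f"outside the R&S bundle: {a}" for a in sorted(released - BUNDLE)]
    return findings

def build_policy(attr_ids, category=RS_VALUE):
    """Constructed sample input in the shape of the page's policy."""
    rules = "".join(f'<afp:AttributeRule attributeID="{a}">'
                    '<afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>'
                    for a in attr_ids)
    return (f'<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle" {NS}>'
            '<afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch" '
            f'attributeName="{CATEGORY_ATTR}" attributeValue="{category}"/>'
            f'{rules}</afp:AttributeFilterPolicy>')
```

To check a real policy, pass the `AttributeFilterPolicy` element from your filter file as text, with the namespace declarations from the file's root element added to it.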
Advanced
...
Configuration
Choose a Subset of the R&S Bundle to Release
...
The following pair of policy rules release attributes to all R&S SPs, including R&S SPs in other federations.
For Shib IdP v3.0.0 and higher
For Shibboleth IdP V3, release attributes to all R&S SPs as follows:
<afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://refeds.org/category/research-and-scholarship"/>
For Shib IdPs prior to v3.0.0
For Shibboleth IdP V2, release attributes to all R&S SPs as follows:
...
The value of the registrationAuthority XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. For example, the InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".
For Shib IdP v3.0.0 and higher
For Shibboleth IdP V3, release attributes to R&S SPs registered by InCommon as follows:
...
Info: The registrars XML attribute in the previous example takes a space-separated list of registrar IDs and can therefore be generalized to include other registrars, either in InCommon or in other federations.
For Shib IdPs prior to v3.0.0
...