...

To release less than the full R&S Attribute Bundle, or to restrict attribute release to a subset of R&S SPs in other ways, apply one or more of the advanced configurations documented in this section.

...


Choose a Subset of the R&S Bundle

...

Choose one of the following pairs of policies to release a subset of the R&S Attribute Bundle to requesters.

...

The following policy releases a dynamic subset of the R&S Attribute Bundle by filtering the actual release of attributes based on the <md:RequestedAttribute> elements in SP metadata: an attribute is released only if the SP's metadata lists it (or, for a few attributes, an equivalent one).

Code Block
languagexml
titleA Shib IdP config that releases a dynamic subset of the R&S bundle
<afp:AttributeFilterPolicy id="releaseDynamicSubsetRandSAttributeBundle">
  
  <!-- insert the relevant PolicyRequirementRule here -->

  <!-- a dynamic subset of the Research & Scholarship Attribute Bundle -->
  
  <!-- release ePPN iff ePPN is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- release ePTID iff either ePTID or ePPN are listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional -->

  <!-- release mail iff mail is listed in metadata -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- release displayName iff displayName or (givenName + sn) are listed in metadata -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="basic:AND">
        <basic:Rule xsi:type="saml:AttributeInMetadata"
            attributeName="urn:oid:2.5.4.42"/>
        <basic:Rule xsi:type="saml:AttributeInMetadata"
            attributeName="urn:oid:2.5.4.4"/>
      </basic:Rule>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release givenName iff givenName or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release surname iff surname or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <basic:Rule xsi:type="saml:AttributeInMetadata"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release ePSA iff ePSA is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- since ePSA is OPTIONAL, the above rule may be commented out -->
 
</afp:AttributeFilterPolicy>

Visit the Shibboleth wiki for more information about the saml:AttributeInMetadata type. Note that this rule honors whatever the SP's registrar published: an SP whose metadata carries no <md:AttributeConsumingService> receives nothing from this policy, which is exactly the consequence of restricted release that the note at the top of this page refers to.
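
The following Python model is an added example, not code from the InCommon page or from the Shibboleth project. It reproduces the decision logic of the filter policy above (AttributeInMetadata with onlyIfRequired="false", combined with the basic:OR and basic:AND rules) so you can check, offline, which R&S attributes a given SP would receive. It assumes the IdP attribute IDs used in the policy (eduPersonPrincipalName, eduPersonTargetedID, email, displayName, givenName, surname, eduPersonScopedAffiliation) are encoded under their standard SAML 2.0 OID names; the SP metadata it parses is constructed inside the script, and constructed_sp_metadata and release_for are helper names invented for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Standard SAML 2.0 attribute names (OIDs) of the R&S bundle members, i.e. the
# names an SP uses in <md:RequestedAttribute>. Assumed to match the IdP's encoders.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
GIVEN_NAME = "urn:oid:2.5.4.42"
SN = "urn:oid:2.5.4.4"
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"


def requested_attributes(sp_metadata_xml):
    """Names listed in <md:RequestedAttribute> anywhere in the SP's metadata.
    With onlyIfRequired="false" the isRequired flag is irrelevant: being listed is enough."""
    root = ET.fromstring(sp_metadata_xml)
    return {ra.get("Name") for ra in root.iter(f"{{{MD}}}RequestedAttribute")}


def dynamic_subset(requested):
    """Apply the per-attribute rules of the policy above and return the IdP attribute IDs released."""
    released = set()
    if EPPN in requested:                                   # AttributeInMetadata
        released.add("eduPersonPrincipalName")
    if EPTID in requested or EPPN in requested:             # OR(ePTID listed, ePPN listed)
        released.add("eduPersonTargetedID")
    if MAIL in requested:
        released.add("email")
    if DISPLAY_NAME in requested or (GIVEN_NAME in requested and SN in requested):
        released.add("displayName")                         # OR(displayName, AND(givenName, sn))
    if GIVEN_NAME in requested or DISPLAY_NAME in requested:
        released.add("givenName")
    if SN in requested or DISPLAY_NAME in requested:
        released.add("surname")
    if EPSA in requested:
        released.add("eduPersonScopedAffiliation")
    return released


def release_for(sp_metadata_xml):
    """What the dynamic-subset policy releases to the SP described by this metadata."""
    return dynamic_subset(requested_attributes(sp_metadata_xml))


def constructed_sp_metadata(*requested_names):
    """Build a minimal, constructed (not real) SP EntityDescriptor requesting the given names."""
    ras = "\n      ".join(
        f'<md:RequestedAttribute Name="{n}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>'
        for n in requested_names)
    return f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      {ras}
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    cases = [
        ("requests ePPN, mail, displayName", constructed_sp_metadata(EPPN, MAIL, DISPLAY_NAME)),
        ("requests givenName and sn only", constructed_sp_metadata(GIVEN_NAME, SN)),
        ("requests nothing", constructed_sp_metadata()),
    ]
    for label, md in cases:
        print(f"{label}: {sorted(release_for(md))}")
```

The second case shows why the displayName rule has its AND branch: an SP that asks only for givenName and sn still gets displayName, and the reverse holds for an SP that asks only for displayName. The third case is the edge that the note on restricted release warns about, and it is also the security property of this policy: the IdP cannot be talked into releasing more than the federation registrar put in the SP's metadata.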

Choose the Target Group of R&S SPs

Note
titleThe consequences of restricted attribute release
Read the R&S Entity Metadata topic to fully understand the consequences of restricting attribute release to a proper subset of all R&S SPs.

Release Attributes to All R&S SPs

The following pair of policy rules releases attributes to all R&S SPs, including R&S SPs in other federations.

...

 

Note
titleThe Registered By InCommon Category
A new entity category called the Registered by InCommon Category is being considered. The following configuration example illustrates how this category is intended to be used.

For Shibboleth IdP V2, release attributes to R&S SPs registered by InCommon as follows:

Code Block
languagexml
titleA Shib IdP V2 rule that releases attributes to R&S SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>

Choose the Target User Population

The policy rules in the previous sections implicitly release attributes for all users whereas an IdP that supports R&S is only required to release attributes for some subset of the IdP's user population. For example, an IdP may choose to release attributes for faculty and staff only, or perhaps for non-students.

Release Attributes for Non-Students

The following pair of policy rules releases attributes for non-students to all R&S SPs.

For Shib IdP v3.0.0 and higher

For Shibboleth IdP V3, release attributes for non-students to all R&S SPs:

Code Block
languagexml
titleA Shib IdP V3 rule that releases attributes for non-students to all R&S SPs
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="basic:NOT">
    <basic:Rule xsi:type="basic:AttributeValueString"
        attributeID="eduPersonAffiliation" value="student" ignoreCase="true"/>
  </basic:Rule>
</afp:PolicyRequirementRule>
For Shib IdPs prior to v3.0.0

For Shibboleth IdP V2, release attributes for non-students to all R&S SPs as follows:

Code Block
languagexml
titleA Shib IdP V2 rule that releases attributes for non-students to all R&S SPs
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="basic:NOT">
    <basic:Rule xsi:type="basic:AttributeValueString"
        attributeID="eduPersonAffiliation" value="student" ignoreCase="true"/>
  </basic:Rule>
</afp:PolicyRequirementRule>
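
The following Python model is an added example, not code from the InCommon page or from the Shibboleth project. It evaluates the basic:AND PolicyRequirementRules shown in the "Choose the Target Group" and "Choose the Target User Population" sections: the entity-category checks read the SP's <mdattr:EntityAttributes> extension, and the NOT/AttributeValueString check applies the case-insensitive "student" test to every value of eduPersonAffiliation. The namespace URIs are the standard SAML ones; the SP metadata and the user attribute sets are constructed for the example, and policy_applies, has_category and is_student are helper names invented here.

```python
import xml.etree.ElementTree as ET

MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
REGISTERED_BY_INCOMMON = "http://id.incommon.org/category/registered-by-incommon"


def entity_attribute_values(sp_metadata_xml, name):
    """All <saml:AttributeValue>s of the named attribute inside <mdattr:EntityAttributes>."""
    root = ET.fromstring(sp_metadata_xml)
    values = set()
    for ea in root.iter(f"{{{MDATTR}}}EntityAttributes"):
        for attr in ea.findall(f"{{{SAML}}}Attribute"):
            if attr.get("Name") == name:
                for v in attr.findall(f"{{{SAML}}}AttributeValue"):
                    values.add((v.text or "").strip())
    return values


def has_category(sp_metadata_xml, category):
    """saml:AttributeRequesterEntityAttributeExactMatch on the entity-category attribute:
    true if any of its values equals the category string exactly."""
    return category in entity_attribute_values(sp_metadata_xml, ENTITY_CATEGORY)


def is_student(user_attributes):
    """basic:AttributeValueString with ignoreCase="true": true if ANY value of
    eduPersonAffiliation equals "student". A multi-valued user such as
    ("member", "staff", "Student") therefore counts as a student."""
    return any(v.lower() == "student" for v in user_attributes.get("eduPersonAffiliation", ()))


def policy_applies(sp_metadata_xml, user_attributes, require_incommon=False, non_students_only=False):
    """The basic:AND PolicyRequirementRule: R&S category, optionally the Registered by
    InCommon category, optionally NOT(student). All enabled rules must hold."""
    if not has_category(sp_metadata_xml, RS_CATEGORY):
        return False
    if require_incommon and not has_category(sp_metadata_xml, REGISTERED_BY_INCOMMON):
        return False
    if non_students_only and is_student(user_attributes):
        return False
    return True


def constructed_sp_metadata(*categories):
    """Minimal, constructed (not real) SP EntityDescriptor carrying the given entity categories."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="{MDATTR}" xmlns:saml="{SAML}" entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">{values}</saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


# Constructed inputs: an R&S SP registered by InCommon, an R&S SP from another federation,
# a non-R&S SP, and two users (a staff member and a staff member who is also a student).
SP_RS_INCOMMON = constructed_sp_metadata(RS_CATEGORY, REGISTERED_BY_INCOMMON)
SP_RS_OTHER_FED = constructed_sp_metadata(RS_CATEGORY)
SP_NOT_RS = constructed_sp_metadata()
STAFF = {"eduPersonAffiliation": ["member", "staff"]}
STUDENT_EMPLOYEE = {"eduPersonAffiliation": ["member", "staff", "Student"]}

if __name__ == "__main__":
    print("all R&S SPs, staff:            ", policy_applies(SP_RS_INCOMMON, STAFF))
    print("InCommon-only, other-fed SP:   ", policy_applies(SP_RS_OTHER_FED, STAFF, require_incommon=True))
    print("non-students, student employee:", policy_applies(SP_RS_INCOMMON, STUDENT_EMPLOYEE, non_students_only=True))
    print("non-R&S SP:                    ", policy_applies(SP_NOT_RS, STAFF))
```

Two points worth checking against your own deployment. First, the NOT rule excludes anyone who carries "student" among their affiliations, so staff who are also enrolled get nothing; if that is not what you want, the exclusion has to be expressed differently. Second, both category checks trust the entity attributes in metadata, so they are only as strong as the IdP's metadata provider configuration: the category must come from a signed, registrar-controlled feed, not from metadata an SP supplies about itself.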

 

...