...
To release less than the full R&S Attribute Bundle, or to restrict attribute release to a subset of R&S SPsin other ways, apply one or more of the advanced configurations documented in this section.
...
title | The consequences of restricted attribute release |
---|
...
.
Choose a Subset of the R&S Bundle
...
Choose one of the following pair of policies to release a subset of the R&S Attribute Bundle to requesters.
...
The following policy releases a dynamic subset of the R&S Attribute Bundle by limiting by filtering the actual release of attributes based on <md:RequestedAttribute>
elements in SP metadata.
Code Block | ||||
---|---|---|---|---|
| ||||
<afp:AttributeFilterPolicy id="releaseDynamicSubsetRandSAttributeBundle"> <!-- insert the relevant PolicyRequirementRule here --> <!-- a dynamic subset of the Research & Scholarship Attribute Bundle --> <!-- release ePPN iff ePPN is listed in metadata --> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- release ePTID iff either ePTID or ePPN are listed in metadata --> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional --> <!-- release mail iff mail is listed in metadata --> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- release displayName iff displayName or (givenName + sn) are listed in metadata --> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="basic:AND"> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.42"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.4"/> <basic:Rule xsi:type="basic:AND"> </afp:PermitValueRule> </afp:AttributeRule> <!-- release givenName iff givenName or displayName are listed in metadata --> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- release surname iff surname or displayName are listed in metadata --> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- release ePSA iff ePSA is listed in metadata --> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- since ePSA is OPTIONAL, the above rule may be commented out --> </afp:AttributeFilterPolicy> |
Visit the Shib Shibboleth wiki for more information about type saml:AttributeInMetadata
.
Choose the Target Group of R&S SPs
Warning |
---|
Note |
---|
The policy rules in this section implicitly release attributes for all users whereas an IdP that supports R&S is only required to release attributes for some subset of the IdP's user population. For example, an IdP may choose to release attributes for faculty and staff only, or perhaps for non-students. The Shibboleth wiki contains examples of such configurations, which could easily be incorporated into the these policies. |
| ||
Read the R&S Entity Metadata topic to fully understand the consequences of restricting attribute release to a proper subset of all R&S SPs. |
Release Attributes to All R&Release Attributes to All R&S SPs
The following pair of policy rules release attributes to all R&S SPs, including R&S SPs in other federations.
...
...