
Basic R&S Configuration

Configure an IdP to Release Attributes Globally

Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:

A Shib IdP config that releases the R&S bundle to ALL R&S SPs:

```xml
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

  <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->

  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- release of ePSA is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>
```

Configure an IdP to Release Attributes Locally

This section is for existing R&S IdPs that want to continue to release attributes to R&S SPs registered by InCommon only. A minor modification to the above configuration is required to release the R&S attribute bundle to R&S SPs registered by InCommon only.

Info: The Registered By InCommon Category is coming!

Here is the timeline for implementing the Registered By InCommon Category:

  1. Friday, April 17, 2015: Introduce the registered-by-incommon entity attribute into the preview aggregate
  2. Friday, April 24, 2015: Sync the main aggregate with the preview aggregate
  3. Friday, May 1, 2015: Sync the fallback aggregate with the production aggregate

Since most deployments consume the main production aggregate, April 24th is the date to remember.

An IdP that supports R&S locally is configured with a policy rule that releases the R&S Attribute Bundle to R&S SPs registered by InCommon only. To do this, an instance of Shibboleth IdP V2 leverages the Registered By InCommon Category as follows:

A Shib IdP V2 rule that releases attributes to R&S SPs registered by InCommon:

```xml
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>
```

An instance of Shibboleth IdP V3 leverages either the registered-by-incommon entity attribute (as above) or the <mdrpi:RegistrationInfo> element in metadata directly, as shown in the following example:

A Shib IdP V3 rule that releases attributes to R&S SPs registered by InCommon:

```xml
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:RegistrationAuthority"
      registrars="https://incommon.org"/>
</afp:PolicyRequirementRule>
```

Note that the registrars XML attribute takes a space-separated list of registrar IDs, so the previous configuration is the most flexible: it can match SPs registered by any of several federations with a single rule.

Advanced R&S Configuration

To release less than the full R&S Attribute Bundle, or to restrict attribute release in other ways, apply one or more of the advanced configurations documented in this section.

...