...
Basic R&S Configuration
Configure an IdP to Release Attributes Globally
Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:
```xml
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

    <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- release of ePSA is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>
```
Configure an IdP to Release Attributes Locally
This section is for existing R&S IdPs that want to continue to release attributes to R&S SPs registered by InCommon only. A minor modification to the above configuration is required to release the R&S Attribute Bundle to R&S SPs registered by InCommon only.
Info: Here is the timeline for implementing the Registered By InCommon Category:

Since most deployments consume the main production aggregate, April 24th is the date to remember.
An IdP that supports R&S locally is configured with a policy rule that releases the R&S Attribute Bundle to R&S SPs registered by InCommon only. To do this, an instance of Shibboleth IdP V2 leverages the Registered By InCommon Category as follows:
```xml
<afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>
```
An instance of Shibboleth IdP V3 leverages either the registered-by-incommon entity attribute (as above) or the <mdrpi:RegistrationInfo> element in metadata directly, as shown in the following example:
```xml
<afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <basic:Rule xsi:type="saml:RegistrationAuthority"
        registrars="https://incommon.org"/>
</afp:PolicyRequirementRule>
```
Note that the registrars XML attribute takes a space-separated list of registrar IDs, so the previous configuration is the more flexible of the two: it can be widened to additional registrars without adding further rules.
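Before deploying either local-release rule, an IdP operator may want to see exactly which SPs in a metadata aggregate it would match. The following is an added Python example (not part of this wiki page or of Shibboleth) that evaluates the V2 entity-attribute rule and the V3 registration-authority rule over a constructed aggregate; the entityIDs and the second registrar URL are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
REGISTERED_BY_INCOMMON = "http://id.incommon.org/category/registered-by-incommon"

def entity_categories(entity):
    """Collect entity-category values from mdattr:EntityAttributes on one EntityDescriptor."""
    attrs = entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
    return {v.text.strip() for a in attrs if a.get("Name") == ENTITY_CATEGORY
            for v in a.findall("saml:AttributeValue", NS) if v.text}

def registration_authority(entity):
    """Return mdrpi:RegistrationInfo/@registrationAuthority, or None if absent."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None

def v2_policy_matches(entity):
    """IdP V2 rule: R&S category AND registered-by-incommon category (basic:AND)."""
    return {RS, REGISTERED_BY_INCOMMON} <= entity_categories(entity)

def v3_policy_matches(entity, registrars=("https://incommon.org",)):
    """IdP V3 rule: R&S category AND saml:RegistrationAuthority in `registrars`."""
    return RS in entity_categories(entity) and registration_authority(entity) in registrars

def rs_recipients(aggregate_xml, policy=v3_policy_matches):
    """entityIDs in an aggregate that would receive the R&S bundle under `policy`."""
    root = ET.fromstring(aggregate_xml)
    return sorted(e.get("entityID") for e in root.iter("{%s}EntityDescriptor" % NS["md"])
                  if policy(e))

def _sp(entity_id, categories, authority):
    """Constructed, minimal SP EntityDescriptor for testing; not real federation metadata."""
    vals = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'<mdrpi:RegistrationInfo registrationAuthority="{authority}"/>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">{vals}'
            '</saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>')

# Constructed aggregate: an R&S SP registered by InCommon, an R&S SP from a hypothetical
# other registrar, and an InCommon-registered SP that does not carry the R&S category.
SAMPLE_AGGREGATE = (
    "<md:EntitiesDescriptor " + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
    + _sp("https://sp1.example.edu/shibboleth", [RS, REGISTERED_BY_INCOMMON], "https://incommon.org")
    + _sp("https://sp2.example.org/shibboleth", [RS], "https://federation.example.org")
    + _sp("https://sp3.example.edu/shibboleth", [REGISTERED_BY_INCOMMON], "https://incommon.org")
    + "</md:EntitiesDescriptor>")
```

Passing a wider `registrars` tuple to `v3_policy_matches` mirrors adding IDs to the space-separated `registrars` attribute, and the recipient list grows accordingly.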
Advanced R&S Configuration
To release less than the full R&S Attribute Bundle, or to restrict attribute release in other ways, apply one or more of the advanced configurations documented in this section.
...