To support the Research and Scholarship Category, an IdP operator has at least two configuration options:
- Release the R&S attribute bundle to all R&S SPs, including R&S SPs in other federations
- Release the R&S attribute bundle to R&S SPs registered by InCommon only
Visit the parent page for basic info about the R&S Attribute Bundle. See the sections below for detailed configuration instructions.
Other IdP Configuration Options
More generally, an IdP may choose to release the Essential Attribute Bundle: If your deployment of eduPersonPrincipalName
is non-reassigned, and your IdP releases the Essential Attribute Bundle to all SPs, then your IdP supports the Research & Scholarship Category as a side effect, without further configuration.
Contents:
Software Requirements
To release attributes to all current and future R&S SPs with a one-time configuration, an IdP leverages entity attributes (instead of entity IDs). The configuration steps documented here require Shibboleth IdP V3, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. No other SAML IdP software is known to support entity attributes at this time.
Optimize your IdP configuration
Testing IdP Support for R&S
Once you've configured your IdP, you can test your configuration using this test page, a service provided by the GENI Experimenter Portal, an official R&S SP.
Configure an IdP to Release R&S Attributes Globally
Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:
<!-- for Shibboleth IdP V3.2.0 or later --> <afp:AttributeFilterPolicy id="releaseRandSAttributeBundle"> <afp:PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <!-- a fixed subset of the Research & Scholarship Attribute Bundle --> <!-- release of ePPN is REQUIRED --> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule> <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL --> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule> <!-- release of email is REQUIRED --> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule> <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED --> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule> <!-- release of ePSA is OPTIONAL --> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>
Configure an IdP to Release R&S Attributes Locally
An IdP that supports R&S locally is configured with a policy rule that releases the R&S Attribute Bundle to R&S SPs registered by InCommon only. To do this, an instance of Shibboleth IdP V3 leverages the Registered By InCommon Category and/or MD-RPI Elements as shown in the following pair of examples:
<!-- for Shibboleth IdP V3.2.0 or later --> <!-- policy relies on two entity attributes --> <afp:PolicyRequirementRule xsi:type="AND"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://id.incommon.org/category/registered-by-incommon"/> </afp:PolicyRequirementRule>
<!-- for Shibboleth IdP V3.2.0 or later --> <!-- policy relies on an entity attribute and the RegistrationInfo element --> <afp:PolicyRequirementRule xsi:type="AND"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <Rule xsi:type="RegistrationAuthority" registrars="https://incommon.org"/> </afp:PolicyRequirementRule>
Note that the registrars
XML attribute takes a space-separated list of registrar IDs and therefore the previous configuration is more flexible.