The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »

To support the Research and Scholarship Category, an IdP has at least two options:

  1. Release a fixed subset of the R&S attribute bundle (or the R&S bundle itself) to all R&S SPs
  2. Release a dynamic subset of the R&S attribute bundle to each R&S SP on an SP-by-SP basis

The Shibboleth IdP software supports the first option out-of-the-box. The second option requires a special plugin at the Shibboleth IdP.

An IdP relies on entity attributes (instead of entity IDs) to support R&S. Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. (No other IdP software is known to support entity attributes at this time.)

Shib IdP v2.3.4

Shibboleth IdP v2.3.4 was released on October 27, 2011. For IdPs prior to v2.3.4, InCommon provides a tool that filters InCommon metadata into an explicit <AttributeFilterPolicy> element for R&S SPs.

Release a Fixed Subset of the R&S Bundle

To release a fixed subset of the R&S bundle (or the R&S bundle itself), configure a new <AttributeFilterPolicy> element that refers to the R&S entity attribute. The following example releases a subset of the R&S bundle to all R&S SPs:

<AttributeFilterPolicy id="releaseToRandS">

  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://id.incommon.org/attribute/entity/category"
      attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
</AttributeFilterPolicy>

To release some other subset of the R&S bundle, simply customize the above example as desired.

Release a Dynamic Subset of the R&S Bundle

To release a dynamic subset of the R&S bundle to each R&S SP on an SP-by-SP basis, configure a new <AttributeFilterPolicy> element that refers to the R&S entity attribute but limits attribute release to the <md:RequestedAttribute> elements in SP metadata. This leads to the following two-step configuration process:

  1. Install and configure a general-purpose plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.
  2. Configure a new <AttributeFilterPolicy> element for R&S SPs.

These two configuration steps taken together constrain the release of attributes to precisely those attributes requested by R&S SPs (assuming those attributes constitute a subset of the R&S bundle).

Install and Configure the Plugin

The uApprove addon to the Shibboleth IdP includes a plugin that limits attribute release to the <md:RequestedAttribute> elements in SP metadata.

uApprove

The uApprove addon is not required to release attributes to R&S SPs. The steps below do not install uApprove but rather a plugin included in the uApprove package.

To install and configure the plugin, perform the following steps:

  1. Download and unpack the uApprove package
  2. Copy the IdP plugin to your IdP build directory:
    $ cp $UAPPROVE_INSTALL$/idp-plugin-2.2.1/lib/* $IDP_INSTALL$/lib/
  3. Rebuild the IdP
  4. Add the namespace declaration xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf" to the <AttributeFilterPolicy> element (or better yet, to the parent <AttributeFilterPolicyGroup> element).
  5. Add the following at the end of the whitespace delimited list of values for the xsi:schemaLocation attribute:http://www.switch.ch/aai/idp/uApprove/mf classpath:/schema/uApprove-mf.xsd.

The plugin adds a new PermitValueRule of type ua:AttributeInMetadata.

Configure a New AttributeFilterPolicy

The following IdP configuration implicitly releases attributes to any R&S SP. An attribute is released if and only if it is listed in SP metadata.

<AttributeFilterPolicy id="releaseToRandS" xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf">

  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://id.incommon.org/attribute/entity/category"
      attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="surName">
    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
</AttributeFilterPolicy>
  File Modified
No files shared here yet.
#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels