Releasing Directory Information
It is straightforward to configure a Shibboleth IdP to release directory information to any SP:
<AttributeFilterPolicy id="releaseToAnySP">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
The above example intentionally releases a subset of the R&S (Research and Scholarship) attribute bundle so that the policy configuration supports R&S. To release some other set of directory information, customize the list of <AttributeRule> elements in the example above to match your own policy.
To restrict attribute release to SPs in the InCommon Federation, replace the <PolicyRequirementRule> above with a more restrictive rule:
<AttributeFilterPolicy id="releaseToAnyInCommonSP">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
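To see the effect of the two requirement rules before deploying a policy, the following added example (not part of this page or of the Shibboleth IdP itself) is a toy evaluator in Python that reads a constructed attribute-filter fragment and reports which attributes would be released to a requester. The fragment is a variant of the two policies above, with the anonymous policy narrowed to eduPersonPrincipalName and email so that the difference between basic:ANY and saml:AttributeRequesterInEntityGroup is visible; only those two rule types are modelled.

```python
"""Toy evaluator for the attribute-filter policies discussed on this page (added example)."""
import xml.etree.ElementTree as ET

# xsi:type is stored by ElementTree under its full namespace URI.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy fragment: a variant of the page's two policies wrapped in a
# root element so it parses. A real attribute-filter.xml declares more namespaces.
POLICY_XML = """<AttributeFilterPolicyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToAnySP">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseToAnyInCommonSP">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon"/>
    <AttributeRule attributeID="displayName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="surName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def requirement_matches(rule, requester_groups):
    """Decide whether one PolicyRequirementRule applies to the requesting SP.
    requester_groups is the set of entity-group IDs the SP's metadata places it in."""
    rule_type = rule.get(XSI_TYPE)
    if rule_type == "basic:ANY":
        return True
    if rule_type == "saml:AttributeRequesterInEntityGroup":
        return rule.get("groupID") in requester_groups
    raise ValueError(f"unsupported PolicyRequirementRule type: {rule_type}")


def released_attributes(policy_xml, requester_groups):
    """Return the set of attribute IDs released to an SP in the given entity groups."""
    released = set()
    for policy in ET.fromstring(policy_xml).iter("AttributeFilterPolicy"):
        rule = policy.find("PolicyRequirementRule")
        if rule is None or not requirement_matches(rule, requester_groups):
            continue  # this policy does not apply to the requester
        for attr in policy.iter("AttributeRule"):
            permit = attr.find("PermitValueRule")
            if permit is not None and permit.get(XSI_TYPE) == "basic:ANY":
                released.add(attr.get("attributeID"))
    return released


if __name__ == "__main__":
    print("InCommon SP:", sorted(released_attributes(POLICY_XML, {"urn:mace:incommon"})))
    print("other SP:   ", sorted(released_attributes(POLICY_XML, set())))
```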
Of course, more complex policies are possible; these simple examples are meant to get you started in the right direction. More examples can be found in the Shibboleth wiki.