
You are viewing an old version (version 4) of this page.

Releasing Directory Information

It is straightforward to configure a Shibboleth IdP to release directory information to any SP:

<AttributeFilterPolicy id="releaseToAnySP">

  <PolicyRequirementRule xsi:type="basic:ANY"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
</AttributeFilterPolicy>

The above example intentionally releases a subset of the R&S attribute bundle, so the same policy configuration also supports R&S. Note that a basic:ANY requirement rule applies to every SP the IdP will respond to, not only to federation members. To release some other set of directory information, adjust the attribute rules in the example above to match your policy.

To restrict attribute release to SPs in the InCommon Federation, replace the <PolicyRequirementRule> above with a more restrictive rule. The groupID value is matched against the Name of the enclosing EntitiesDescriptor in the SP's metadata, so only SPs loaded from the InCommon aggregate (whose top-level EntitiesDescriptor is named urn:mace:incommon) satisfy it:

<AttributeFilterPolicy id="releaseToAnyInCommonSP">

  <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
      groupID="urn:mace:incommon"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
</AttributeFilterPolicy>

For Shib IdP v2.4.0 (and higher), an optimization is possible. The following configuration releases each of the listed attributes to an InCommon SP if and only if that attribute appears as a RequestedAttribute in the SP's metadata. The onlyIfRequired="false" setting releases an attribute whether the SP marks it as required or optional; the IdP's default, onlyIfRequired="true", releases only attributes the SP marks isRequired="true":

<AttributeFilterPolicy id="releaseMinimalToAnyInCommonSP">

  <PolicyRequirementRule
      xsi:type="saml:AttributeRequesterInEntityGroup"
      groupID="urn:mace:incommon"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
</AttributeFilterPolicy>

Of course, more complex policies are possible; these simple examples are meant to get you started in the right direction. More examples can be found in the Shibboleth wiki.
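Before deploying any of the three policies above, it helps to check what they actually release to a concrete SP. The script below is an added example, not Shibboleth code: it re-implements just enough of the basic:ANY, saml:AttributeRequesterInEntityGroup and saml:AttributeInMetadata matchers to evaluate the minimal-release policy (and, by swapping its requirement rule, the any-SP policy) against constructed SP metadata. The entityIDs, the metadata snippet and the attributeID-to-SAML-name mapping (which in a real IdP comes from the resolver's attribute encoders) are all assumptions; the real IdP also handles value-level rules, multiple policies and other matcher types that this simulation does not.

```python
# Added example (not Shibboleth code): simulate IdP v2 attribute-filter decisions
# for one SP, covering only the matcher types used on this page.
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Assumed resolver attributeID -> SAML 2 name emitted by the IdP's encoders;
# RequestedAttribute/@Name in SP metadata is matched against these.
SAML2_NAMES = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
}

# Constructed attribute-filter.xml: the page's minimal-release policy in a policy group.
FILTER_MINIMAL = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseMinimalToAnyInCommonSP">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
      <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed metadata with placeholder entityIDs: one SP inside the urn:mace:incommon
# group requesting ePPN (required) and mail (optional), and one SP outside the group.
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntitiesDescriptor Name="urn:mace:incommon">
    <EntityDescriptor entityID="https://sp.example.edu/shibboleth">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <AttributeConsumingService index="1">
          <RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
          <RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="false"/>
        </AttributeConsumingService>
      </SPSSODescriptor>
    </EntityDescriptor>
  </EntitiesDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AttributeConsumingService index="1">
        <RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      </AttributeConsumingService>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def _find_entity(node, entity_id, groups):
    """Depth-first search for the SP, collecting the Name of every enclosing EntitiesDescriptor."""
    for child in node:
        if child.tag == MD + "EntityDescriptor" and child.get("entityID") == entity_id:
            return child, groups
        if child.tag == MD + "EntitiesDescriptor":
            found = _find_entity(child, entity_id, groups | {child.get("Name")})
            if found:
                return found
    return None


def sp_context(metadata_xml, entity_id):
    """Entity groups the SP belongs to, and {SAML attribute name: isRequired} it asks for."""
    root = ET.fromstring(metadata_xml)
    found = _find_entity(root, entity_id, {root.get("Name")})
    if found is None:
        raise KeyError("no EntityDescriptor for " + entity_id)
    entity, groups = found
    requested = {ra.get("Name"): ra.get("isRequired", "false") == "true"
                 for ra in entity.iter(MD + "RequestedAttribute")}
    return {"groups": groups - {None}, "requested": requested}


def _permitted(rule, attribute_id, ctx):
    """PermitValueRule evaluation for the two matcher types this page uses."""
    kind = rule.get(XSI_TYPE)
    if kind == "basic:ANY":
        return True
    if kind == "saml:AttributeInMetadata":
        # The IdP defaults onlyIfRequired to true: an optional request then releases nothing.
        only_required = rule.get("onlyIfRequired", "true") == "true"
        is_required = ctx["requested"].get(SAML2_NAMES.get(attribute_id))
        return is_required is not None and (is_required or not only_required)
    raise ValueError("unsupported PermitValueRule " + str(kind))


def released_attributes(filter_xml, metadata_xml, entity_id):
    """attributeIDs released to the SP: the union over every policy whose requirement rule holds."""
    ctx = sp_context(metadata_xml, entity_id)
    released = set()
    for policy in ET.fromstring(filter_xml).iter(AFP + "AttributeFilterPolicy"):
        req = policy.find(AFP + "PolicyRequirementRule")
        kind = req.get(XSI_TYPE)
        if kind == "saml:AttributeRequesterInEntityGroup":
            if req.get("groupID") not in ctx["groups"]:
                continue
        elif kind != "basic:ANY":
            raise ValueError("unsupported PolicyRequirementRule " + str(kind))
        for attr_rule in policy.findall(AFP + "AttributeRule"):
            permit = attr_rule.find(AFP + "PermitValueRule")
            if permit is not None and _permitted(permit, attr_rule.get("attributeID"), ctx):
                released.add(attr_rule.get("attributeID"))
    return released
```

Calling released_attributes(FILTER_MINIMAL, METADATA, "https://sp.example.edu/shibboleth") yields both eduPersonPrincipalName and email, because onlyIfRequired="false" counts the optional mail request; the same call for the SP outside the urn:mace:incommon group yields nothing. Replacing onlyIfRequired="false" with "true" in the filter drops email, and replacing the requirement rule with xsi:type="basic:ANY" (the page's first example) releases the requested attribute to the non-InCommon SP as well, which is the over-release a review of the policy should catch.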
