The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

Release the Essential Attribute Bundle to Any SP

It is straightforward to configure a Shibboleth IdP to release the Essential Attribute Bundle to any SP:

Release the Essential Attribute Bundle to Any SP
<afp:AttributeFilterPolicy id="releaseEssentialAttributeBundleToAnySP">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

An Important Consequence of Releasing the Essential Attribute Bundle

If your deployment of eduPersonPrincipalName is non-reassigned, the above attribute release policy supports the Research & Scholarship Category as a side effect, without further configuration. If your deployment of eduPersonPrincipalName is reassigned, simply add the eduPersonTargetedID attribute to the above attribute release policy to meet the minimal requirements of the Research & Scholarship Category.

For Shib IdP v2.4.0 (and higher), an optimization is possible. The following configuration releases an attribute in the Essential Attribute Bundle if and only if that attribute is called out in SP metadata:

Release the Essential Attribute Bundle to Any SP Only If Requested
<afp:AttributeFilterPolicy id="releaseEssentialAttributeBundleToAnySPIfRequested">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Of course more complex policies are possible; these simple examples are meant to get you started in the right direction. More examples will be found in the Shibboleth wiki.

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels