Release the Essential Attribute Bundle to Any SP
It is straightforward to configure a Shibboleth IdP to release the Essential Attribute Bundle to any SP:
```xml
<afp:AttributeFilterPolicy id="releaseEssentialAttributeBundleToAnySP">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
An Important Consequence of Releasing the Essential Attribute Bundle
If your deployment of eduPersonPrincipalName is non-reassigned (a value, once issued, is never given to a different person), the above attribute release policy supports the Research & Scholarship Category as a side effect, without further configuration. If your deployment of eduPersonPrincipalName is reassigned, add the eduPersonTargetedID attribute to the above attribute release policy to meet the minimal requirements of the Research & Scholarship Category.
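For the reassigned case, the resulting policy is the bundle above with one more AttributeRule. This is an added example, not configuration from the original page; it assumes the attribute-resolver defines the targeted identifier under the attributeID eduPersonTargetedID.

```xml
<afp:AttributeFilterPolicy id="releaseEssentialAttributeBundlePlusTargetedIDToAnySP">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <!-- Added for reassigned ePPN deployments: a persistent, non-reassigned,
       per-SP identifier so that R&S SPs can still key on a stable value. -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Note that the filter only permits release; the value itself comes from the attribute-resolver, so eduPersonTargetedID must actually be resolved (typically from a persistent, salted hash or a stored identifier) for the rule to have any effect.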
For Shib IdP v2.4.0 (and higher), an optimization is possible. The following configuration releases an attribute in the Essential Attribute Bundle if and only if that attribute is called out in SP metadata (as a RequestedAttribute element; because of onlyIfRequired="false", it does not matter whether the SP marks the attribute isRequired="true" or not):
```xml
<afp:AttributeFilterPolicy id="releaseEssentialAttributeBundleToAnySPIfRequested">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
Of course more complex policies are possible; these simple examples are meant to get you started in the right direction. More examples can be found in the Shibboleth wiki.