To support the Research and Scholarship Category, an IdP has at least two options:
- Release the R&S attribute bundle to all R&S SPs, including R&S SPs in other federations
- Release the R&S attribute bundle to R&S SPs registered by InCommon only
Visit the parent page for basic info about the R&S Attribute Bundle. See the sections below for detailed configuration instructions.
Other Deployment Options
If your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S. More generally, an IdP may choose to release the Essential Attribute Bundle to all SPs. This is easiest to implement and perhaps the best way to support the Research & Scholarship category.
Once you've configured your IdP to release attributes to all R&S SPs (both present and future) as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.)
Software Requirements
To release attributes to all R&S SPs with a single configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.
The configurations based on entity attributes in the following sections are one-time configurations.
Note: The attribute filter policies shown in the following sections are based on an exact match of an entity attribute. In the Shibboleth IdP, an attribute filter policy may be based on a regex match of an entity attribute as well.
Support for Shib IdPs prior to v2.3.4
For Shibboleth IdPs prior to v2.3.4 (which was released on October 27, 2011), InCommon provides an XSLT script that filters InCommon metadata into an explicit <afp:AttributeFilterPolicy> element for R&S SPs. See the Filtering Metadata for Entity Attributes child page.
No other SAML IdP software is known to support entity attributes at this time.
Choose a Subset of the R&S Bundle to Release
The following pair of policies releases a subset of the R&S Attribute Bundle to requesters.
Release a Fixed Subset of the R&S Bundle
The following policy releases a fixed subset of the R&S Attribute Bundle to requesters.
<afp:AttributeFilterPolicy id="releaseFixedSubsetRandSAttributeBundle">
    <!-- insert the relevant PolicyRequirementRule here -->
    <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <!-- release of ePSA is OPTIONAL -->
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Release a Dynamic Subset of the R&S Bundle
The following policy releases a dynamic subset of the R&S Attribute Bundle to requesters.
<afp:AttributeFilterPolicy id="releaseDynamicSubsetRandSAttributeBundle">
    <!-- insert the relevant PolicyRequirementRule here -->
    <!-- a dynamic subset of the Research & Scholarship Attribute Bundle -->
    <!-- release ePPN iff ePPN is listed in metadata -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <!-- release ePTID iff either ePTID or ePPN is listed in metadata -->
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
            <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
        </afp:PermitValueRule>
    </afp:AttributeRule>
    <!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional -->
    <!-- release mail iff mail is listed in metadata -->
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <!-- release displayName iff displayName or (givenName and sn) are listed in metadata -->
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
            <basic:Rule xsi:type="basic:AND">
                <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.42"/>
                <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.4"/>
            </basic:Rule>
        </afp:PermitValueRule>
    </afp:AttributeRule>
    <!-- release givenName iff givenName or displayName is listed in metadata -->
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
            <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
        </afp:PermitValueRule>
    </afp:AttributeRule>
    <!-- release surname iff surname or displayName is listed in metadata -->
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
            <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
        </afp:PermitValueRule>
    </afp:AttributeRule>
    <!-- release ePSA iff ePSA is listed in metadata -->
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
        <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
    </afp:AttributeRule>
    <!-- since ePSA is OPTIONAL, the above rule may be commented out -->
</afp:AttributeFilterPolicy>
Choose the Target Subset of R&S SPs
Release the R&S Bundle to All R&S SPs
The following pair of policies releases the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations.
For Shib IdPs v3.0.0 and higher
For Shibboleth IdP V3, release the R&S Attribute Bundle to all R&S SPs as follows:
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">
    <afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <!-- insert rules for the Research & Scholarship Attribute Bundle here -->
</afp:AttributeFilterPolicy>
For Shib IdPs prior to v3.0.0
For Shibboleth IdP V2, release the R&S Attribute Bundle to all R&S SPs as follows:
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <!-- insert rules for the Research & Scholarship Attribute Bundle here -->
</afp:AttributeFilterPolicy>
Release the R&S Bundle to R&S SPs Registered by InCommon
The following pair of policies releases the R&S Attribute Bundle to R&S SPs registered by InCommon only.
For Shib IdPs v3.0.0 and higher
For Shibboleth IdP V3, release the R&S Attribute Bundle to R&S SPs registered by InCommon as follows:
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
        <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://refeds.org/category/research-and-scholarship"/>
        <basic:Rule xsi:type="saml:RegistrationAuthority" registrars="https://incommon.org"/>
    </afp:PolicyRequirementRule>
    <!-- insert rules for the Research & Scholarship Attribute Bundle here -->
</afp:AttributeFilterPolicy>
The registrars XML attribute takes a space-separated list of registrar IDs.
For Shib IdPs prior to v3.0.0
For Shibboleth IdP V2, release the R&S Attribute Bundle to R&S SPs registered by InCommon as follows:
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
        <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://refeds.org/category/research-and-scholarship"/>
        <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
    </afp:PolicyRequirementRule>
    <!-- insert rules for the Research & Scholarship Attribute Bundle here -->
</afp:AttributeFilterPolicy>
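Before enabling either policy, it helps to see which SPs in a metadata aggregate would actually match the PolicyRequirementRule (R&S category alone, or R&S category AND InCommon registration) and what the dynamic-subset AttributeRules from the earlier section would then release to each. The script below is an added example, not code from the InCommon wiki or the Shibboleth project, and covers both the "Release a Dynamic Subset" policy and the two "Choose the Target Subset" policies. It reads the same metadata constructs the IdP rules consult: the http://macedir.org/entity-category entity attribute, mdrpi:RegistrationInfo/@registrationAuthority, and md:RequestedAttribute. Assumptions: the three entityIDs and the non-InCommon registrar URL are constructed fixtures; RequestedAttribute matching is by Name (OID) only, whereas the real saml:AttributeInMetadata rule also honours FriendlyName and isRequired.

```python
# Added example (not from the InCommon wiki or Shibboleth): evaluate, against a
# constructed metadata aggregate, which SPs the R&S PolicyRequirementRules match
# and what the page's dynamic-subset AttributeRules would release to each.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
INCOMMON_REGISTRAR = "https://incommon.org"

# IdP attributeID (as in the page's AttributeRules) -> SAML Name (OID) in SP metadata
OID = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "surname": "urn:oid:2.5.4.4",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
}

# The page's dynamic AttributeRules, as predicates over the set of requested attributeIDs
DYNAMIC_RULES = {
    "eduPersonPrincipalName": lambda r: "eduPersonPrincipalName" in r,
    "eduPersonTargetedID": lambda r: bool(r & {"eduPersonTargetedID", "eduPersonPrincipalName"}),
    "email": lambda r: "email" in r,
    "displayName": lambda r: "displayName" in r or {"givenName", "surname"} <= r,
    "givenName": lambda r: bool(r & {"givenName", "displayName"}),
    "surname": lambda r: bool(r & {"surname", "displayName"}),
    "eduPersonScopedAffiliation": lambda r: "eduPersonScopedAffiliation" in r,
}


def entity_categories(entity):
    """Values of the entity-category entity attribute on one EntityDescriptor."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            values.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def registration_authority(entity):
    """registrationAuthority from mdrpi:RegistrationInfo, or None if absent."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None


def requested_attribute_names(entity):
    """Names of every md:RequestedAttribute the SP lists in its metadata."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("Name") for ra in entity.findall(path, NS)}


def policy_applies(entity, incommon_only):
    """PolicyRequirementRule: R&S category, AND (if incommon_only) registered by InCommon."""
    if RS_CATEGORY not in entity_categories(entity):
        return False
    return not incommon_only or registration_authority(entity) == INCOMMON_REGISTRAR


def dynamic_subset(requested_names):
    """Apply the dynamic-subset AttributeRules to the SP's requested attribute Names."""
    req = {attr_id for attr_id, oid in OID.items() if oid in requested_names}
    return {attr_id for attr_id, rule in DYNAMIC_RULES.items() if rule(req)}


def evaluate(metadata_xml, incommon_only=False):
    """Map entityID -> attributeIDs released, for every SP the chosen policy matches."""
    root = ET.fromstring(metadata_xml)
    return {
        e.get("entityID"): dynamic_subset(requested_attribute_names(e))
        for e in root.findall("md:EntityDescriptor", NS)
        if policy_applies(e, incommon_only)
    }


def sp_metadata(entity_id, registrar, categories, requested):
    """Build one constructed EntityDescriptor (test fixture, not real federation metadata)."""
    cats = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    reqs = "".join(f'<md:RequestedAttribute Name="{n}"/>' for n in requested)
    ea = (f'<mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">{cats}'
          "</saml:Attribute></mdattr:EntityAttributes>") if categories else ""
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'<mdrpi:RegistrationInfo registrationAuthority="{registrar}"/>{ea}</md:Extensions>'
            f'<md:SPSSODescriptor><md:AttributeConsumingService index="0">{reqs}'
            "</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>")


# Constructed aggregate: entityIDs and the non-InCommon registrar are hypothetical.
SAMPLE_METADATA = (
    f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
    f'xmlns:mdrpi="{NS["mdrpi"]}" xmlns:saml="{NS["saml"]}">'
    + sp_metadata("https://sp-a.example.org/shibboleth", INCOMMON_REGISTRAR, [RS_CATEGORY],
                  [OID["eduPersonPrincipalName"], OID["displayName"]])
    + sp_metadata("https://sp-b.example.net/shibboleth", "https://federation.example.net",
                  [RS_CATEGORY], [OID["givenName"], OID["surname"]])
    + sp_metadata("https://sp-c.example.org/shibboleth", INCOMMON_REGISTRAR, [], [OID["email"]])
    + "</md:EntitiesDescriptor>"
)

if __name__ == "__main__":
    for only in (False, True):
        print("InCommon-registered R&S SPs only:" if only else "All R&S SPs:")
        for entity_id, released in evaluate(SAMPLE_METADATA, only).items():
            print(f"  {entity_id}: {sorted(released)}")
```

Running it shows the difference between the two target subsets directly: sp-a (R&S, registered by InCommon) matches both policies, sp-b (R&S, registered elsewhere) matches only the all-R&S policy, and sp-c (no entity category) matches neither. The per-SP attribute sets also make the dynamic rules' implications visible, for instance that requesting givenName and sn is enough to trigger release of displayName, and that requesting ePPN alone also releases ePTID.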