
This page shows how to configure a Shibboleth IdP to release the Essential Attribute Bundle.

Release the Essential Attribute Bundle to Any SP

It is straightforward to configure a Shibboleth IdP to release the Essential Attribute Bundle to any SP:

Release the Essential Attribute Bundle to Any SP
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySP">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

An Important Consequence of Releasing the Essential Attribute Bundle

If your deployment of eduPersonPrincipalName is non-reassigned, the above attribute release policy supports the Research & Scholarship Category as a side effect, without further configuration. If your deployment of eduPersonPrincipalName is reassigned, simply add the eduPersonTargetedID attribute to the above attribute release policy to meet the minimal requirements of the Research & Scholarship Category.

For Shibboleth IdP v2.4.0 (and higher), an optimization is possible. The following configuration releases an attribute in the Essential Attribute Bundle if and only if that attribute is requested in the SP's metadata:

Release the Essential Attribute Bundle to Any SP Only If Requested
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySPIfRequested">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Release the Essential Attribute Bundle to Any InCommon SP

Entity metadata registered by InCommon includes an extension element like the following:

The RegistrationInfo element in InCommon metadata
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
</md:Extensions>

The value of the registrationAuthority XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. The InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".

Using a third-party plugin for Shibboleth IdP v2 (developed by the UK federation), an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:

Release the Essential Attribute Bundle to Any InCommon SP
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnyInCommonSP">

  <afp:PolicyRequirementRule xsi:type="mdrpif:AttributeRequesterRegistrationAuthority"
      registrars="https://incommon.org"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

See the “Configuration Examples” section of the plugin documentation for other configuration examples. Even more examples can be found in the Shibboleth wiki.
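As an added example (not code from this page, from Shibboleth or from the UK federation plugin), the following Python models how the policies above decide what to release: it evaluates a basic:ANY requirement, the saml:AttributeInMetadata permit rule from the "only if requested" policy, and the plugin's mdrpif:AttributeRequesterRegistrationAuthority requirement against constructed SP metadata. The attributeID-to-SAML-Name mapping, the sample SP metadata, the default of onlyIfRequired and the treatment of registrars as a space-separated list are assumptions of this example.

```python
import xml.etree.ElementTree as ET

AFP, XSI = "urn:mace:shibboleth:2.0:afp", "http://www.w3.org/2001/XMLSchema-instance"
MD, MDRPI = "urn:oasis:names:tc:SAML:2.0:metadata", "urn:oasis:names:tc:SAML:metadata:rpi"
# Assumed attributeID -> SAML 2 Name mapping (a real IdP takes this from the resolver's attribute encoders).
SAML_NAMES = {"eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "surname": "urn:oid:2.5.4.4",
              "email": "urn:oid:0.9.2342.19200300.100.1.3", "givenName": "urn:oid:2.5.4.42",
              "displayName": "urn:oid:2.16.840.1.113730.3.1.241"}

def released_attributes(policy_xml, sp_metadata_xml):
    """Attribute IDs that one AttributeFilterPolicy releases to the SP described by sp_metadata_xml."""
    sp = ET.fromstring(sp_metadata_xml)
    reg = sp.find(f".//{{{MDRPI}}}RegistrationInfo")
    registrar = reg.get("registrationAuthority") if reg is not None else None
    requested = {ra.get("Name"): ra.get("isRequired") == "true" for ra in sp.iter(f"{{{MD}}}RequestedAttribute")}
    policy = ET.fromstring(policy_xml)
    req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
    rtype = req.get(f"{{{XSI}}}type")
    if rtype == "mdrpif:AttributeRequesterRegistrationAuthority":  # registrars assumed space-separated
        if registrar not in req.get("registrars", "").split():
            return set()  # SP registered by another registrar: the whole policy is skipped
    elif rtype != "basic:ANY":
        raise ValueError(f"unsupported PolicyRequirementRule {rtype}")
    released = set()
    for rule in policy.findall(f"{{{AFP}}}AttributeRule"):
        permit = rule.find(f"{{{AFP}}}PermitValueRule")
        ptype, attr_id = permit.get(f"{{{XSI}}}type"), rule.get("attributeID")
        if ptype == "basic:ANY":
            released.add(attr_id)
        elif ptype == "saml:AttributeInMetadata":  # release only if the SP lists it as a RequestedAttribute ...
            name = SAML_NAMES.get(attr_id)         # ... and, with onlyIfRequired="true" (assumed default), marks it required
            if name in requested and (requested[name] or permit.get("onlyIfRequired", "true") != "true"):
                released.add(attr_id)
        else:
            raise ValueError(f"unsupported PermitValueRule {ptype}")
    return released

def policy_xml(requirement_rule, permit_rule):
    """Build a policy shaped like the page's: five AttributeRules that share one PermitValueRule."""
    rules = "".join(f'<afp:AttributeRule attributeID="{a}">{permit_rule}</afp:AttributeRule>' for a in SAML_NAMES)
    return (f'<afp:AttributeFilterPolicy xmlns:afp="{AFP}" xmlns:xsi="{XSI}" id="p">'
            f"{requirement_rule}{rules}</afp:AttributeFilterPolicy>")

# Constructed sample SP metadata: registered by InCommon, requesting ePPN (required) and email (optional).
SP_METADATA = f'''<md:EntityDescriptor xmlns:md="{MD}" xmlns:mdrpi="{MDRPI}" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:AttributeConsumingService index="1">
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
  </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>'''
```

Against the sample SP, the basic:ANY policy releases all five attributes, the AttributeInMetadata policy with onlyIfRequired="false" releases only eduPersonPrincipalName and email, and the registrar-restricted policy releases nothing to an SP whose RegistrationInfo names a different registrar.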
