The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 116 Next »

Declare your support for R&S now!

To support the Research and Scholarship Category, an IdP operator has at least two configuration options:

  1. Release the R&S attribute bundle to all R&S SPs, including R&S SPs in other federations
  2. Release the R&S attribute bundle to R&S SPs registered by InCommon only

Visit the parent page for basic info about the R&S Attribute Bundle. See the sections below for detailed configuration instructions.

Other Deployment Options

More generally, an IdP may choose to release the Essential Attribute Bundle: If your deployment of eduPersonPrincipalName is non-reassigned, and your IdP releases the Essential Attribute Bundle to all SPs, then your IdP supports the Research & Scholarship Category as a side effect, without further configuration.

Contents:

Software Requirements

To release attributes to all current and future R&S SPs with a one-time configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.

Support for Shib IdPs prior to v2.3.4

For Shibboleth IdPs prior to v2.3.4 (which was released on October 27, 2011), InCommon provides an XSLT script that filters InCommon metadata into an explicit <afp:AttributeFilterPolicy> element for R&S SPs. See the Filtering Metadata for Entity Attributes child page.

No other SAML IdP software is known to support entity attributes at this time.

Optimize your IdP configuration

Once you've configured your IdP to release attributes to R&S SPs as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.

Testing IdP Support for R&S

Once you've configured your IdP, you can test your configuration using this test page, a service provided by the GENI Experimenter Portal, an official R&S SP.

Configure an IdP to Release R&S Attributes Globally

Configure a Shibboleth IdP to release the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations, as follows:

A Shib IdP config that releases the R&S bundle to ALL R&S SPs
<afp:AttributeFilterPolicy id="releaseRandSAttributeBundle">

  <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead -->
 
  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
 
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

  <!-- release of ePSA is OPTIONAL -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

Configure an IdP to Release R&S Attributes Locally

This section is for IdPs that prefer to release attributes to R&S SPs registered by InCommon only.

An IdP that supports R&S locally is configured with a policy rule that releases the R&S Attribute Bundle to R&S SPs registered by InCommon only. To do this, an instance of Shibboleth IdP V2 leverages the Registered By InCommon Category as follows:

A Shib IdP V2 rule that releases attributes to R&S SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>

An instance of Shibboleth IdP V3 leverages either the registered-by-incommon entity attribute (as above) or the <mdrpi:RegistrationInfo> element in metadata directly, as shown in the following example:

A Shib IdP V3 rule that releases attributes to R&S SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:RegistrationAuthority"
      registrars="https://incommon.org"/>
</afp:PolicyRequirementRule>

Note that the registrars XML attribute takes a space-separated list of registrar IDs and therefore the previous configuration is more flexible.

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels