To release attributes to all current and future Research & Scholarship SPs with a one-time configuration, an Identity Provider defines the attribute release using entity attributes instead of entity IDs. This page provides instructions for popular Identity Provider software.

Step 1: Configure your IdP

Configure Shibboleth IdP to release R&S Attributes

The following example illustrates how to configure a Shibboleth IdP (v3 or newer) to release the R&S Attribute Bundle to all eduGAIN Research & Scholarship SPs:

<!-- for Shibboleth IdP V3.2.0 or later -->
 
<AttributeFilterPolicy id="releaseRandSAttributeBundle">
 
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->
 
  <!-- release of ePPN is REQUIRED -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- release of email is REQUIRED -->
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

  <!-- release of ePSA is OPTIONAL -->
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

Configure ADFS to release R&S attributes using ADFSToolkit

Microsoft Active Directory Federation Services (ADFS) does not have built-in support for REFEDS R&S attribute release. However, R&S attribute release is possible with ADFSToolkit.

ADFSToolkit, a set of PowerShell scripts developed by CANARIE (the Canadian research and education federation), connects your ADFS IdP with the R&E Federation. ADFSToolkit works with R&S by default. To learn more:

Step 2: Cleaning up - remove obsolete attribute release rules 

Once you've configured your IdP to release attributes to R&S SPs as described above, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.
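
One way to check a filter file against Steps 1 and 2 is sketched below as an added example (not InCommon's or the Shibboleth project's code). It reports which REQUIRED R&S attributes the entity-category policy fails to release and which entity IDs are still named in per-SP `Requester` rules. It assumes the attribute IDs used in the example above (`email`, `surname`); the sample filter and `https://sp.example.org/shibboleth` are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # fine for your own config file, not for untrusted XML

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
EC_NAME = "http://macedir.org/entity-category"
RS_VALUE = "http://refeds.org/category/research-and-scholarship"

def local(tag):
    return tag.rsplit("}", 1)[-1]                    # drop the "{namespace}" prefix
def xsi(el):
    return el.get(XSI_TYPE, "").rsplit(":", 1)[-1]   # "basic:ANY" -> "ANY"

def audit(filter_xml):
    """Return (unmet R&S requirements, entity IDs still named in Requester rules)."""
    released, per_sp = set(), []
    for policy in ET.fromstring(filter_xml).iter():
        if local(policy.tag) != "AttributeFilterPolicy":
            continue
        # Step 2: per-SP matches, including ones nested inside AND/OR rules
        per_sp += [r.get("value") for r in policy.iter() if xsi(r) == "Requester"]
        req = next((c for c in policy if local(c.tag) == "PolicyRequirementRule"), None)
        if (req is None or xsi(req) != "EntityAttributeExactMatch"
                or req.get("attributeName") != EC_NAME
                or req.get("attributeValue") != RS_VALUE):
            continue                                 # not an entity-category R&S policy
        for rule in policy:
            if local(rule.tag) == "AttributeRule" and any(
                    local(c.tag) == "PermitValueRule" for c in rule):
                released.add(rule.get("attributeID"))
    # Step 1: REQUIRED parts of the bundle, using the attribute IDs assumed above
    missing = [a for a in ("eduPersonPrincipalName", "email") if a not in released]
    if "displayName" not in released and not {"givenName", "surname"} <= released:
        missing.append("displayName or (givenName and surname)")
    return missing, per_sp

# Constructed sample: an R&S policy that forgot email, plus a legacy per-SP policy.
SAMPLE = """<AttributeFilterPolicyGroup id="demo" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseRandSAttributeBundle">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="surname"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="legacySingleSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

An attribute counts as released only when it sits in a policy whose top-level requirement is the R&S entity-category match, so the `email` rule in the legacy per-SP policy does not satisfy the bundle.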

Step 3: Declare your support for R&S

Don't forget to let others know you now support R&S. Declare your support for R&S via the Federation Manager.

Step 4: Validate your configuration

Once you have verified that your declaration has been published in the InCommon metadata, you can verify your configuration using one of the following test tools:
