To release attributes to all current and future Research & Scholarship SPs with a one-time configuration, an Identity Provider defines the attribute release using entity attributes instead of entity IDs. This page provides instructions for popular Identity Provider software.
The following example illustrates how to configure a Shibboleth IdP (v3 or newer) to release the R&S Attribute Bundle to all eduGAIN Research & Scholarship SPs:

```xml
<!-- for Shibboleth IdP V3.2.0 or later -->
<AttributeFilterPolicy id="releaseRandSAttributeBundle">

    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <!-- a fixed subset of the Research & Scholarship Attribute Bundle -->

    <!-- release of ePPN is REQUIRED -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL -->
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of email is REQUIRED -->
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED -->
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- release of ePSA is OPTIONAL -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

</AttributeFilterPolicy>
```
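To review which SPs the entity-attribute rule above would match, the following added example (not part of the original page or of Shibboleth) scans a metadata aggregate for the R&S entity category using the same exact-match comparison. The entity IDs and sample metadata are constructed placeholders, and limiting the inventory to entities with an `SPSSODescriptor` is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY = "http://macedir.org/entity-category"
RANDS = "http://refeds.org/category/research-and-scholarship"

def entity(entity_id, role, attr_name=None, value=None):
    """Build one constructed EntityDescriptor (placeholder data, not real metadata)."""
    ext = ""
    if attr_name:
        ext = ('<md:Extensions><mdattr:EntityAttributes>'
               f'<saml:Attribute Name="{attr_name}"><saml:AttributeValue>{value}'
               '</saml:AttributeValue></saml:Attribute>'
               '</mdattr:EntityAttributes></md:Extensions>')
    return (f'<md:EntityDescriptor entityID="{entity_id}">{ext}'
            f'<md:{role}/></md:EntityDescriptor>')

# Constructed aggregate: one R&S SP, one SP in another category, one SP with
# no entity attributes, and an IdP that only declares entity-category-support.
SAMPLE = ('<md:EntitiesDescriptor '
          + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + '>'
          + entity("https://sp1.example.org/sp", "SPSSODescriptor", CATEGORY, RANDS)
          + entity("https://sp2.example.org/sp", "SPSSODescriptor", CATEGORY,
                   "https://example.org/category/other")
          + entity("https://sp3.example.org/sp", "SPSSODescriptor")
          + entity("https://idp.example.org/idp", "IDPSSODescriptor",
                   CATEGORY + "-support", RANDS)
          + '</md:EntitiesDescriptor>')

def rands_sps(metadata_xml):
    """Return entityIDs of SPs whose entity-category attribute exactly equals R&S."""
    # Real federation metadata must have its signature verified before it is trusted.
    root = ET.fromstring(metadata_xml)
    matched = []
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.find("md:SPSSODescriptor", NS) is None:
            continue  # inventory SPs only (assumption of this example)
        attrs = ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
        values = [v.text or ""
                  for a in attrs if a.get("Name") == CATEGORY
                  for v in a.findall("saml:AttributeValue", NS)]
        if RANDS in values:  # exact string comparison, no prefix or fuzzy match
            matched.append(ent.get("entityID"))
    return matched

if __name__ == "__main__":
    print(rands_sps(SAMPLE))
```

Because release is keyed on this entity attribute rather than on entity IDs, the bundle goes to every SP that appears in the resulting list.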
Microsoft Active Directory Federation Services (ADFS) does not have built-in support for REFEDS R&S attribute release. However, ADFSToolkit makes it possible.
ADFSToolkit, a set of PowerShell scripts developed by CANARIE (the Canadian research and education federation), connects your ADFS IdP with the R&E Federation. By default, ADFSToolkit works with R&S. To learn more:
Once you've configured your IdP to release attributes to R&S SPs as described on this page, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.) In particular, if your IdP already releases attributes to CILogon (or any other R&S SP), you should convert your CILogon configuration to R&S.
Don't forget to let others know you now support R&S. Declare your support for R&S via the Federation Manager.
Once you have verified that your declaration has been published in the InCommon metadata, you can verify your configuration using one of the following test tools: