To support the Research and Scholarship Category, an IdP has at least two options:
See the sections below for detailed instructions.
If your IdP already releases attributes to CILogon (which is an R&S SP), you should convert your CILogon configuration to R&S. More generally, an IdP may choose to release directory information to all SPs. |
Once you've configured your IdP to release attributes to all R&S SPs (both present and future) as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of R&S SPs. (That is, in fact, the whole point of using entity attributes for describing attribute release policy.)
To release attributes to all R&S SPs with a single configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.
Note: The attribute filter policies shown in the following sections are based on an exact match of an entity attribute. In the Shibboleth IdP, an attribute filter policy may be based on a regex match of an entity attribute as well.
For Shibboleth IdPs prior to v2.3.4 (which was released on October 27, 2011), InCommon provides an XSLT script that filters InCommon metadata into an explicit |
No other SAML IdP software is known to support entity attributes at this time.
An IdP may support R&S by releasing at least the minimal subset of the R&S attribute bundle to all R&S SPs. Both examples in this section illustrate such a configuration.
To release a fixed subset of the R&S bundle (or the complete bundle itself), configure a new <AttributeFilterPolicy>
element that refers to the R&S entity attribute. The following example releases a subset of the R&S bundle to all R&S SPs:
<AttributeFilterPolicy id="releaseToRandS"> <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://id.incommon.org/category/research-and-scholarship"/> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="email"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="surName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> </AttributeFilterPolicy> |
To release some other subset of the R&S bundle, simply customize the above example to match your policy.
Old versions of the Shib IdP don't support entity attributes so we provide an XSLT script that extracts the entity IDs of the R&S SPs. Run the script (InCommonRandSPolicy.xsl
) at the command line as follows:
<pre> $ <b>curl --silent http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml \ | xsltproc InCommonRandSPolicy.xsl - \ | tidy -quiet -xml -indent -wrap 0</b> </pre> |
The output will include a listing of the entity IDs of all R&S SPs found in the metadata file:
<AttributeFilterPolicy id="releaseToRandS"> <PolicyRequirementRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://carmenwiki.osu.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://filesender.internet2.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wikispaces.psu.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.indianactsi.org" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cilogon.org/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cgca.phys.uwm.edu/shibboleth-sp" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://panther.gpolab.bbn.com/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ligo.org/ligovirgo/cbcnote/shibboleth-sp" /> <!-- etc. --> </PolicyRequirementRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="email"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> <AttributeRule attributeID="surName"> <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule> </AttributeFilterPolicy> |
Modify the script to release some other subset of the R&S attribute bundle according to policy.
To dynamically release a subset of the R&S bundle to each R&S SP on an SP-by-SP basis, configure a new <AttributeFilterPolicy>
element that refers to the R&S entity attribute but limits attribute release to the <md:RequestedAttribute>
elements in SP metadata. This requires the following two-step configuration process:
<md:RequestedAttribute>
elements in SP metadata.<AttributeFilterPolicy>
element for R&S SPs.These two configuration steps taken together constrain the release of attributes to precisely those attributes requested by R&S SPs (assuming those attributes constitute a subset of the R&S bundle).
The uApprove addon to the Shibboleth IdP includes a plugin that limits attribute release to the <md:RequestedAttribute>
elements in SP metadata.
The uApprove addon is not required to release attributes to R&S SPs. The steps below do not install uApprove but rather a plugin included in the uApprove package. |
To install and configure the plugin, perform the following steps:
<code>$ <b>cp $UAPPROVE_INSTALL$/idp-plugin-2.2.1/lib/* $IDP_INSTALL$/lib/</b></code> |
xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf"
to the <AttributeFilterPolicy>
element (or better yet, to the parent <AttributeFilterPolicyGroup>
element).The plugin adds a new PermitValueRule
of type ua:AttributeInMetadata
.
The following IdP configuration implicitly releases attributes to any R&S SP. An attribute is released if and only if it is listed in SP metadata.
<AttributeFilterPolicy id="releaseToRandS" xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf"> <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://id.incommon.org/category/research-and-scholarship"/> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="email"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> <AttributeRule attributeID="surName"> <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule> </AttributeFilterPolicy> |
The attributes shown above constitute a maximal subset of the R&S bundle. Simply customize the above example to match your policy.