To support the Research and Scholarship Category, an IdP has multiple options:
Visit the parent page for basic info about the R&S Attribute Bundle. See the sections below for detailed configuration instructions.
If your IdP already releases attributes to CILogon (which is an R&S SP), you should convert your CILogon configuration to R&S. More generally, an IdP may choose to release the Essential Attribute Bundle to all SPs. |
Once you've configured your IdP to release attributes to all R&S SPs (both present and future) as described below, you should optimize your IdP configuration files by removing all references to the entity IDs of individual R&S SPs. (That is, in fact, the whole point of using entity attributes to configure attribute release policy.)
All configuration examples below recognize the REFEDS R&S entity attribute value: http://refeds.org/category/research-and-scholarship An IdP that supports REFEDS R&S (by recognizing the REFEDS R&S entity attribute) implicitly releases attributes to all R&S SPs, including R&S SPs in other federations. IdPs that are unwilling and/or unable to implement such a policy should consider releasing attributes to R&S SPs registered by InCommon (by recognizing the REFEDS R&S entity attribute in part). |
Contents:
To release attributes to all R&S SPs with a single configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented here require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.
Note: The attribute filter policies shown in the following sections are based on an exact match of an entity attribute. In the Shibboleth IdP, an attribute filter policy may be based on a regex match of an entity attribute as well.
For Shibboleth IdPs prior to v2.3.4 (which was released on October 27, 2011), InCommon provides an XSLT script that filters InCommon metadata into an explicit |
No other SAML IdP software is known to support entity attributes at this time.
The examples in this section configure a Shib IdP to release a fixed subset of the R&S attribute bundle to R&S SPs.
The configurations based on entity attributes in the next subsection are one-time configurations. In contrast, the configuration produced by the XSLT script in the following subsection must be performed every time a new R&S SP is added to InCommon metadata. Clearly the configuration based on entity attributes is preferred.
To release a fixed subset of the R&S bundle, configure a new <afp:AttributeFilterPolicy>
element that recognizes the R&S entity attribute.
The following example releases a fixed subset of the R&S attribute bundle to all R&S SPs:
<afp:AttributeFilterPolicy id="releaseRandSBundleToAllSPs"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL --> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED --> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <!-- release of ePSA is OPTIONAL --> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> </afp:AttributeFilterPolicy> |
Note that the above <afp:AttributeFilterPolicy>
releases the Research & Scholarship Attribute Bundle to all users whereas an IdP that supports R&S is only required to release attributes for some subset of the IdP's user population. For example, an IdP may choose to release attributes for faculty and staff only, or perhaps for non-students. The Shibboleth wiki contains examples of such configurations, which could easily be incorporated into the above policy.
Old versions of the Shib IdP don't support entity attributes so we provide an XSLT script that extracts the entity IDs of the R&S SPs. Run the script (InCommonRandSPolicy.xsl
) at the command line as follows:
{html}<pre> $ <b>curl --silent http://md.incommon.org/InCommon/InCommon-metadata.xml \ | xsltproc InCommonRandSPolicy.xsl - \ | tidy -quiet -xml -indent -wrap 0</b> </pre>{html} |
The output will include a listing of the entity IDs of all R&S SPs found in the metadata file:
<afp:AttributeFilterPolicy id="releaseFullBundleToRandS"> <afp:PolicyRequirementRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://carmenwiki.osu.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://filesender.internet2.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wikispaces.psu.edu/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.indianactsi.org" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cilogon.org/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cgca.phys.uwm.edu/shibboleth-sp" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://panther.gpolab.bbn.com/shibboleth" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ligo.org/ligovirgo/cbcnote/shibboleth-sp" /> <!-- etc. --> </afp:PolicyRequirementRule> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> </afp:AttributeFilterPolicy> |
You can of course modify either of the above <afp:AttributeFilterPolicy>
elements to release a dynamic subset of the R&S attribute bundle as shown in the following section.
To dynamically release a subset of the R&S bundle to each R&S SP on an SP-by-SP basis, configure a new <afp:AttributeFilterPolicy>
element that refers to the R&S entity attribute but limits attribute release based on <md:RequestedAttribute>
elements in SP metadata.
Shib IdP v2.4.3 (and higher) can base policy decisions on arbitrary <md:RequestedAttribute>
elements in SP metadata.
<afp:AttributeFilterPolicy id="releaseDynamicSubsetToRandS"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <!-- release ePPN iff ePPN is listed in metadata --> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- release ePTID iff either ePTID or ePPN are listed in metadata --> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional --> <!-- release mail iff mail is listed in metadata --> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- release displayName iff displayName or (givenName + sn) are listed in metadata --> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="basic:AND"> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.42"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.4"/> <basic:Rule xsi:type="basic:AND"> </afp:PermitValueRule> </afp:AttributeRule> <!-- release givenName iff givenName or displayName are listed in metadata --> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- release surname iff surname or displayName are listed in metadata --> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- release ePSA iff ePSA is listed in metadata --> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- since ePSA is OPTIONAL, the above rule may be commented out --> </afp:AttributeFilterPolicy> |
Shib IdP v2.4.0 (and higher) can also base policy decisions on <md:RequestedAttribute>
elements in SP metadata but with limited ability (compared to v2.4.3 and later).
The simple policy shown below satisfies the requirements of R&S if and only if 1) your deployment of |
The following configuration releases an R&S attribute from the minimal subset if and only if that attribute is called out in SP metadata:
<afp:AttributeFilterPolicy id="releaseDynamicSubsetToRandS"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> </afp:AttributeFilterPolicy> |
See the Shib wiki for more information about type saml:AttributeInMetadata
.
To release a subset of the R&S attribute bundle to R&S SPs registered by InCommon only, first note that entity metadata registered by InCommon includes the following extension element:
<md:Extensions xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"> <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/> </md:Extensions> |
The value of the registrationAuthority
XML attribute is the registrar's ID. Every metadata registrar has a globally unique ID. The InCommon registrar has the ID shown in the previous example, namely, "https://incommon.org".
Using a 3rd-party plugin for Shibboleth IdP V2 (developed by the UK federation), an IdP operator can choose to restrict attribute release to SPs registered by InCommon as follows:
<afp:AttributeFilterPolicy id="releaseRandSBundleToInCommonSPs"> <afp:PolicyRequirementRule xsi:type="basic:AND"> <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <basic:Rule xsi:type="mdrpif:AttributeRequesterRegistrationAuthority" registrars="https://incommon.org"/> </afp:PolicyRequirementRule> <!-- same attribute rules as in any of the previous examples --> </afp:AttributeFilterPolicy> |
For brevity, the <afp:AttributeRule>
elements have been omitted from the previous example. See the examples in the previous sections for details.