Copied from I2 wiki re R&S InCommon SPs 2012.05.14
Configuring a Shibboleth IdP to Release Attributes to an R&S SP
A Shibboleth IdP can be configured once to release a set of attributes to any and every R&S SP, identified by an entity attribute in its metadata rather than by entityID. Local IdP policy determines which attributes and values will be released. The logistics of configuring a Shibboleth IdP to do this vary, depending on which version of the IdP a site is using.
IdP 2.3.5 and above
An IdP can choose between possible configurations, depending on its policy needs:
- Always release the same set of attributes to every R&S SP.
- Release only those attributes an SP requests via its metadata element.
Always Release the Same Set of Attributes
The following configuration requires Shibboleth IdP v2.3.5 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy.
Configure a new <AttributeFilterPolicy> element for R&S SPs in the IdP's attribute-filter.xml. The saml prefix used by the PolicyRequirementRule must be bound to urn:mace:shibboleth:2.0:afp:mf:saml in the enclosing <AttributeFilterPolicyGroup>, as it is in the stock file. This example releases all of the R&S attributes; a campus should customize as appropriate (e.g., changing the attributeID values to match its own attribute-resolver.xml).

<AttributeFilterPolicy id="releaseToRandS">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://id.incommon.org/attribute/entity/category"
        attributeValue="http://id.incommon.org/category/research-and-scholarship"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surName">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
Release Only Those Attributes an SP Requests via Its Metadata Element
This approach relies on a plugin that is bundled with the uApprove add-on for Shibboleth. Information about uApprove is available at http://www.switch.ch/aai/support/tools/uApprove.html. It is NOT necessary for the site to run and use uApprove in order to take advantage of this plugin's capabilities.
Installation of the Plugin:
Follow these steps in order to use the plugin; it is NOT necessary to follow the full uApprove installation instructions:
- Download the uApprove package.
- Explode the package.
- (FIX) cp uApprove-2.2.1/idp-plugin-2.2.1/lib/* shibboleth-identityprovider-2.3.5/lib/.
- Run the standard IDP install steps (eg install.sh)
Configure a Release Policy
The following IdP configuration releases attributes to any R&S SP without naming it. An attribute is released if and only if the SP lists it as a <RequestedAttribute> in the <AttributeConsumingService> of its metadata, and only for the attributeIDs the policy itself lists. With onlyIfRequired="false", a listed attribute counts whether or not the SP flags it isRequired="true"; set it to "true" to release only the attributes the SP marks as required. The ua prefix must be declared in the enclosing <AttributeFilterPolicyGroup> with the namespace and schema location given in the uApprove documentation, or the IdP cannot resolve the match function type.

<AttributeFilterPolicy id="releaseToRandS">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://id.incommon.org/attribute/entity/category"
        attributeValue="http://id.incommon.org/category/research-and-scholarship"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="surName">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
</AttributeFilterPolicy>
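As an added example (not code from this page, nor from Shibboleth or uApprove), the following Python models both releaseToRandS policies above, the fixed-set one and the AttributeInMetadata one, against SP metadata, so the effect of each, including the onlyIfRequired switch, can be checked before it is deployed. The sample aggregate is constructed, and the OID_TO_ATTRIBUTE_ID table is an assumed stand-in for the attribute encoders in a site's attribute-resolver.xml.

```python
# Added example, not code from the page: models the two releaseToRandS
# policies above against SP metadata.  Constructed/assumed parts: the sample
# metadata, and OID_TO_ATTRIBUTE_ID standing in for your resolver's encoders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RS_ATTR_NAME = "http://id.incommon.org/attribute/entity/category"
RS_ATTR_VALUE = "http://id.incommon.org/category/research-and-scholarship"
# attributeIDs listed in the policies above (the page's own values)
RS_ATTRIBUTE_IDS = ["eduPersonPrincipalName", "email", "displayName",
                    "givenName", "surName", "eduPersonScopedAffiliation"]
# ASSUMED: SAML attribute Name -> IdP attributeID.  The real AttributeInMetadata
# matcher takes this from the encoders in attribute-resolver.xml; adjust to yours.
OID_TO_ATTRIBUTE_ID = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "surName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}
# Constructed sample aggregate (not real InCommon metadata), trimmed to what the
# filter consults: an R&S SP requesting three attributes (two required) and an
# SP that carries no entity category.
SAMPLE_METADATA = """<md:EntitiesDescriptor Name="constructed-sample"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.edu/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://id.incommon.org/attribute/entity/category">
        <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def is_rs_sp(ed):
    """saml:AttributeRequesterEntityAttributeExactMatch, modelled: the entity is
    an SP and its EntityAttributes carry exactly the R&S category value."""
    if ed.find("md:SPSSODescriptor", NS) is None:
        return False
    return any((v.text or "").strip() == RS_ATTR_VALUE
               for a in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
               if a.get("Name") == RS_ATTR_NAME
               for v in a.findall("saml:AttributeValue", NS))


def requested_attribute_ids(ed, only_if_required=False):
    """ua:AttributeInMetadata, modelled: attributeIDs the SP lists as
    RequestedAttribute; with only_if_required, only those flagged isRequired."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {OID_TO_ATTRIBUTE_ID[ra.get("Name")]
            for ra in ed.findall(path, NS)
            if ra.get("Name") in OID_TO_ATTRIBUTE_ID
            and (not only_if_required or ra.get("isRequired", "false") in ("true", "1"))}


def released_attributes(ed, policy, only_if_required=False):
    """Evaluate releaseToRandS for one SP: policy "fixed" is the basic:ANY
    version, "metadata" the AttributeInMetadata version.  Returns the sorted
    attributeIDs released; [] when the PolicyRequirementRule does not match."""
    if not is_rs_sp(ed):
        return []
    if policy == "fixed":
        return sorted(RS_ATTRIBUTE_IDS)
    if policy == "metadata":   # still bounded by the AttributeRules in the policy
        return sorted(set(RS_ATTRIBUTE_IDS) & requested_attribute_ids(ed, only_if_required))
    raise ValueError("unknown policy %r" % policy)


def load_entities(xml_text):
    """entityID -> EntityDescriptor element for every entity in an aggregate."""
    root = ET.fromstring(xml_text)
    return {ed.get("entityID"): ed for ed in root.iter("{%s}EntityDescriptor" % NS["md"])}


if __name__ == "__main__":
    for entity_id, ed in load_entities(SAMPLE_METADATA).items():
        print(entity_id, "R&S" if is_rs_sp(ed) else "not R&S")
        print("  fixed set:            ", released_attributes(ed, "fixed"))
        print("  AttributeInMetadata:  ", released_attributes(ed, "metadata"))
        print("  onlyIfRequired=true:  ", released_attributes(ed, "metadata", True))
```

Run it against your own aggregate by replacing SAMPLE_METADATA with the file contents; the non-R&S SP gets nothing under either policy, and the difference between the two policies for the R&S SP is exactly the attributes it did not ask for.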
IdP Previous to v2.3.5
These releases do not correctly support using entity attributes in SP metadata as part of an attribute release filter policy. For IdPs prior to v2.3.5, InCommon provides a tool [copied below] that can be run on a regular basis to convert InCommon metadata into an explicit <AttributeFilterPolicy> element for R&S SPs.
Further Policy Controls
If a campus determines that it wants to block release of attributes for certain community members (e.g., students who have opted out under FERPA), IdP operators could create an additional attribute release policy to enforce this decision. An example is available on the Shibboleth wiki. IdP plugins, such as uApprove, that provide end-user control over attribute release may also be useful to satisfy additional controls.
InCommon tool to convert metadata for R&S release, for IdP versions before 2.3.5

<?xml version="1.0" encoding="UTF-8"?>
<!--
  The copy on this page began at the md:EntitiesDescriptor template and ended
  with </xsl:stylesheet>; the xsl:stylesheet element and the templates that fill
  the basic:OR rule were not in the copy and are reconstructed here from what
  the fragment requires (one basic:AttributeRequesterString Rule per SP that
  carries the R&S entity attribute).  Run it against the InCommon aggregate
  (e.g. with xsltproc), include the result from attribute-filter.xml, and
  re-run it whenever the aggregate changes: the entityID list is a snapshot.
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:samla="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    exclude-result-prefixes="md mdattr samla">

  <xsl:output method="xml" indent="yes" encoding="UTF-8"/>

  <xsl:template match="md:EntitiesDescriptor">
    <AttributeFilterPolicyGroup id="InCommonRSPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
      <AttributeFilterPolicy id="releaseToRandS">
        <!-- explicit entityID list: one Rule per R&S SP, produced by the template below -->
        <PolicyRequirementRule xsi:type="basic:OR">
          <xsl:apply-templates/>
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
          <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonTargetedID">
          <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
          <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="displayName">
          <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="givenName">
          <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="sn">
          <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
      </AttributeFilterPolicy>
    </AttributeFilterPolicyGroup>
  </xsl:template>

  <!-- Reconstructed: an SP (an entity with an SPSSODescriptor) whose entity
       attributes carry the R&S category becomes one Rule inside the basic:OR.
       The SPSSODescriptor test keeps non-SP entities tagged with the same
       attribute out of the list. -->
  <xsl:template match="md:EntityDescriptor[md:SPSSODescriptor][md:Extensions/mdattr:EntityAttributes/samla:Attribute[@Name='http://id.incommon.org/attribute/entity/category']/samla:AttributeValue[normalize-space(.)='http://id.incommon.org/category/research-and-scholarship']]">
    <Rule xmlns="urn:mace:shibboleth:2.0:afp"
          xsi:type="basic:AttributeRequesterString" value="{@entityID}"/>
  </xsl:template>

  <!-- Reconstructed: every other entity, the aggregate signature and whitespace
       contribute nothing.  Without this the XSLT built-in templates would copy
       their text content (including the base64 signature value) into the output. -->
  <xsl:template match="md:EntityDescriptor|text()"/>

</xsl:stylesheet>
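As an added example (not the InCommon tool and not from this page), the same conversion in Python, for sites that would rather not run an XSLT processor: it selects the SPs tagged R&S from an aggregate and writes the explicit policy with one basic:AttributeRequesterString Rule per entityID, refusing to emit a policy with an empty basic:OR when no R&S SP is found. The aggregate below is constructed (it includes a non-SP entity carrying the same entity attribute, to show why the SPSSODescriptor check matters); the attributeIDs are the ones in the XSLT's AttributeRules. Like the XSLT output, the result is a snapshot and must be regenerated whenever the aggregate changes.

```python
# Added example, not the InCommon tool itself: a Python equivalent of the XSLT
# above for IdPs older than v2.3.5.  The sample aggregate is constructed; the
# attributeIDs are the ones in the XSLT's AttributeRules.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AFP = "urn:mace:shibboleth:2.0:afp"
RS_ATTR_NAME = "http://id.incommon.org/attribute/entity/category"
RS_ATTR_VALUE = "http://id.incommon.org/category/research-and-scholarship"
RS_ATTRIBUTE_IDS = ["eduPersonScopedAffiliation", "eduPersonTargetedID",
                    "eduPersonPrincipalName", "mail", "displayName", "givenName", "sn"]

# Constructed aggregate: one R&S SP; one non-SP entity (an IdP) that carries the
# same entity attribute and must NOT become a Rule; one SP with no category.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor Name="constructed-sample"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://id.incommon.org/attribute/entity/category">
        <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://id.incommon.org/attribute/entity/category">
        <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def rs_service_providers(aggregate_xml):
    """entityIDs of every SP tagged R&S.  The SPSSODescriptor test matters: the
    entity attribute alone would also select the IdP entry above."""
    found = []
    for ed in ET.fromstring(aggregate_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.find("md:SPSSODescriptor", NS) is None:
            continue
        values = {(v.text or "").strip()
                  for a in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
                  if a.get("Name") == RS_ATTR_NAME
                  for v in a.findall("saml:AttributeValue", NS)}
        if RS_ATTR_VALUE in values:
            found.append(ed.get("entityID"))
    return found


def build_policy(entity_ids):
    """Serialize the explicit policy: basic:OR of one basic:AttributeRequesterString
    Rule per entityID, then the fixed AttributeRules.  Namespace declarations are
    written as plain attributes so the xsi:type QNames resolve when the IdP
    parses the file.  Refuses an empty list rather than emitting an empty OR."""
    if not entity_ids:
        raise ValueError("no R&S SPs found in the aggregate; not writing an empty basic:OR")
    group = ET.Element("AttributeFilterPolicyGroup", {
        "id": "InCommonRSPolicy", "xmlns": AFP,
        "xmlns:basic": "urn:mace:shibboleth:2.0:afp:mf:basic",
        "xmlns:saml": "urn:mace:shibboleth:2.0:afp:mf:saml",
        "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance"})
    policy = ET.SubElement(group, "AttributeFilterPolicy", {"id": "releaseToRandS"})
    req = ET.SubElement(policy, "PolicyRequirementRule", {"xsi:type": "basic:OR"})
    for eid in entity_ids:
        ET.SubElement(req, "Rule", {"xsi:type": "basic:AttributeRequesterString", "value": eid})
    for attr_id in RS_ATTRIBUTE_IDS:
        rule = ET.SubElement(policy, "AttributeRule", {"attributeID": attr_id})
        ET.SubElement(rule, "PermitValueRule", {"xsi:type": "basic:ANY"})
    return ET.tostring(group, encoding="unicode")


def policy_entity_ids(policy_xml):
    """Read back the entityIDs a generated policy names (a check on the output)."""
    path = "{%s}AttributeFilterPolicy/{%s}PolicyRequirementRule/{%s}Rule" % (AFP, AFP, AFP)
    return [r.get("value") for r in ET.fromstring(policy_xml).findall(path)]


if __name__ == "__main__":
    print(build_policy(rs_service_providers(SAMPLE_AGGREGATE)))
```

Run it from the same job that refreshes the aggregate, write to a temporary file, and diff against the policy currently included from attribute-filter.xml before swapping it in: the diff is the list of SPs that joined or left the category, which is exactly what an operator wants to review.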