Changes between Version 2 and Version 3 of R&Ssupport
- Timestamp:
- 07/09/12 16:45:11 (12 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
R&Ssupport
v2 v3 1 == Configuring a Shibboleth IdP to Release Attributes to an R&S SP==1 == Configuring a Shibboleth IdP to Release Attributes to an R&S SP == 2 2 3 3 Configuring a Shibboleth IdP to Release Attributes to an R&S SP … … 11 11 A Shibboleth IdP can be configured -- once -- to release a set of attributes to any and every R&S SP (identified by an entity attribute), not specific SPs (identified by entityID). Local IdP policy determines which attributes and values will be released. The logistics for configuring a Shibboleth IdP to do this release varies, depending on which version of the IdP a site is using. 12 12 13 == IdP 2.3.5 and above==13 == IdP 2.3.5 and above == 14 14 An IdP can choose between possible configurations, depending on its policy needs: 15 15 … … 17 17 Release only those attributes an SP requests via its metadata element. 18 18 19 == Always Release the Same Set of Attributes==19 == Always Release the Same Set of Attributes == 20 20 21 21 The following configuration requires Shibboleth IdP v2.3.5 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. … … 23 23 Configure a new <AttributeFilterPolicy> element for R&S SPs.This example releases all of the R&S attributes; a campus should customize as appropriate (e.g., changing the attributeID values). 24 24 25 {{{<AttributeFilterPolicy id="releaseToRandS"> 25 {{{ 26 <AttributeFilterPolicy id="releaseToRandS"> 26 27 <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" 27 28 attributeName="http://id.incommon.org/attribute/entity/category" … … 45 46 <PermitValueRule xsi:type="basic:ANY" /> 46 47 </AttributeRule> 47 </AttributeFilterPolicy>}}} 48 </AttributeFilterPolicy> 49 }}} 48 50 49 51 Release Only Those Attributes an SP Requests via Its Metadata Element 50 52 This approach relies on a plugin that is bundled with the uApprove add-on for Shibboleth. Information about uApprove is available at http://www.switch.ch/aai/support/tools/uApprove.html. It is NOT necessary for the site to run and use uApprove in order to take advantage of this plugin's capabilities. 51 53 52 Installation of the Plugin: 54 == Installation of the Plugin: == 53 55 Follow these steps in order to use the plugin; it is NOT necessary to follow the full uApprove installation instructions: 54 56 … … 60 62 The following IdP configuration implicitly releases attributes to any R&S SP. An attribute is released if and only if it is listed in SP metadata. 61 63 62 {{{<AttributeFilterPolicy id="releaseToRandS"> 64 {{{ 65 <AttributeFilterPolicy id="releaseToRandS"> 63 66 <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" 64 67 attributeName="http://id.incommon.org/attribute/entity/category" … … 82 85 <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> 83 86 </AttributeRule> 84 </AttributeFilterPolicy>}}} 87 </AttributeFilterPolicy> 88 }}} 85 89 86 == IdP Previous to v2.3.5==90 == IdP Previous to v2.3.5 == 87 91 These releases do not correctly support using entity attributes in SP metadata as part of an attribute release filter policy. For IdPs prior to v2.3.5, InCommon provides a tool that can be run on a regular basis to convert InCommon metadata into an explicit <AttributeFilterPolicy> element for R&S SPs. 88 92 89 == Further Policy Controls==93 == Further Policy Controls == 90 94 If a campus determines that it wants to block release of attributes for certain community members (e.g., students who have opted out under FERPA), IdP operators could create an additional attribute release policy to enforce this decision. An example is available on the Shibboleth wiki. IdP plugins, such as uApprove, that provide end-user control over attribute release may also be useful to satisfy additional controls.