Changes between Version 2 and Version 3 of R&Ssupport


Timestamp: 07/09/12 16:45:11 (12 years ago)
Author: dabantz@…
Comment: --

  • R&Ssupport

    v2 v3  
    1 ==Configuring a Shibboleth IdP to Release Attributes to an R&S SP== 
     1== Configuring a Shibboleth IdP to Release Attributes to an R&S SP == 
    22 
    33Configuring a Shibboleth IdP to Release Attributes to an R&S SP 
     
    1111A Shibboleth IdP can be configured -- once -- to release a set of attributes to any and every R&S SP (identified by an entity attribute), not specific SPs (identified by entityID). Local IdP policy determines which attributes and values will be released. The logistics for configuring a Shibboleth IdP to do this release varies, depending on which version of the IdP a site is using. 
    1212 
    13 ==IdP 2.3.5 and above== 
     13== IdP 2.3.5 and above == 
    1414An IdP can choose between possible configurations, depending on its policy needs: 
    1515 
     
    1717Release only those attributes an SP requests via its metadata element. 
    1818 
    19 ==Always Release the Same Set of Attributes== 
     19== Always Release the Same Set of Attributes == 
    2020 
    2121The following configuration requires Shibboleth IdP v2.3.5 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. 
     
    2323Configure a new <AttributeFilterPolicy> element for R&S SPs.This example releases all of the R&S attributes; a campus should customize as appropriate (e.g., changing the attributeID values). 
    2424 
    25 {{{<AttributeFilterPolicy id="releaseToRandS"> 
     25{{{  
     26<AttributeFilterPolicy id="releaseToRandS"> 
    2627  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" 
    2728      attributeName="http://id.incommon.org/attribute/entity/category" 
     
    4546    <PermitValueRule xsi:type="basic:ANY" /> 
    4647  </AttributeRule> 
    47 </AttributeFilterPolicy>}}} 
     48</AttributeFilterPolicy>  
     49}}} 
    4850 
    4951Release Only Those Attributes an SP Requests via Its Metadata Element 
    5052This approach relies on a plugin that is bundled with the uApprove add-on for Shibboleth. Information about uApprove is available at http://www.switch.ch/aai/support/tools/uApprove.html. It is NOT necessary for the site to run and use uApprove in order to take advantage of this plugin's capabilities. 
    5153 
    52 Installation of the Plugin: 
     54== Installation of the Plugin: == 
    5355Follow these steps in order to use the plugin; it is NOT necessary to follow the full uApprove installation instructions: 
    5456 
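Review bot: heading markup is inconsistent in this region. "Installation of the Plugin:" becomes a `== ... ==` heading at v3 line 54 but keeps a trailing colon, unlike every other heading on the page, while the sibling alternative "Release Only Those Attributes an SP Requests via Its Metadata Element" at v3 line 51 is still plain text even though its counterpart "Always Release the Same Set of Attributes" was converted at v3 line 19. Suggest `== Release Only Those Attributes an SP Requests via Its Metadata Element ==` and `== Installation of the Plugin ==`.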
     
    6062The following IdP configuration implicitly releases attributes to any R&S SP. An attribute is released if and only if it is listed in SP metadata. 
    6163 
    62 {{{<AttributeFilterPolicy id="releaseToRandS"> 
     64{{{  
     65<AttributeFilterPolicy id="releaseToRandS"> 
    6366  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" 
    6467      attributeName="http://id.incommon.org/attribute/entity/category" 
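Review bot: the second policy at v3 line 65 reuses `id="releaseToRandS"` from the first alternative at v3 line 26. The text presents the two as configurations an IdP chooses between, so a site pasting both into attribute-filter.xml would end up with duplicate policy ids; suggest either giving this policy a distinct id or stating explicitly in the text at v3 line 62 that only one of the two `<AttributeFilterPolicy>` blocks should be present.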
     
    8285    <PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false"/> 
    8386  </AttributeRule> 
    84 </AttributeFilterPolicy>}}} 
     87</AttributeFilterPolicy> 
     88}}} 
    8589 
    86 ==IdP Previous to v2.3.5== 
     90== IdP Previous to v2.3.5 == 
    8791These releases do not correctly support using entity attributes in SP metadata as part of an attribute release filter policy. For IdPs prior to v2.3.5, InCommon provides a tool that can be run on a regular basis to convert InCommon metadata into an explicit <AttributeFilterPolicy> element for R&S SPs. 
    8892 
    89 ==Further Policy Controls== 
     93== Further Policy Controls == 
    9094If a campus determines that it wants to block release of attributes for certain community members (e.g., students who have opted out under FERPA), IdP operators could create an additional attribute release policy to enforce this decision. An example is available on the Shibboleth wiki. IdP plugins, such as uApprove, that provide end-user control over attribute release may also be useful to satisfy additional controls.