Changes between Version 5 and Version 6 of R&Ssupport

Timestamp:

07/09/12 17:27:07 (12 years ago)

Author:

dabantz@…

Comment:

--

R&Ssupport

@@ -90 +90 @@
 
 == IdP Previous to v2.3.5 ==
-These releases do not correctly support using entity attributes in SP metadata as part of an attribute release filter policy. For IdPs prior to v2.3.5, !InCommon provides a tool that can be run on a regular basis to convert !InCommon metadata into an explicit <!AttributeFilterPolicy> element for R&S SPs.
+These releases do not correctly support using entity attributes in SP metadata as part of an attribute release filter policy. For !IdPs prior to v2.3.5, !InCommon provides a tool [copied below] that can be run on a regular basis to convert !InCommon metadata into an explicit <!AttributeFilterPolicy> element for R&S SPs.
 
 == Further Policy Controls ==
-If a campus determines that it wants to block release of attributes for certain community members (e.g., students who have opted out under FERPA), !IdP operators could create an additional attribute release policy to enforce this decision. An example is available on the Shibboleth wiki. IdP plugins, such as uApprove, that provide end-user control over attribute release may also be useful to satisfy additional controls.
+If a campus determines that it wants to block release of attributes for certain community members (e.g., students who have opted out under FERPA), IdP operators could create an additional attribute release policy to enforce this decision. An example is available on the Shibboleth wiki. IdP plugins, such as uApprove, that provide end-user control over attribute release may also be useful to satisfy additional controls.
+
+== !InCommon tool to convert metadata for R&S release for IdP v.<2.3.5 ==
+
+{{{
+    <xsl:template match="md:EntitiesDescriptor">
+<AttributeFilterPolicyGroup id="InCommonRSPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
+                            xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" 
+                            xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                            xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
+                                                urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
+                                                urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
+
+    <AttributeFilterPolicy id="releaseToRandS">
+        <PolicyRequirementRule xsi:type="basic:OR">
+            <xsl:apply-templates/>
+        </PolicyRequirementRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="basic:ANY"/>
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonTargetedID">
+            <PermitValueRule xsi:type="basic:ANY"/>
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="basic:ANY"/>
+        </AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="basic:ANY"/>
+        </AttributeRule>
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="basic:ANY"/>
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="basic:ANY"/>
+        </AttributeRule>
+        <AttributeRule attributeID="sn">
+            <PermitValueRule xsi:type="basic:ANY"/>
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>
+    </xsl:template>
+
+</xsl:stylesheet>
+}}}