wiki:SetupSpAttrRelease
Last modified on 07/12/13 10:13:19

Shibboleth / Setup Attribute Release from IdP to an SP

This page documents how to set up the IdP to release attributes to an SP, selected by the SP's entityID. The filter compares the entityID as an exact string, so use it exactly as it appears in the SP's metadata (scheme, host, path and any trailing slash included); a near miss silently releases nothing.

  1. Check out the conf directory from the shib-svn repository.
    john@fearless:~/Junk$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/conf
    A    conf/service.xml
    ...
    A    conf/login.config
    
  1. Add a stanza to the attribute-filter.xml config file that releases an attribute to the SP, selected by its entityID. The attributeID must match the id of an attribute defined in attribute-resolver.xml, and the PolicyRequirementRule value must be the SP's entityID verbatim.
    john@fearless:~/Junk$ vi conf/attribute-filter.xml
    ...
    <AttributeFilterPolicy id="releaseToIAM">
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://idmt-1.alaska.edu/shibboleth" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
    ...
    :wq!
    
  1. Commit the changed attribute-filter.xml file to the shib-svn repository.
    john@fearless:~/Junk$ svn commit conf/ -m "Added attribute filter config for SP idmt-1"
    
  1. Test and update the Shibboleth IdPs with the Test IdP Config Change procedure.

References:

  • Shibboleth Attribute Filter Documentation
  • filter to release TransientID to all EXCEPT named SPs by "Qian, Yi" <yqian@…>:
    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:NOT">
            <basic:Rule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeRequesterString"
                    value="sandbox 1 sp entity id" />
                <basic:Rule xsi:type="basic:AttributeRequesterString"
                    value="sandbox 2 sp entity id" />
            </basic:Rule>
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="TransientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
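Before committing a filter change (step 2 above) or reviewing a policy like the NOT/OR one in this reference, it helps to answer "what would this IdP actually release to entityID X?" without a test IdP. The script below is an added example, not code from this page or from the Shibboleth project: it parses an attribute-filter.xml fragment and evaluates the rule types used on this page (basic:AttributeRequesterString with its optional ignoreCase, basic:ANY, basic:NOT, basic:OR) for a given requester, failing closed with ValueError on any rule type it does not model. The embedded SAMPLE_FILTER is constructed from the two policies on this page; the sandbox entityIDs, the user values, and the use of the IdP 2.x default resolver id transientId in place of the reference's TransientId are assumptions.

```python
"""Offline check of a Shibboleth IdP 2.x attribute-filter.xml: given the
filter, a requester entityID and a user's resolved attributes, report what
would be released. Models the rule types on this page (AttributeRequesterString,
ANY, NOT, OR); any other type raises so it can never look permissive."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def _local(tag):
    """'{urn:mace:shibboleth:2.0:afp}AttributeRule' -> 'AttributeRule'."""
    return tag.rsplit("}", 1)[-1]

def _rule_type(elem):
    """xsi:type is a QName in the file's own prefix (basic:ANY); keep the local part."""
    qname = elem.get(XSI_TYPE)
    if qname is None:
        raise ValueError(f"<{_local(elem.tag)}> has no xsi:type")
    return qname.rsplit(":", 1)[-1]

def _matches(rule, requester):
    """Evaluate a PolicyRequirementRule (or nested basic:Rule) for the requester."""
    kind = _rule_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        # Exact string comparison unless ignoreCase="true": scheme, host, path
        # and any trailing slash must match the entityID in the SP's metadata.
        want, got = rule.get("value", ""), requester
        if rule.get("ignoreCase", "false").lower() == "true":
            want, got = want.lower(), got.lower()
        return want == got
    children = [c for c in rule if _local(c.tag) == "Rule"]
    if kind == "OR":
        return any(_matches(c, requester) for c in children)
    if kind == "NOT" and len(children) == 1:
        return not _matches(children[0], requester)
    raise ValueError(f"unsupported or malformed rule {kind!r}")

def released_attributes(filter_xml, requester, attributes):
    """Return {attributeID: [values]} permitted for requester. Permits are unioned
    across matching policies, as the IdP does; attributeIDs are matched exactly
    against the keys of `attributes` (what attribute-resolver.xml produced)."""
    released = {}
    for policy in ET.fromstring(filter_xml).iter():
        if _local(policy.tag) != "AttributeFilterPolicy":
            continue
        reqs = [c for c in policy if _local(c.tag) == "PolicyRequirementRule"]
        if len(reqs) != 1:
            raise ValueError(f"policy {policy.get('id')!r} needs one PolicyRequirementRule")
        if not _matches(reqs[0], requester):
            continue
        for attr_rule in policy:
            attr_id = attr_rule.get("attributeID")
            if _local(attr_rule.tag) != "AttributeRule" or attr_id not in attributes:
                continue  # not an AttributeRule, or the resolver never produced it
            for permit in attr_rule:
                if _local(permit.tag) != "PermitValueRule":
                    continue
                if _rule_type(permit) != "ANY":
                    raise ValueError("only basic:ANY PermitValueRule is modelled here")
                vals = released.setdefault(attr_id, [])
                vals.extend(v for v in attributes[attr_id] if v not in vals)
    return released

# Constructed sample: both policies from this page inside the root element that
# attribute-filter.xml uses; the sandbox entityIDs are hypothetical stand-ins.
SAMPLE_FILTER = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToIAM">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://idmt-1.alaska.edu/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:NOT">
      <basic:Rule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sandbox1.example.org/shibboleth" />
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sandbox2.example.org/shibboleth" />
      </basic:Rule>
    </PolicyRequirementRule>
    <AttributeRule attributeID="transientId">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""
# Constructed user attributes, as attribute-resolver.xml might produce them.
USER_ATTRIBUTES = {"eduPersonPrincipalName": ["jdoe@alaska.edu"], "transientId": ["_t3a9f"]}

if __name__ == "__main__":
    for sp in ("https://idmt-1.alaska.edu/shibboleth",
               "https://idmt-1.alaska.edu/shibboleth/",  # trailing slash: ePPN withheld
               "https://sandbox1.example.org/shibboleth"):
        print(sp, "->", released_attributes(SAMPLE_FILTER, sp, USER_ATTRIBUTES))
```

Run it against your checked-out conf/attribute-filter.xml (read the file into the first argument) with the SP's entityID copied from its metadata. The second sample requester shows the exact-match pitfall: a trailing slash is a different entityID, so eduPersonPrincipalName is withheld while the NOT/OR policy still releases transientId. A rule type the script does not know raises rather than being skipped, which is the right default when the question is "what leaks".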