Last modified on 07/12/13 10:13:19
Shibboleth / Setup Attribute Release from IdP to an SP
This page documents how to set up an IdP to release attributes to an SP, identified by its entityID.
- Check out the conf directory from the shib-svn repository.
john@fearless:~/Junk$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/conf
A conf/service.xml
...
A conf/login.config
- Add a stanza in the attribute-filter.xml config file that releases an attribute to the SP via its entityID.
john@fearless:~/Junk$ vi conf/attribute-filter.xml
...
<AttributeFilterPolicy id="releaseToIAM">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://idmt-1.alaska.edu/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
...
:wq!
- Commit the changed attribute-filter.xml file into the shib-svn repository.
john@fearless:~/Junk$ svn commit conf/ -m "Added attribute filter config for SP idmt-1"
- Test and update the Shibboleth IdPs with the Test IdP Config Change procedure.
References:
- Shibboleth Attribute Filter Documentation
- filter to release TransientID to all EXCEPT named SPs by "Qian, Yi" <yqian@…>:
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:NOT">
        <basic:Rule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="sandbox 1 sp entity id" />
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="sandbox 2 sp entity id" />
        </basic:Rule>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="TransientId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
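An added example, not part of the original page or of the Shibboleth project: a check to run before the commit step that evaluates the two stanzas above for a given SP entityID and lists the attributes that SP would receive. It assumes the IdP 2.x afp/basic namespaces and a constructed policy group wrapping the page's stanzas; the function names are hypothetical, only the rule types shown here plus basic:AND are handled, and any PermitValueRule counts as a release (DenyValueRule is not modelled).

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: this page's two stanzas in a policy group (IdP 2.x namespaces assumed).
SAMPLE = """<AttributeFilterPolicyGroup id="sample" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToIAM">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://idmt-1.alaska.edu/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:NOT"><basic:Rule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="sandbox 1 sp entity id" />
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="sandbox 2 sp entity id" />
    </basic:Rule></afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="TransientId"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" so prefixed and unprefixed stanzas match

def matches(rule, entity_id):
    """Evaluate a PolicyRequirementRule (or a nested basic:Rule) for one requesting SP."""
    kind = rule.get(XSI_TYPE, "").split(":")[-1]
    nested = [matches(c, entity_id) for c in rule if local(c.tag) == "Rule"]
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        return rule.get("value") == entity_id
    if kind in ("AND", "OR", "NOT") and nested:
        return {"AND": all(nested), "OR": any(nested), "NOT": not nested[0]}[kind]
    raise ValueError("rule type not handled here: " + repr(kind))

def released_attributes(filter_xml, entity_id):
    """Sorted attribute IDs that at least one matching policy permits for entity_id."""
    released = set()
    for policy in ET.fromstring(filter_xml).iter():
        if local(policy.tag) != "AttributeFilterPolicy":
            continue
        if not any(local(r.tag) == "PolicyRequirementRule" and matches(r, entity_id) for r in policy):
            continue
        released.update(a.get("attributeID") for a in policy
                        if local(a.tag) == "AttributeRule"
                        and any(local(v.tag) == "PermitValueRule" for v in a))
    return sorted(released)
```

Calling `released_attributes` with an entityID that appears in neither stanza returns `['TransientId']`, which makes the reach of the NOT/OR policy visible before the change is committed.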