Comment: release via ESI category

...

In support of these larger projects the European Student Identifier (ESI) was defined, and this too needs to be made available in your IDP and released to the central "MyAcademicID IAM Service". Copy/paste-able examples for its creation are part of our standard set of documentation for the Shibboleth IDP's attribute resolver, and an example for its scalable release to eligible services is included below.

Other common attributes

Make sure to also have the common attributes displayName, mail, eduPersonScopedAffiliation and schacHomeOrganization available and release them to the "MyAcademicID IAM Service", all of which we already provide extensive configuration guidance for.

Attribute release configuration

In late 2021 CE a Service Category was created to scalably manage the controlled release of the ESI across services and regions. We recommend using this method to manage release of the ESI to the "MyAcademicID IAM Service" as well. This replaces the only method available earlier, which relied on enumerating the entityID values of all Service Providers that may receive the ESI as a SAML attribute from your Identity Provider software.

Tip

An easy way to test your attribute release configuration for Erasmus+ services is the MyAcademicID Attribute Release Test Service. Alternatively, testing attribute release policies on the command line of your Shibboleth IDP server using the aacli tool is fast and easy (though you'd have to interpret the results yourself, comparing the set of attributes that would be released against the published requirements of the "MyAcademicID IAM Service". See "Attribute requirements" above.)


<AttributeFilterPolicy id="MyAcademicID-IAM-Service">
    <PolicyRequirementRule xsi:type="Requester" value="https://proxy.prod.erasmus.eduteams.org/metadata/backend.xml" />
    <AttributeRule attributeID="schacPersonalUniqueCode">
        <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*$" />
    </AttributeRule>
    <AttributeRule attributeID="displayName" permitAny="true" />
    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
</AttributeFilterPolicy>
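
To see what the entityID-based policy above actually lets through, the following added example (not part of the original documentation, and no substitute for aacli or the test service) evaluates it in Python against constructed attribute values. Only the Requester, permitAny and ValueRegex rules used on this page are modelled; `SAMPLE`, `released()` and `missing()` are names assumed for illustration.

```python
import re
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
SP = "https://proxy.prod.erasmus.eduteams.org/metadata/backend.xml"
# The page's entityID-based policy, wrapped in its group element (namespaces).
POLICY_XML = f"""<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <AttributeFilterPolicy id="MyAcademicID-IAM-Service">
  <PolicyRequirementRule xsi:type="Requester" value="{SP}" />
  <AttributeRule attributeID="schacPersonalUniqueCode">
   <PermitValueRule xsi:type="ValueRegex"
       regex="^urn:schac:personalUniqueCode:int:esi:.*$" />
  </AttributeRule>
  <AttributeRule attributeID="displayName" permitAny="true" />
  <AttributeRule attributeID="mail" permitAny="true" />
  <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
  <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
 </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""
# Attributes this page asks you to release (subject identifiers are handled separately).
REQUIRED = {"schacPersonalUniqueCode", "displayName", "mail",
            "eduPersonScopedAffiliation", "schacHomeOrganization"}
# Constructed resolver output for one user; the second code is a made-up non-ESI value.
SAMPLE = {
    "schacPersonalUniqueCode": ["urn:schac:personalUniqueCode:int:esi:example.org:1234567",
                                "urn:schac:personalUniqueCode:at:example.org:studentID:42"],
    "displayName": ["Erika Mustermann"], "mail": ["erika@example.org"],
    "eduPersonScopedAffiliation": ["student@example.org"],
    "eduPersonEntitlement": ["urn:example:internal-only"],
}

def released(policy_xml, requester, resolved):
    """Return {attributeID: [values]} that the policies release to `requester`."""
    out = {}
    for policy in ET.fromstring(policy_xml).iter(AFP + "AttributeFilterPolicy"):
        req = policy.find(AFP + "PolicyRequirementRule")
        if req is None or req.get(XSI_TYPE) != "Requester" or req.get("value") != requester:
            continue  # policy not active for this SP
        for rule in policy.iter(AFP + "AttributeRule"):
            permit = rule.find(AFP + "PermitValueRule")
            values = resolved.get(rule.get("attributeID"), [])
            if rule.get("permitAny") != "true":  # only ValueRegex is modelled here
                is_rx = permit is not None and permit.get(XSI_TYPE) == "ValueRegex"
                values = [v for v in values if is_rx and re.fullmatch(permit.get("regex"), v)]
            if values:
                out[rule.get("attributeID")] = list(values)
    return out

def missing(released_attrs):
    """Required attributes the SP would not receive for this user."""
    return sorted(REQUIRED - set(released_attrs))
```

With the constructed `SAMPLE`, the non-ESI `schacPersonalUniqueCode` value and the unlisted `eduPersonEntitlement` are withheld, and `missing()` reports `schacHomeOrganization` because the sample resolver output never supplied it.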
Note

We

Tip

Below we're assuming you've already configured support for releasing the SAML SubjectID Profile Attributes (SAML Pairwise-ID or SAML Subject-ID) in a scalable way according to our documentation (see references above), which would also cover the "MyAcademicID IAM Service" (cf. section "Identifiers" above). Otherwise you'd have to add AttributeRule elements for samlPairwiseID (or, if you can't support that, for samlSubjectID) to the configuration snippet below.

Info

Also note that if you're following our documentation and recommendation about controlled, scalable attribute release using Service Categories, you may not have to configure anything specific to the "MyAcademicID IAM Service"! An easy way to find out is the MyAcademicID Attribute Release Test Service or, alternatively, testing attribute release policies on the command line of your Shibboleth IDP server using the aacli tool.


An attribute filter policy for the Shibboleth IDP that releases the ESI to eligible services, including the "MyAcademicID IAM Service", based on the published Service Category would look like the following:

Include Page
IDP 4 include-ESI-rules