...
| Expand |
|---|
| title | Show example Shibboleth IDP policy for REFEDS R&S: |
|---|
|
| Code Block |
|---|
| <afp:AttributeFilterPolicy id="REFEDSResearchAndScholarship">
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<!-- minimal subset of the R&S attribute bundle -->
<!-- assuming non-reassigned ePPN values, otherwise also include persistentId/eduPersonTargetedID here -->
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="displayName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<!-- other attributes only if requested -->
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
|
...
As this Category definition does not specify an attribute bundle (i.e., it doesn't reference specific attributes which should be released) the list of attributes to release is basically open-ended. As such you may need to adapt the attribute rules included within the policy, possibly including (fewer or) more attributes (depending on what attributes you have available in your IDP and whether the institution is willing to release them at allunder these terms). The confguration below is an example based on the most commonly used attributes in Identity Federations today which most/all eduID.at Identity Providers should be able to generate.
| Expand |
|---|
| title | Show example Shibboleth IDP policy for GEANT EU Code of Conduct: |
|---|
|
| Code Block |
|---|
| <afp:AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
<!-- Release data to EU CoCo-SPs, based on RequestedAttributes in SAML metadata -->
<afp:AttributeRule attributeID="displayName">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="true"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="truefalse"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="schacHomeOrganization">
<afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
|
