...
Show example Shibboleth IDPv3 policy for REFEDS R&S:
<!-- REFEDS Research and Scholarship: this policy applies to every SP whose metadata
     carries the research-and-scholarship entity category.
     NOTE(review): the match is driven by entity attributes read from the SP's metadata,
     so it is only as trustworthy as the metadata source; confirm that the metadata is
     loaded from a signature-verified federation feed. -->
<AttributeFilterPolicy id="REFEDSResearchAndScholarship">
  <PolicyRequirementRule
      xsi:type="EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- The category requires an identifier, an email address and a person's name.
       If ePPN values could be reassigned you MUST also release
       eduPersonTargetedID/persistent NameID; releasing ePTID/persistent NameID in
       every case is recommended anyway. Releasing givenName+sn alongside displayName
       is recommended as well, to help with interoperability.
       permitAny="true" places no restriction on the values released for an attribute. -->
  <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
  <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
  <AttributeRule attributeID="mail" permitAny="true"/>
  <AttributeRule attributeID="displayName" permitAny="true"/>
  <AttributeRule attributeID="givenName" permitAny="true"/>
  <AttributeRule attributeID="surname" permitAny="true"/>

  <!-- Affiliation is optional, but its release is still "strongly recommended". -->
  <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
</AttributeFilterPolicy>
GÉANT Data Protection Code of Conduct
...
Show example Shibboleth IDPv3 policy for GEANT EU Code of Conduct:
<!-- GEANT Data Protection Code of Conduct: this policy applies to every SP whose
     metadata carries the dataprotection-code-of-conduct/v1 entity category.
     NOTE(review): both the category match and the per-attribute decisions below are
     driven by the SP's metadata, so they are only as trustworthy as the metadata
     source; confirm that the metadata is loaded from a signature-verified federation
     feed. -->
<AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
  <PolicyRequirementRule
      xsi:type="EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>

  <!-- Release data to EU/EEA/Adequate CoCo SPs, based on the RequestedAttributes
       listed in each SP's SAML metadata.
       onlyIfRequired="true": released only when the SP marks the attribute as required. -->
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="true"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="true"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="true"/>
  </AttributeRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="true"/>
  </AttributeRule>
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="true"/>
  </AttributeRule>
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="true"/>
  </AttributeRule>
  <AttributeRule attributeID="eduPersonUniqueId">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="true"/>
  </AttributeRule>

  <!-- onlyIfRequired="false": these two are released whenever the SP requests them,
       whether it marks them as required or as optional. -->
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="schacHomeOrganization">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
</AttributeFilterPolicy>
Again, be sure to check the more general attribute release guidance in our Shibboleth IDP v3 documentation, which contains more ready-to-use examples and approaches.