By default the Shibboleth Identity Provider (IDP) software will not release any attribute data to any service, apart from a short-lived, opaque identifier called the transient NameID. (The distributed attribute-filter.xml does contain a few example rules, but these are included for illustration purposes only.)

While not sending any data to anyone is "secure" – much the same way as not connecting a computer to a network is "secure" – it's also not very practical, as essentially all Service Providers (SP) need attributes in order to provide their services and/or perform access control.

There are several approaches to enabling controlled release of attributes to the appropriate services, and most (or all) of them will probably need to be deployed within an institutional IDP:

Note

As mentioned in the main Service Categories article, be sure to get the use of these (or similar) rules within your IT systems approved by your institution's upper management.

The following policies and rules are meant to be added to your Shibboleth IDP's attribute filter configuration, which by default lives in /opt/shibboleth-idp/conf/attribute-filter.xml

...

Tip

REFEDS has published guidance on the justification for attribute release, in particular with regard to the use of the "REFEDS Research & Scholarship" category.

Include Page
IDP 4 include-RandS-reassigned-ePPN
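The include above carries ACOnet's own R&S rules. To make the shape of such an entity-category policy concrete, here is an added illustration that is not taken from this wiki or from ACOnet's include pages: a complete attribute-filter.xml for IDP 4 containing one policy that releases the REFEDS Research & Scholarship bundle to every SP whose metadata carries the R&S entity category. The category URI and the eduPerson attribute names are the standard ones; the policy id "releaseToRandS" is an arbitrary local choice, and the example assumes an attribute with the ID eduPersonTargetedID is defined in your attribute-resolver.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not ACOnet's include-page rules: an entity-category
     based policy for the REFEDS R&S bundle, in the IDP 4 attribute filter
     syntax. Policy id and the eduPersonTargetedID attribute ID are assumptions. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Nothing is released unless some policy below matches the requesting SP
         and permits the attribute: the filter is default-deny. -->

    <!-- Match on the entity category asserted in the SP's federation metadata
         rather than on individual entityIDs, so that newly registered R&S
         services are covered without touching this file. -->
    <AttributeFilterPolicy id="releaseToRandS">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://refeds.org/category/research-and-scholarship"/>

        <!-- Required part of the R&S bundle -->
        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
        <AttributeRule attributeID="mail" permitAny="true"/>
        <AttributeRule attributeID="displayName" permitAny="true"/>
        <AttributeRule attributeID="givenName" permitAny="true"/>
        <AttributeRule attributeID="sn" permitAny="true"/>

        <!-- Optional part of the R&S bundle -->
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>

        <!-- R&S needs a non-reassignable identifier. If your ePPN values can be
             reassigned to another person, also release the targeted ID
             (assumed to be resolved under the ID eduPersonTargetedID). -->
        <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

After editing the file, either wait for the IDP's periodic reload of the attribute filter service or trigger it with /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService, and then check what would actually be released to a given SP (placeholder user name and entityID) with /opt/shibboleth-idp/bin/aacli.sh -n jsmith -r https://sp.example.org/shibboleth --saml2 before relying on the rule in production.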

GÉANT EU/EEA Data Protection Code of Conduct for Service Providers

...

Include Page
IDP 4 include-CoCo-rules

European Student Identifier

The MyAcademicID ESI category manages the scalable and controlled release of the European Student Identifier (ESI) as required e.g. by the European Commission's Erasmus+ services.

We also use this category to control release of the Erasmus Without Paper (EWP) admin entitlement, to keep things simple:

Include Page
IDP 4 include-MyAcacemicID-rules

ACOnet-registered services

...

Info

More ready-to-use examples can be found on the page Library Services; these can safely be used by all IDPs!

Individual policies

Services requiring special configuration are often best dealt with by giving them their own individual filter policy, keyed on the service's entityID rather than on a category.
Examples can be found in this wiki, e.g.:

...
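As an added illustration of what such an individual policy looks like (not one of the wiki's own examples), the fragment below is a single AttributeFilterPolicy element to be placed inside the existing AttributeFilterPolicyGroup in attribute-filter.xml. It matches one SP by its entityID and shows the value-level filtering that category rules do not need: the entityID https://sp.example.org/shibboleth, the scope example.org and the entitlement prefix urn:mace:example.org:entitlement:sp1: are placeholders.

```xml
<!-- Added illustration, not from this wiki: an individual filter policy for one
     SP that needs attributes (or attribute values) no category grants it.
     The entityID, the example.org scope and the entitlement prefix are placeholders. -->
<AttributeFilterPolicy id="example-sp-individual">

    <!-- Requester matches the SP's entityID exactly (no prefix or wildcard
         matching); use RequesterRegex if you really need a pattern. -->
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>

    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>

    <!-- Release the scoped affiliation only if it is one of two specific values.
         A PermitValueRule filters individual values; values that match no
         permit rule are silently dropped, the attribute itself stays in place. -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="OR">
            <Rule xsi:type="Value" value="staff@example.org" ignoreCase="true"/>
            <Rule xsi:type="Value" value="employee@example.org" ignoreCase="true"/>
        </PermitValueRule>
    </AttributeRule>

    <!-- Never hand an SP the user's complete entitlement set: release only the
         values minted for this service. -->
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="ValueRegex" regex="^urn:mace:example\.org:entitlement:sp1:.*$"/>
    </AttributeRule>

</AttributeFilterPolicy>
```

Keep in mind that policies are combined, not overridden: a value is released if any matching policy permits it and no matching policy denies it (a DenyValueRule wins over a permit). An individual policy like this therefore adds to whatever a category policy already releases to the same SP, so check the combined result with aacli.sh rather than reading the individual policy in isolation.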