...
Note
The service provider must actually check for these attributes and deny access if the agreed-upon attribute value is not present in the response. There is no other way for an institution to signal whether an individual is entitled to a resource or not. Authentication at an academic institution does not mean the subject is authorized to access licensed resources on behalf of that institution.
The eduPerson specification defines the generic attribute eduPersonEntitlement to communicate entitlements, permissions or rights between entities. For the specific case of library services, MACE-Dir has defined a standard eduPersonEntitlement attribute value (see below for details). This is generally the only attribute (apart from, possibly, a unique identifier) a library service needs, so the Identity Provider should release no further data:
common-lib-terms Entitlement
Here's the current common-lib-terms specification.
"Friendly" attribute name | Formal SAML2 attribute name (on-the-wire) | Attribute value string |
---|---|---|
eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | urn:mace:dir:entitlement:common-lib-terms |
The NameFormat (the format the formal attribute name is in) is always "urn:oasis:names:tc:SAML:2.0:attrname-format:uri". For legacy services still using the SAML 1.x protocol the formal attribute name is "urn:mace:dir:attribute-def:eduPersonEntitlement" (instead of urn:oid:1.3.6.1.4.1.5923.1.1.1.7). If in doubt, see https://eduid.at/entities/sp and hover over the requested attribute's name to find its formal name for a given service.
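What the check demanded in the note above looks like on the service provider side, for a Shibboleth SP (an added example, not part of this page and not the configuration of any service listed here): the attribute-map.xml entries map both on-the-wire names (the SAML 2 OID form and the SAML 1.x legacy name) onto the same local attribute id, and an access-control rule in shibboleth2.xml denies the request unless exactly the agreed value is present. The host name and path are placeholders.

```xml
<!-- attribute-map.xml: both formal names end up as the local attribute "entitlement",
     so the access-control rule below works for SAML 2 and legacy SAML 1.x responses. -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>

<!-- shibboleth2.xml, inside <RequestMapper type="Native">: a session alone is not
     enough; the exact common-lib-terms value must be present. A missing attribute
     or any other eduPersonEntitlement value is denied. "sp.example.org" and
     "licensed" are placeholder values for this example. -->
<RequestMap>
  <Host name="sp.example.org">
    <Path name="licensed" authType="shibboleth" requireSession="true">
      <AccessControl>
        <Rule require="entitlement">urn:mace:dir:entitlement:common-lib-terms</Rule>
      </AccessControl>
    </Path>
  </Host>
</RequestMap>
```

The comparison is an exact, case-sensitive string match by default, which is what you want for a URN-valued entitlement: authenticating at a listed institution without the value must still end in an access denial, not in a session that is silently granted.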
...
Define the attribute
See our IdP 3/4 Attribute resolution documentation for a simple example of how to generate and assign the common-lib-terms entitlement based on eduPersonAffiliation values.
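As an added illustration of that derivation (this is not the example from the linked Attribute resolution page): an attribute-resolver.xml definition for IdP 3.4+/4 that adds the common-lib-terms value whenever one of the affiliations the institution has licensed for appears in eduPersonAffiliation. Which affiliations qualify is an assumption here and is the institution's licensing decision; the list used below mirrors the affiliation values permitted in the eduPersonScopedAffiliation filter policy further down this page.

```xml
<!-- attribute-resolver.xml (added example): derive eduPersonEntitlement from
     eduPersonAffiliation. The definition id must match the attributeID used in the
     CommonLibTerms filter policy. The qualifying affiliations are an assumption. -->
<AttributeDefinition id="eduPersonEntitlement" xsi:type="ScriptedAttribute">
    <InputAttributeDefinition ref="eduPersonAffiliation"/>
    <Script><![CDATA[
        var libTerms = "urn:mace:dir:entitlement:common-lib-terms";
        // Affiliations assumed to be covered by the institution's licence agreements.
        var eligible = ["faculty", "staff", "employee", "student", "member", "library-walk-in"];

        if (typeof eduPersonAffiliation != "undefined" && eduPersonAffiliation != null) {
            var affiliations = eduPersonAffiliation.getValues();
            for (var i = 0; i < eligible.length; i++) {
                if (affiliations.contains(eligible[i])) {
                    // Add the value exactly once. Accounts without a qualifying
                    // affiliation get no entitlement at all, so the filter policy
                    // has nothing to release for them.
                    eduPersonEntitlement.addValue(libTerms);
                    break;
                }
            }
        }
    ]]></Script>
</AttributeDefinition>
```

With IdP 4 the default attribute registry already maps eduPersonEntitlement to the on-the-wire names from the table above; with IdP 3 the definition additionally needs the SAML2String (and, for SAML 1.x services, SAML1String) AttributeEncoder elements. Make sure no other definition in the resolver already uses the id eduPersonEntitlement.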
...
```xml
<!-- Release the common-lib-terms entitlement only to the listed library service
     providers. Only the exact agreed value is permitted; any other
     eduPersonEntitlement value is filtered out for these requesters. -->
<AttributeFilterPolicy id="CommonLibTerms">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://test-sp.aco.net/shibboleth" />
        <Rule xsi:type="Requester" value="https://ieeexplore.ieee.org/shibboleth-sp" />
        <Rule xsi:type="Requester" value="http://shibboleth.ebscohost.com" />
        <Rule xsi:type="Requester" value="https://sp.tshhosting.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://www.content-select.com/simplesaml/module.php/saml/sp/metadata.php/preselect.media-sp" />
        <Rule xsi:type="Requester" value="https://sdauth.sciencedirect.com/" />
        <Rule xsi:type="Requester" value="https://www.tandfonline.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://fsso.springer.com" />
        <Rule xsi:type="Requester" value="https://secure.nature.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth.genios.de/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth-faz.genios.de/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth.statista.com" />
        <Rule xsi:type="Requester" value="https://www.hanser-elibrary.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth.ovid.com/entity" />
        <Rule xsi:type="Requester" value="https://prd.thieme.de/shibboleth-sp" />
        <Rule xsi:type="Requester" value="https://www.beck-elibrary.de/Shibboleth.sso" />
        <Rule xsi:type="Requester" value="https://www.nomos-elibrary.de/Shibboleth.sso" />
        <Rule xsi:type="Requester" value="https://iam.atypon.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://portal.zedhia.at/saml" />
        <Rule xsi:type="Requester" value="https://sp.eblib.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://login.intelliconnect.inta.cch.com/" />
        <Rule xsi:type="Requester" value="https://shibbolethsp.jstor.org/shibboleth" />
        <Rule xsi:type="Requester" value="https://shibboleth-sp.prod.proquest.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://elibrary.verlagoesterreich.at" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
    </AttributeRule>
</AttributeFilterPolicy>
```
...
```xml
<!-- Some library service providers authorize on eduPersonScopedAffiliation instead.
     Release only the listed affiliation values (matched case-insensitively) to these
     requesters; any other value of the attribute is filtered out. -->
<AttributeFilterPolicy id="LibrarySPsScopedAffiliation">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://shibboleth.cambridge.org/shibboleth-sp" />
        <Rule xsi:type="Requester" value="https://shibboleth.highwire.org/entity/secure-sp" />
        <Rule xsi:type="Requester" value="https://secure.nature.com/shibboleth" />
        <Rule xsi:type="Requester" value="https://ticket.iop.org/shibboleth" />
        <Rule xsi:type="Requester" value="https://shib.rsc.org/shibboleth" />
        <Rule xsi:type="Requester" value="https://sp.emerald.com/sp" />
        <Rule xsi:type="Requester" value="https://cas.manz.at/shibboleth" />
        <Rule xsi:type="Requester" value="https://lindedigital.at/shibboleth" />
        <Rule xsi:type="Requester" value="https://shib.lexisnexis.com" />
        <Rule xsi:type="Requester" value="https://signin.lexisnexis.com/lnaccess/fed/authn" />
        <Rule xsi:type="Requester" value="https://www.utb-studi-e-book.de/websso/metadata" />
        <Rule xsi:type="Requester" value="https://elibrary.hogrefe.de" />
        <Rule xsi:type="Requester" value="https://sp.ebrary.com/shibboleth" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <!-- IdP 3/4 use caseSensitive="false" (the IdP 2 attribute was ignoreCase="true"). -->
        <PermitValueRule xsi:type="OR">
            <Rule xsi:type="Value" value="student" caseSensitive="false" />
            <Rule xsi:type="Value" value="staff" caseSensitive="false" />
            <Rule xsi:type="Value" value="faculty" caseSensitive="false" />
            <Rule xsi:type="Value" value="employee" caseSensitive="false" />
            <Rule xsi:type="Value" value="member" caseSensitive="false" />
            <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
```
...