...

The following example policy releases a bundle of attributes to any SP in the InCommon Federation by referencing the Name attribute of the EntitiesDescriptor element in the InCommon metadata aggregate.

...

Note

Releasing attributes "to a federation" in this way assumes all of the SPs in the aggregate are equally trustworthy. If the aggregate corresponds to a single federation with adequate privacy controls, such a policy might be warranted. In other situations, it might be preferable to restrict the release of attributes to SPs that meet certain requirements. One approach is to restrict attribute release to SPs possessing a particular entity attribute, as shown in the example below.

Release the Essential Attribute Bundle to any SP Registered by InCommon

Contributed By: Tom Scavo, Internet2

Here's a default attribute release policy that releases a bundle of attributes to any SP registered by InCommon (as indicated by an entity attribute in SP metadata):

<AttributeFilterPolicy id="releaseEssentialAttributeBundle">

  <!-- this policy is active for a requester with the following entity attribute -->
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

Release an Attribute Bundle Based on an Entity Attribute

...

The following example policy (v2.3.4 or later) releases a bundle of attributes to a Research & Scholarship Category SP in the InCommon Federation. Attribute release is based on an entity attribute in SP metadata, which is significantly easier to maintain than a policy based on entity IDs.

<AttributeFilterPolicy id="releaseToRandS">

  <!-- this policy is active for a requester with the following entity attribute -->
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
 
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
 
</AttributeFilterPolicy>

...

Like the previous example, the following policy (v2.4 or later) releases a bundle of attributes to a Research & Scholarship Category SP in the InCommon Federation. As before, attribute release depends on an entity attribute in SP metadata, but in this case a given attribute is released only if there is a corresponding <md:RequestedAttribute> element in SP metadata.
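To make the difference between the three rule styles on this page concrete (release to the whole federation by EntitiesDescriptor Name, release gated on an entity attribute, and release additionally gated on <md:RequestedAttribute>), here is an added Python example that evaluates a two-SP metadata aggregate against each rule. It is not Shibboleth IdP code and does not reproduce the IdP's filter engine; it models the semantics the text describes. The aggregate is constructed for the example, and the mapping from IdP attributeID to SAML attribute Name (the OIDs in SAML_NAME) is assumed to match the usual resolver encoders.

```python
"""Evaluate SP metadata against the attribute release rules described on this
page. Added example with constructed data; not Shibboleth IdP code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RANDS = "http://refeds.org/category/research-and-scholarship"
REGISTERED_BY_INCOMMON = "http://id.incommon.org/category/registered-by-incommon"

# IdP attributeID -> SAML 2 attribute Name. Assumed here; in a real deployment
# this mapping comes from the encoders in attribute-resolver.xml.
SAML_NAME = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "surname": "urn:oid:2.5.4.4",
}
ESSENTIAL_BUNDLE = list(SAML_NAME)

# Constructed aggregate: the first SP carries both entity categories and
# requests two attributes; the second SP has no tags and no request list.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor Name="urn:mace:incommon"
    xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{RANDS}</saml:AttributeValue>
          <saml:AttributeValue>{REGISTERED_BY_INCOMMON}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="0">
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://untagged.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def find_sp(aggregate, entity_id):
    """Return the EntityDescriptor for entity_id, or raise KeyError."""
    for ed in aggregate.findall("md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            return ed
    raise KeyError(entity_id)


def entity_attribute_values(sp, name):
    """All values of the entity attribute called name in the SP's metadata."""
    values = set()
    for attr in sp.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def requested_names(sp):
    """SAML attribute Names the SP lists as md:RequestedAttribute."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("Name") for ra in sp.findall(path, NS)}


def policy_applies(aggregate, sp, requirement):
    """Model the PolicyRequirementRule: ('entity-group', Name) mirrors releasing
    to the whole aggregate; ('entity-attribute', Name, value) mirrors
    AttributeRequesterEntityAttributeExactMatch."""
    kind, *args = requirement
    if kind == "entity-group":
        # sp was located inside this aggregate, so membership is the root's Name
        return aggregate.get("Name") == args[0]
    if kind == "entity-attribute":
        name, value = args
        return value in entity_attribute_values(sp, name)
    raise ValueError(f"unknown requirement kind {kind!r}")


def released_attributes(aggregate_xml, entity_id, requirement,
                        bundle=ESSENTIAL_BUNDLE, only_if_requested=False):
    """Return the attributeIDs from bundle that the rule releases to entity_id.
    With only_if_requested=True an attribute is released only when the SP's
    metadata carries a matching md:RequestedAttribute."""
    aggregate = ET.fromstring(aggregate_xml)
    sp = find_sp(aggregate, entity_id)
    if not policy_applies(aggregate, sp, requirement):
        return []
    if not only_if_requested:
        return list(bundle)
    wanted = requested_names(sp)
    return [a for a in bundle if SAML_NAME[a] in wanted]


if __name__ == "__main__":
    federation = ("entity-group", "urn:mace:incommon")
    rands = ("entity-attribute", ENTITY_CATEGORY, RANDS)
    for eid in ("https://sp.example.org/shibboleth", "https://untagged.example.edu/shibboleth"):
        print(eid)
        print("  whole federation:", released_attributes(SAMPLE_AGGREGATE, eid, federation))
        print("  R&S tag only    :", released_attributes(SAMPLE_AGGREGATE, eid, rands))
        print("  R&S + requested :", released_attributes(SAMPLE_AGGREGATE, eid, rands, only_if_requested=True))
```

Running it shows the point of the Note above: the federation-wide rule hands the full bundle to the untagged SP as well, the entity-attribute rule releases nothing to it, and the RequestedAttribute gate trims the tagged SP's release to the two attributes it actually lists.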

...