...
A common use case is enabling SAML 1 for legacy systems, often combined with either enabling queries or attribute push (to eliminate the queries). This case is not handled as well via this mechanism, because one generally enables most profiles by default, and it is not practical to enable them and then try to disable them for all but a few SPs. The goal here is the opposite: disable by default and enable the profiles for a few exceptions.
...
The AttributeFilterConfiguration has supported metadata-driven configuration for a while now, but it hasn't been used extensively. A logical approach is to align its usage with the property-driven model outlined above and move to a per-attribute policy model, in contrast to the fairly common model today of defining policies around services. Since the filter layer operates by iterating over all policies to determine which apply, redesigning policies around tags that signal release of each individual attribute may be more efficient for larger policy sets.
To facilitate the sharing of examples, building of tools, and a more useful set of default rules in the software, we have agreed to reserve the following SAML Attribute for use in constructing filter policies:
Name: http://shibboleth.net/ns/attributes/releaseAllValues
NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Values: Each value is an internal attribute ID; the attribute with that ID is released to any SP whose metadata carries this tag with that value.
Example
Here's an example policy (more or less matching an example in the default file) that applies this tag test:
```xml
<AttributeFilterPolicy id="Per-Attribute-singleValued">
    <!-- Policy applies unless the user is FERPA-flagged, except for employees
         and for SPs in the institution's FERPA entity category. -->
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="NOT">
            <Rule xsi:type="Value" attributeID="FERPA" value="Y" />
        </Rule>
        <Rule xsi:type="Value" attributeID="eduPersonScopedAffiliation" value="employee" />
        <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category"
            attributeValue="urn:mace:osu.edu:shibboleth:attribute-def:FERPA" />
    </PolicyRequirementRule>
    <!-- One AttributeRule per attribute: release it only to SPs whose metadata
         tag lists this attribute's ID as a value. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="urn:mace:osu.edu:shibboleth:attribute-release"
            attributeValue="eduPersonPrincipalName" />
    </AttributeRule>
</AttributeFilterPolicy>
```
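The policy above keys on OSU's own tag name; the reserved attribute defined earlier is meant to play the same role. The following is an added example, not code from the Shibboleth project: a small audit script that reads a metadata aggregate, collects the values of the reserved releaseAllValues tag for each SP, and intersects them with a set of resolved attribute IDs, which is what a set of per-attribute EntityAttributeExactMatch permit rules amounts to. The metadata, the entityIDs, the attribute set, and the strict NameFormat check are assumptions of the example rather than anything the page states about the IdP's matcher.

```python
"""Audit what a per-attribute, tag-driven release policy grants each SP.

Added example, not Shibboleth project code. The metadata below is
constructed for the example; the entityIDs are not real.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Reserved tag name and NameFormat from the definition above.
RELEASE_TAG = "http://shibboleth.net/ns/attributes/releaseAllValues"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed aggregate: sp1 is tagged correctly, sp2 uses the wrong
# NameFormat, sp3 carries no tag at all.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://shibboleth.net/ns/attributes/releaseAllValues"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>eduPersonPrincipalName</saml:AttributeValue>
          <saml:AttributeValue>mail</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://shibboleth.net/ns/attributes/releaseAllValues"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <saml:AttributeValue>eduPersonPrincipalName</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def release_tags(metadata_xml: str) -> dict[str, set[str]]:
    """Map each entityID to the attribute IDs its releaseAllValues tag names.

    The script only honours a tag with the reserved Name and an explicit uri
    NameFormat (an assumption of this audit, chosen to match the reserved
    definition); an entity with no such tag maps to an empty set.
    """
    root = ET.fromstring(metadata_xml)
    result: dict[str, set[str]] = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        tagged: set[str] = set()
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") != RELEASE_TAG or attr.get("NameFormat") != URI_FORMAT:
                continue
            tagged.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
        result[ed.get("entityID")] = tagged
    return result


def released(resolved: set[str], tags: dict[str, set[str]], entity_id: str) -> set[str]:
    """Attributes a per-attribute tag policy would release to entity_id.

    Each resolved attribute is released only if the SP's tag lists its ID,
    i.e. one EntityAttributeExactMatch permit rule per attribute.
    """
    return resolved & tags.get(entity_id, set())


if __name__ == "__main__":
    tags = release_tags(SAMPLE_METADATA)
    resolved = {"eduPersonPrincipalName", "mail", "givenName"}  # constructed
    for eid in sorted(tags):
        print(eid, sorted(released(resolved, tags, eid)))
```

Run against a real aggregate, the first function gives a per-SP inventory of what the tag grants, which is the thing to review before trusting the tag: with disable-by-default policies, anyone who can edit an SP's metadata extensions can widen its release simply by adding values, so the metadata source must be as trusted as the filter file itself.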
Reference
Bean ID | Type | Function |
---|---|---|
RelyingParty.MDDriven | RelyingPartyConfiguration | A template bean for use in defining metadata-driven RelyingParty overrides by hand |
RelyingPartyByName.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching by name |
RelyingPartyByGroup.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching by <EntitiesDescriptor> groups |
RelyingPartyByTag.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching <EntityAttributes> extension content |
Shibboleth.SSO.MDDriven | BrowserSSOProfileConfiguration | Default metadata-driven configuration for SAML 1.1 SSO profile |
SAML1.AttributeQuery.MDDriven | AttributeQueryProfileConfiguration | Default metadata-driven configuration for SAML 1.1 Attribute Query profile |
SAML1.ArtifactResolution.MDDriven | ArtifactResolutionProfileConfiguration | Default metadata-driven configuration for SAML 1.1 Artifact Resolution profile |
SAML2.SSO.MDDriven | BrowserSSOProfileConfiguration | Default metadata-driven configuration for SAML 2.0 SSO profile |
SAML2.ECP.MDDriven | ECPProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Enhanced Client/Proxy profile |
SAML2.Logout.MDDriven | SingleLogoutProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Single Logout profile |
SAML2.AttributeQuery.MDDriven | AttributeQueryProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Attribute Query profile |
SAML2.ArtifactResolution.MDDriven | ArtifactResolutionProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Artifact Resolution profile |
Liberty.SSOS.MDDriven | SSOSProfileConfiguration | Default metadata-driven configuration for Liberty ID-WSF Delegated SSO profile |
CAS.LoginConfiguration.MDDriven | LoginConfiguration | Default metadata-driven configuration for CAS login protocol |
CAS.ProxyConfiguration.MDDriven | ProxyConfiguration | Default metadata-driven configuration for CAS proxy login protocol |
CAS.ValidateConfiguration.MDDriven | ValidateConfiguration | Default metadata-driven configuration for CAS ticket validation protocol |
shibboleth.DefaultMDProfileAliases | List<String> | A built-in list of alternate URL "prefixes" for property names; it is used to automate the generation of property tag names that apply to all profiles at the same time. |
shibboleth.MDProfileAliases | List<String> | An optional user-supplied list of additional URL prefixes to support custom property tag names |
shibboleth.MDDrivenStringProperty | StringConfigurationLookupStrategy | Parent bean for defining new lookup strategies for string settings |
shibboleth.MDDrivenBoolProperty | BooleanConfigurationLookupStrategy | Parent bean for defining new lookup strategies for boolean settings |
shibboleth.MDDrivenIntProperty | IntegerConfigurationLookupStrategy | Parent bean for defining new lookup strategies for integer settings |
shibboleth.MDDrivenLongProperty | LongConfigurationLookupStrategy | Parent bean for defining new lookup strategies for long integer settings |
shibboleth.MDDrivenDoubleProperty | DoubleConfigurationLookupStrategy | Parent bean for defining new lookup strategies for double settings |
shibboleth.MDDrivenDurationProperty | DurationConfigurationLookupStrategy | Parent bean for defining new lookup strategies for Duration settings |
shibboleth.MDDrivenListProperty | ListConfigurationLookupStrategy | Parent bean for defining new lookup strategies for List settings |
shibboleth.MDDrivenSetProperty | SetConfigurationLookupStrategy | Parent bean for defining new lookup strategies for Set settings |
shibboleth.MDDrivenBeanProperty | BeanConfigurationLookupStrategy | Parent bean for defining new lookup strategies for arbitrary Spring bean settings |